Three Types of Social Engineering That Keep Coming after Retailers

When you think of hacking, breaches, or cyber security, what do you think of? Probably software or technology. We often forget the human side. But humans continue to play a big role. In fact, more than half of breaches and cyber-security events start with a human error or social engineering. Many are a combination of both.

So what exactly is social engineering? It is the manipulation of people into performing actions or divulging confidential information. It is a confidence (con, for short) trick for information gathering, fraud, or system access. And while it is like a con, it differs from a traditional con in that it is often one of many steps in a more complex fraud scheme. Wikipedia says, “While the term social engineering is not directly related to computers, information security, or traditional security professionals, most recently it has become a major part of our industry.” In this article I will review some of the most common types of social engineering and how they occur in retail.

Baiting

Baiting occurs when the social engineer leaves a malware-infected device, such as a USB flash drive or CD, in a common area where it is most likely to be found. Several devices can be left at one time to increase the likelihood of success. Bathrooms, hallways, and mail drops are easy targets for baiting. Humans are curious creatures, especially loss prevention professionals. The intent of the social engineer is that someone will pick up the infected device and plug it into their computer to see what’s on it. That’s when the malware installs itself. A lot of times the USB drive or disk will be labeled “important” or “private.” Once the malware is installed, the social engineer may have access to the computer or whole networks.

One example of baiting in a retail environment is when a social engineer applies for a job, schedules an interview, and meets with HR. After the meeting, he leaves a USB drive on the HR person’s desk. Because of his long commute, he uses the restroom and leaves a second USB drive on the bathroom sink. Then, for good measure, he places one more on a random desk while exiting. What would you do if you found a USB on your desk that was marked “private?” The answer to that question could make the difference between your company finding itself on the front page of the newspaper for all the wrong reasons in a few months or not.

By Tom Meehan, CFI

Meehan is the chief strategy officer and chief information security officer for CONTROLTEK. Previously he was director of technology and investigations with Bloomingdale’s, where he was responsible for physical security, investigations, systems, and data analytics. He currently serves as the chair of the Loss Prevention Research Council’s innovations working group. Prior to his 13-year tenure at Bloomingdale’s, he worked for Home Depot in loss prevention, and has had various technology, loss prevention, and operational roles at several other companies. He can be reached at tom.meehan@controltekusa.com.

Phishing

Phishing occurs when a social engineer creates fraudulent communications with a target, appearing legitimate and often claiming to be from a trusted or known source. Phishing is one of the more well-known tricks of social engineers and still one of the most successful.

The most common phishing attempts are unexpected urgent emails, usually involving banking, shipment, bill payment, or online accounts. Another common attempt is an email that appears to come from a person of importance, like your boss, your CEO, or a law enforcement official. The intent of phishing is to gain access to accounts, install malicious software, or steal money.

Here is one example of phishing in a retail environment. You receive an email from Jack, your good buddy in IT, and the email says, “Hey bud, can you reset your password? Just click the link below.” You have known Jack for years and often work on projects together. You click the link and reset your password. But the email wasn’t from Jack; it was someone trying to steal your login credentials, and that person has now accessed your HR profile in order to redirect your paycheck to his account. Don’t click on any links. Call the person. Or go directly to the source and reset the password.

Vishing

I have personally seen a lot of vishing in my past retail loss prevention assignments. Vishing is when the social engineer (a criminal, let’s be clear) calls an employee within a company posing as a trusted individual or a representative of a bank, credit card company, IT, or loss prevention. Then the social engineer tries to get information from the person in the business. In more complex examples the social engineer will call several people using the information obtained from each to further the scam. The main purpose of vishing is to get information or to cause someone to act.

Let’s review two real-life examples I have seen in the past. A call comes to a cashier at a register. The caller (a visher) acts as if he works for IT. He asks the cashier if the register is working correctly and claims to see an outage. He then asks the cashier to ring a test transaction to a gift card for $250. Once the test is complete, he asks for the gift card information from the cashier. Once he hangs up, he immediately places a fraudulent online order using that gift card number.

Another example of vishing is when a caller contacts someone in the shoe department and asks for the department manager’s name (say, Mike), the previous department manager (say, Bob), and the store manager’s name (say, Jack) because he wants to write a thank-you note to them. The visher then calls the CEO’s office and says, “I bought two pairs of shoes, and both were damaged. I have spoken to Bob, Mike, and Jack, and no one can help me. All I want is my money back. I left the shoes with Bob several months ago. I paid for them in cash and want a check mailed to me, or have it returned to my debit card today. I am a lawyer/doctor/federal agent/judge.” I have personally heard all of the above. He continues, “If you don’t refund me today, I want to meet with the CEO. I can’t believe I am getting the run-around for $290!” This scam happened to every retailer I have ever worked for. Imagine what happens when the visher calls ten retailers a day, and two give a refund!

These are only three types of social engineering. There are more, but these are the most relevant to retail. You will notice in all of the above scams the risk of being caught is low, and the potential reward is high. The most important ways to prevent falling prey to social engineering are training, awareness, and policy. The more you talk and train, the less likely you are to become a victim.

SEARCHING FOR REALITY IN RETAIL

HYPE, HYSTERIA, OR HAPPENING?

By Walter E. Palmer, CFI, CPP, CFE

Read any retail trade publication or mainstream news-media article about our industry, and chances are that you will walk away feeling bearish on the future of this business. Go to a retail trade show, and you are likely to hear speaker after speaker emphasizing change, business disruption, moving to e-commerce, and the need to completely reengineer your business to court the new, tech-savvy generation of shoppers.

In fact, the more retail e-newsletters and alerts you receive, the worse you may feel with the constant drumbeat of store closings, retailers filing bankruptcy, and elimination of jobs in our sector. Is this reality, or is it Chicken Little syndrome?

You will also read and hear about how the future is bright for those companies that embrace omni-channel retail—groceries delivered into your refrigerator, a ready-to-cook gourmet meal pack on your doorstep, free shipping and free returns, and price guarantees to make sure you never pay more than the cheapest price you can find on the Internet.

With the twin poles of hype and hysteria in mind, this article will reflect on the reality of what is actually happening and try to find some sense of balance in a world that magnifies the extremes. We will look at the current state of the retail industry and compare it to the narrative that traditional retail is dying with three principles in mind:

■ Keep a historical perspective.
■ Frame the debate correctly.
■ Pay attention to actual data.

Keep a Historical Perspective

Is the retail scene changing? Of course. Have there been a number of established retail companies that have gone out of business or are struggling? Without a doubt. So what’s new?

Retail has always been a hypercompetitive business with thin margins and obsessive pursuit of market share and customer loyalty. We don’t have to go back too far to see the same answers to the above questions.

For instance, let’s look at what we’ve seen in retail over the past thirty-five years or so. During that time, we’ve seen the rise and fall of almost the entire consumer electronics retail segment. I bought my first VCR at Montgomery Wards’ “Electric Avenue” shop a couple of years into my retail career. But I also shopped some great stores including The Wiz, Circuit City, and Lechmere. When it came to computers, I spent a lot of time in CompUSA and Computer City. What do they all have in common? They are all gone, of course, and not a single one of them went out of business because of Amazon.

When I was in the northeast part of the country in the late 1980s and early 1990s, Ames, Bradlees, and Caldor dominated the mass-merchant segment. None of them survive today, and Kmart is famously on the ropes.

Should we talk about the home improvement category? Rickel? Builders Square? Channel Home Centers? HQ?

What about toy stores? KB Toys? Circus World? Thornberry’s? FAO Schwarz?

We have not even gotten to the fickle fashion sector. Do you remember when specialty retail was dominated by conglomerates like Melville (Wilsons, Chess King, Foxmoor, and Thom McAn) and Petrie Stores (Stuarts, Jean Nicole, Mariannes’, G&G, and Petrie stores)?

Even those fashion retailers that have survived would hardly be recognizable to a time traveler. How many of you remember when American Eagle Outfitters was all about flannel and the lumberjack look? Do you remember when Banana Republic had a Jeep in its storefront and the tagline “Travel and Safari Clothing Co.”? This review is not intended to be a trip down memory lane or wistful nostalgia. It is simply a reminder that pretty extreme disruption happens in our business all the time. It doesn’t feel good for the “losers,” and it certainly creates disruption to retail workers. But we are all subject to the tendency to believe the moment we are currently in is vastly different than what anyone else has ever experienced in the history of mankind. Psychologists call this “declinism” and define it as the belief that a society or institution is tending toward decline. Today, it seems to be a widespread phenomenon across society that is hard to shake even when the facts are clearly in opposition.

Frame the Debate Correctly

One of the real problems in the perception of what is happening in retail is how the issue is framed. Is retail in decline, or is it brick-and-mortar retail that is in decline? We’ll look at more data on that in a minute, but we need to start with accurate baseline definitions.

If one were to go back just ten years ago, most industry insiders would not even consider Amazon as a “retailer.” They were the enemy. They were not welcome at retail industry trade shows. Retail groups were lobbying against Amazon on the issue of sales tax.

In a similar fashion, it is easy to remember when eBay was a pariah to the retail loss prevention community. They weren’t a “retailer.” They were an online flea market that existed solely to sell counterfeits, out-of-date product, and worst of all, the illicit gains of organized retail crime gangs. This was the perception despite the fact that eBay is used by many large retailers as a way to job out clearance merchandise.

Fast-forward to today, and one is forced to view the issue a bit differently. How does one separate an online retailer from a “regular” retailer when Amazon is buying brick-and-mortar retail, and brick-and-mortar retailers are focusing so much time and attention on growing their online businesses? How does one exclude Amazon from being a retailer when such global brands as Nike are opening dedicated Amazon shops?

It is not just Amazon we are talking about here. Warby Parker, Bonobos, and Casper Mattress have all made the move from pure-play e-commerce to a blended model with a brick-and-mortar presence. Untuckit recently announced plans for up to 100 brick-and-mortar stores over the next five years with fifty opening by the end of 2018.

Going back to the issue of eBay, they alone generate about $9 billion in retail sales in the online brokerage space. In fact, one could make an argument that eBay is the new manifestation of the mom-and-pop retail segment in today’s society. Who doesn’t celebrate the success of the independent, family business?

It is probably not necessary to spend much time discussing how traditional retailers are expanding into online e-commerce. All one must do is read retail company press releases, and it is easy to discern the scramble to capture a percentage of the online market share.

Let it suffice to say that the way we think about retail has changed, and e-commerce will inevitably be part of the picture for the vast majority of retail organizations. Therefore, growth in retail has to be evaluated in holistic terms.

Pay Attention to Actual Data

The biggest reason, however, to take a breath and reconsider what is going on in the retail industry is because the actual data and research do not support the headlines and hysteria. Yes, you read this right. The headline “Retail Industry Is Dying” or “Brick-and-Mortar Retailers Going the Way of Dinosaurs” just isn’t factually correct.

First, the total share of retail attributed to e-commerce is still relatively small. Last year, Walmart got a big jump in its stock price because it announced that its online sales had grown at a faster rate than Amazon’s. Now, one should consider the fact that Walmart was growing from a much smaller e-commerce base than Amazon, but the markets still responded very enthusiastically. But keep in mind one fact—despite that big growth, online sales accounted for less than 3 percent of total sales for Walmart.

The numbers are constantly changing, but e-commerce market share as a percentage of total retail sales in the US was about 7 percent in 2016. Even with the enthusiasm for the growth of this segment, recent projections speculate it will still be under 10 percent of total market share at the end of 2019.

This does not mean that e-commerce is not important. It does not mean that it is not growing. It does not mean that retailers can ignore it. But it should be kept in perspective, especially as we move through some of the other data below.

Second, let’s look at the question as to whether brick-and-mortar retail is dying. It’s not. A recent report from the IHL Group, Debunking the Retail Apocalypse: Retail’s Real Story, was promoted by the National Retail Federation as a nice antidote to the current narrative being played out in the media. The IHL report concludes that there will be a net increase in store openings in 2017 of over 4,000 stores.

While the headlines focus on the struggles of the department store sector or the bankruptcies of iconic chains such as Toys“R”Us, these do not reflect the overall market. For every RadioShack, there is a Dollar General. For every The Limited, there is a Five Below. For every Wet Seal, there is a TJ Maxx.

Broken down by brand, 751 brands are increasing their store counts versus 278 that are reducing their store counts.

Perhaps this is an indication of the normal life cycle of this business that we are in.

Even where some companies have struggled, they are finding ways to stay in business and “right size” their businesses. Rue 21 and Gymboree have both emerged from bankruptcy as ongoing concerns with less debt and a tighter store base. Ascena Group is working to find a new organizational and expense structure that is sustainable. And while some specialty segment retailers like Staples and Office Depot have not been in growth mode, they are still significant retail chains that operate over 1,000 stores each.

Third, is there data to support the idea that no one will ever go to a retail store again to make a purchase? Of course not.

In fact, the recent projection from PwC for the holiday shopping season is for a 6 percent increase in sales with about 90 percent spending that money in a physical store. The previously mentioned IHL report says that 80 percent of shoppers are visiting stores as frequently or more frequently than last year. And that number goes up by about 5 percent when you survey younger shoppers.

This leads to the next question—are younger people going to do all of their shopping online? The answer, according to a recent Accenture report, is no. In fact, one of the report’s key call-outs is that many members of the digital generation actually prefer visiting stores to shopping online. This is echoed by the recent study from OpinionLab that shows millennials are actually the only generation that prefers shopping malls over online shopping.

Fourth, and perhaps most importantly, is the fact that many of the experiments being tried in retail right now may not be sustainable. In other words, most companies can’t make money at e-commerce today. Data has been published or is starting to emerge about the profitability, or lack thereof, of many of the major initiatives retailers are chasing en masse.

For instance, grocery delivery in the United Kingdom has been a big push for the past several years in this very competitive marketplace. As one drives through Northwest England and sees a Tesco truck delivering groceries to a tiny hamlet of fifteen homes, they can’t help but wonder, “How in the world can they make any money on that?” The answer is simple—they can’t. The consulting firm Kurt Salmon and Associates conducts a study each year of the costs of this service and concludes the leading grocers in the UK that offer this service lose £5 to £7 on each delivery.

The most obvious problem for traditional retailers comes from trying to compete with online giant Amazon. When one looks at the macro level numbers for Amazon, it becomes pretty apparent that it currently loses money on online sales that it fulfills itself. Its profit from recent years comes from the Amazon Web Services (AWS) business, taking a commission on sales fulfilled by third-party sellers, and the income it receives from the various other value streams such as digital content. Now, we don’t know how much of that is due to infrastructure build-out and pursuit of growth, but we do know that many retailers are chasing the one aspect of Amazon’s business that is almost sure to lose them money.

Perhaps this explains why so many e-commerce companies are opening brick-and-mortar stores. A report from business intelligence firm L2, The Death of Pureplay Retail, suggests there is no such thing as pure-play e-commerce as there is no clear indication it will be successful for the vast majority of companies that pursue it.

We could look at even more examples of data that suggests we are chasing profits in all the wrong places due to fear of being behind the trend line and losing market share. But time will prove these things out as retailers start to unpick the true costs associated with these various experiments to see if they are sustainable or not.

Keeping Perspective

None of the above is intended to suggest that the retail business is not changing or that technology and e-commerce will not have a profound effect on our industry. Neither does it intend to minimize the negative impact that bankruptcies and layoffs in retail jobs have on those affected by them. Rather, it is to try and keep some perspective when reading the doomsday articles and headlines.

It is always interesting to me when I’m at a conference and speakers talk about companies that are disrupting their business space as—more times than not—they cite companies that don’t make money, such as Uber, Spotify, Zillow, and Blue Apron, to name a few. At some point, investors are going to want to make money, not lose money. Give that some thought.

WALTER E. PALMER, CFI, CPP, CFE, is CEO and president of PCG solutions, a loss prevention consulting, training, and education firm. He has thirty years’ experience in retail LP and is a frequent speaker at industry conferences and as a guest lecturer for Eastern Kentucky University’s executive lecture series. He is active in professional development and training as a member of the American Society for Training and Development, the International Society for Performance Improvement, and the American Management Association. He can be reached at 859-271-3140 or at wpalmer@PCGsolutions.com.
