Cybercrime: Is Your Store at Risk?



From phishing to social scams, online crime is running rampant

From smash-and-grabs to diamond switches, jewelers are well aware of the traditional techniques criminals use to target the industry, but a growing number of thieves aren’t coming through the front door or window. Cybercrime increased dramatically in 2017, with an average dollar loss of $1.2 million, according to Jewelers’ Security Alliance (JSA), and it’s likely to continue.

“Most jewelry businesses are not tech savvy, and are either unaware or unprepared to avoid cyber-enabled crime,” says JSA president John J. Kennedy. “The potential dollar losses are very high, and there often will not be insurance coverage.”

With the rise of new technologies comes the rise of data sharing and collection and a corresponding increase in cyber threats, says Miya Owens, assistant general counsel for the Jewelers Vigilance Committee. “With so many publicized data breaches in recent years, the issue of cybersecurity is hotter than ever, because like any business, jewelers want to keep their data secure and protect the reputations of their businesses.”

Be Aware of Jewelry-Specific Scams

Kennedy says the main risk for jewelers isn’t being hacked, like in the Equifax or Target data breaches. Instead, 95 percent or more of the cyber-related losses are through social engineering, where criminals manipulate people into providing information or taking action through email or direct contact using information gleaned from the internet. The tactic is successful because the requests look and sound legitimate.

One of the most common social engineering scams targeting retail jewelers, vendors, and chains involves the use of impersonation to gain information, merchandise, or money.

“The criminals use social media, websites, and telephone calls to obtain information about a firm so that they can knowledgeably order product or get money,” Kennedy says. “They do extensive online research and probing phone calls to set up an order.”

After the order is placed, the criminals will attempt to get the tracking number of a shipment and then contact the shipper to have it diverted to their desired location. A couple of years ago, this scam resulted in losses exceeding $1 million from high-end, luxury jewelry firms that believed they were lending jewelry to a media executive for video and ad shoots. The scam’s leader, who was based in Miami, had several runners and accomplices. He was caught in 2017 and pleaded guilty.

Other impersonations through email involve criminals pretending to be customers or employees of another branch of a retail chain. They request to have merchandise expedited to a customer or to the home address of a fictitious “employee,” or they fraudulently redirect the items to a new address once in transit.

“Jewelers should never give out shipping numbers under any circumstances and should advise their shipper never to change the destination of a package,” Kennedy says. “To prevent losses, it is necessary to contact the true person by telephone to confirm that the request was genuine.”

Create a Cybersecurity Plan

Protect your business by making sure proper firewalls and anti-malware systems are installed and kept up to date. All jewelers should have a written cybersecurity plan that employees must read and sign. Conduct regular staff meetings and periodic reviews of cyber protocols, and discuss current scams that are targeting jewelers and retailers. Also, educate your staff on common cyber-enabled crimes and how they succeed, such as when someone opens or clicks a link in an unknown or suspicious phishing email.

“Even emails from people, customers, or vendors that seem familiar can be spoof emails,” says Kennedy, adding that criminals make slight changes to real email addresses, such as adding or changing an extra letter. “Look for unfamiliar foreign domains, misspellings, and other anomalies. If a transaction is involved, call the known person on the telephone to confirm that the transaction is not a fraud.”

Phishing emails continue to grow in frequency and severity each year. A report by Infosecurity online magazine found that 75 percent of surveyed organizations were phished in 2017.

“Cybercriminals conduct more phishing attacks during peak retail season, in hopes the business employees are so busy they let their guard down,” says Don Lewis, senior marketing manager of cybersecurity company EdgeWave. “Businesses have a higher chance of being phished during Black Friday, Cyber Monday, and other holidays with peak retail sales. It only takes one wrong click to become susceptible to a data breach.”

In addition to being careful about people who approach your business, be mindful of the information you are sharing. Kennedy warns jewelers against including virtual store tours on their websites, which allow criminals to case the store without even entering it.

“Do not post pictures and names of staff on websites or social media,” he adds. “Make sure employees realize that they are jewelers 24/7, and what they post on social media about their residence, children, vacations, movements, autos, etc., can be used by criminals in planning crimes against their firms.”

And take inventory of the data you collect and store, such as customer credit card numbers and addresses and employee Social Security numbers. Classify your data according to its sensitivity, and reassess who has permission to access it. Restricted information—for example, financial records or account information—is your most sensitive business data, while confidential data include customer and employee information. Trusted employees may be privy to confidential data, but few if any should have access to restricted information. “Knowing your data will enable you to protect your data,” Owens says.

Assemble a Cyber Team

Before a breach occurs, hire a security consultant who can find weak areas and provide solutions, Owens says: “I recently attended a class with a third-party consultant who showed everyone, in real time, how easy it can be to access private company and government websites and wreak havoc.”

And consider cyber insurance that will help in the event you fall victim to a cybercriminal. “A lot of businesses think, ‘We’re a small business. Nobody will target us,’ ” says David Derigiotis, corporate vice president and national professional liability practice leader for Burns & Wilcox, a Michigan-based insurance firm that specializes in cybersecurity. “Do you have employees? Does anybody operate a computer? When information is compromised, it’s often a person working behind the counter, checking email, and clicking on a phishing link. Cyber insurance quickly and thoroughly handles the situation from start to finish.”

We’re living in a world where all information has been compromised, and every individual at every business is at risk, Derigiotis explains. “The problem doesn’t look to be getting better,” he says. “It’s better to be prepared instead of being caught holding the bag after an attack.”

Photograph by Kenji Toma; prop stylist: Eriko Nagata; Hawaiian fishhook pendant on chain in 18k yellow gold with 0.25 ct. t.w. diamonds, $1,789, Native Hands Jewelry Hawaii, ntvhands@yahoo.com, 808-221-7221