The bust ended on a familiar enough note. At a dusty border crossing in San Ysidro, California, a young woman was recently arrested by U.S. postal agents as she waited to cross the border into Tijuana. In her car agents found the five packages of gift cards she’d ordered from a U.S. on-line retailer that they’d observed her pickup.
The investigation began months earlier, right after the retailer introduced gift cards at its on-line store. Within days, the retailer’s sales audit department contacted the parent company’s loss prevention department. Daily review of on-line sales transactions showed dozens of gift cards were being ordered that used legitimate credit card numbers from people all over the U.S. The curious thing was that the cards were being shipped to one of five postal box storefronts in the San Ysidro area.
The retailer called in the U.S. Postal Service and a surveillance operation soon identified the young suspect. In her email address book were copies of over 200 orders placed using stolen credit card numbers. Agents eventually learned the woman had an accomplice in Baja, Mexico, who was stealing credit card numbers from U.S. travelers. A trial is pending.
Old Crime Finds New Tools
Theft is one of the world’s oldest crimes. Crime and computers is nothing new, either. It is generally known, but not deeply studied so far, that criminals invariably keep up with and effectively exploit the latest IT advances.
From the earliest days of the telegraph, telephone, and office automation era, white collar fraud…much of it by employees…has bedeviled business and law enforcement. Retail crime and computers have always been a natural fit. Facing diversion of goods, false inventory reports, and cash-register fraud, loss prevention has had to shift its focus from a traditional “walking the floor” mentality to understanding more complex, new threats that technology-savvy criminals present.
Today, the information technology (IT) revolution rolls on. Retailer spending on everything from new inventory management to article tagging to POS systems grows every year. But arguably the most dramatic change affecting retailers and their LP departments is how retail crime is rapidly being transformed by effective, even innovative use of technology—particularly the Internet and email.
The rapid integration of the Internet into the retail crime world is challenging and radically changing LP at every turn. Understanding the scale and scope of the challenge will help LP executives change their thinking, planning, and communications with management.
As John Talamo, vice president of loss prevention at Columbus, Ohiobased Limited Brands, points out, “Until recently, retail theft had a strong local element. Individuals and small groups tended to dispose of stolen goods locally and quickly. Today, the Internet provides thieves with a global customer base that they can reach cheaply, quickly, and anonymously.”
This presents a particularly difficult challenge for Limited Brands, whose brands include Victoria’s Secret, The Limited, Express, Henri Bendel, Bath & Body Works, and White Barn Candle Co. “Our brands are universally known and have universal appeal,” Talamo says.
Talamo and other LP professionals point out that Internet crime today has two related, but distinct, dimensions. First, just as IT automated old-fashioned retail bookkeeping, the Internet has allowed store employees and shoplifters who continue to steal merchandise or gift cards the old-fashioned way to dispose of it more quickly, profitably, and safely over the Internet, primarily through on-line auction sites.
Rhett Asher, vice president of retail operations and loss prevention for the Retail Industry Leaders Association (RILA), says, “On-line auction sites have changed the character of fencing stolen goods. They are global flea markets where anything and everything, legitimate and illegitimate, is available.”
At one high-end retailer, an employee was recently suspected of stealing laptop computers. He was apprehended after the company started monitoring the Internet sites he was accessing from his company computer. His repeated checks of specific auctions on eBay showed that over several months he had resold over $45,000 worth of stolen computers.
The second and even more frightening dimension of Internet-based retail crime is virtually paperless retail fraud. Much has been reported about the dramatic growth of identity fraud. There are estimates that over seven million U.S. consumers are the victims of identity fraud annually. This includes such mundane crime as thieves looking over people’s shoulders at ATMs or sorting through their trash to much more sophisticated on-line methods of fraudulently obtaining credit card and driver’s license numbers.
One of the fastest growing Internet crimes is the use of legitimate credit card numbers to purchase gift cards from on-line retailers. These cards are then sold at on-line auction sites or bogus e-commerce sites. Certainly the speed and ease, but even more so the anonymity, of such operations poses a unique challenge to LP and law enforcement. Such crime is boundaryless and perpetrators are almost chameleon-like in their ability to morph into other identities.
No Safety in Numbers
How big is the Internet crime problem? Because it’s such a new frontier, sizing it is still a tentative and sometimes frustrating new science. Published statistics about actual cybercrime incidents and losses vary wildly; even more so do projections of future growth.
The latest U.S. Government’s Internet Fraud Report for 2003, issued by the Internet Crime Complaint Center (www.ic3.gov), says that 124,509 complaints were filed, a 60 percent increase over 2002 versus just 106 in 1997. Over 95,000 of these latest complaints were turned over to government agencies for investigation. The top three complaint categories involved on-line auction fraud, non-delivery of merchandise, and credit/debit card fraud. Email and Internet pages were the predominant means by which these incidents occurred.
Interestingly, confirmed dollar losses associated with these complaints came to just $125.6 million. While that is a huge increase over losses of $54 million in 2002, the amount pales to the approximately $35 billion of annual retail losses that have been tracked over many years. However, as Limited’s John Talamo points out, “There’s a consensus among government and private retail sectors that this represents as little as ten percent of actual losses. Many retailers either don’t carefully track or are reluctant to report their actual cybercrime losses.”
This is entirely plausible, if only because other professionally conducted surveys and studies indicate far higher on-line incidents and losses. A 2004 Gartner Group survey found that losses associated with on-line fraud reach $1.2 billion in a 12-month period covering 2003 – 2004. Another survey projects Internet retail fraud in 2005 will reach over $2.6 billion. If you relate these projections to recent U.S. Census Bureau/Department of Commerce estimates that retail e-commerce in the United States grew to $54.9 billion in 2003, you can very roughly size the country’s e-commerce shrink problem as upward of five percent or more.
The one strong and consistent trend in this disparate data is that the number of victims is growing faster than total dollar losses. Internet crime is very democratic in that anyone’s credit card is potentially obtainable by thieves and that everyone has the ability to buy a counterfeit Rolex or Gucci purse. While many businesses and even individuals lose thousands of dollars through Internet fraud, the Internet Crime Complaint Center says the median dollar loss in 2003 was $329 per reported complaint.
There’s Gold Out There!
It’s sometimes overlooked or taken for granted that Internet thieves are well-versed in IT. This includes the intriguing stories we all read about teenage computer wunderkinds who write virus codes and tap into mammoth government or private databases “just because they can.”
The Internet has given retail thieves—large-scale crime organizations and individual thieves alike—a number of strategic advantages that the retail industry and LP professionals need to think about.
Ease and Relative Anonymity
The ease with which individuals can obtain an email address and then many more email addresses without necessarily revealing any specific or correct information about themselves provides criminals a huge advantage.
It’s easy to create multiple “degrees of separation” between reputable auction sites and fraudulent sellers. The use of free email addresses, postal outlets and intermediaries, and stolen identities further makes the identification, exposure, and apprehension a huge challenge.
Tiffany’s manager of investigations, John Pollard, observes that “We see individuals successfully hiding their own identity and while illegally creating Tiffany-like on-line storefronts and auction listings, often incorporating merchandise photography from our website.”
As with all legitimate commerce, the Internet opens a larger world in which thieves can operate and, of course, hide their identities. “Except for the very largest organized crime thefts, stolen goods moved from one store to the local market and sometimes the region. A network of fences existed and was known,” says Limited’s Talamo. “That’s still often the case, but the Internet has made retail theft a global enterprise. Through auction sites and Internet storefronts, stolen and counterfeit merchandise can be sold quickly worldwide.”
With relative anonymity and cross-border jurisdictional complexities always factors, retail Internet crime is a technological as well as investigative challenge on which, until quite recently, most major retailers had not significantly focused.
The Internet is constantly and correctly touted as a great medium for global communications and collaboration. This is a boon to everyone, including thieves.
“The Internet has become a training ground for criminals, including retail thieves,” says Don Burkett, director of loss prevention and systems at Sears. “There are chat rooms where people talk about methods of stealing and about how they can collaborate. Even legitimate consumer chat rooms talk about how to take undue advantage of retail coupon and other promotional programs.”
Mix and Match
A highly effective and disturbing trend that was just waiting to develop is the use of the fast-growing auction community as well as legitimate looking e-commerce websites to fence genuine merchandise that was stolen the old-fashioned way from stores. This ranges from small amounts of merchandise and gift cards stolen by store employees and petty shoplifters to huge heists by well-organized gangs and crime rings.
“Any well-known, high-demand brand is going to encounter a constantly changing mix-and-match crime situation. We have investigated and exposed operations that are using the big on-line auction sites, their own e-commerce websites, and even old-fashioned storefronts in strip malls. They sell both stolen authentic and counterfeit merchandise,” says Talamo.
Most top-name luxury consumer brands, from jeans to perfume manufacturers, have caught small players selling merchandise on-line that they originally purchased in an alley out of a fence’s trunk. There are incidents of counterfeiters…more often than not based in Asia…going directly to the Internet themselves, further streamlining the fraud supply chain and dramatically increasing their profit margins.
An even darker threat to big-box and other mass merchandise retailers is the theft from stores and warehouses of high-demand commodity goods such as baby formula, razor blades, and cosmetics. Several major retailers say these goods are often resold to wholesalers or auctioned at commodity goods websites.
Virtual Fraud Platform of Choice
The on-line auction is the most dramatic illustration of how Internet based crime skillfully integrates the illegitimate and legitimate, and takes profitable advantage of technology. Today, on-line auctions are the preferred platform of Internet-based retail crime. No one really knows how many active Internet auction sites exist. One auction portal claims it networks with over 25,000 auction sites.
Founded in 1995 and today with a market capitalization of over $70 billion, eBay is by far the most successful and well-known on-line auction site. So it’s not surprising that eBay is the lightening rod for a vocal and sometimes angry debate about the respective responsibilities of sellers, buyers, and auctioners in controlling fraud.
The varieties of on-line auction fraud are many. At the core of most of the contention between on-line auction sites and retailers is the perceived ease and impunity with which stolen and counterfeit merchandise can be sold. The anonymous, virtual-reality nature of the Internet marketplace invites into it opportunities to sell or buy legitimate and illegitimate goods using legitimate or illegitimate means of payment.
In one simpler manifestation, retailers are finding gift cards stolen in small quantities by employees are then being auctioned on-line. On the other hand, Joe Hajdu, cybercrime investigator at Limited Brands, says he’s seen much larger cases that are variations on the general theme of mixing and matching the real and the fraudulent. “In once case, we helped apprehend a 21-year-old kid who had used fraudulent credit cards to purchase genuine gift cards and then sell them on eBay,” Hajdu says.
On-line auction fraud takes other twists and turns as well. “In another case,” says Hajdu, “we found an individual who was manufacturing and auctioning counterfeit gift cards. At the same time, he was also auctioning equipment needed to manufacture gift cards and credit cards. He was offering embossing machines, swipe bands, gold tips for the numbers, and even computers needed to make the system work. Of course, this equipment was all stolen.”
Bones of Contention
The on-line auction companies, especially eBay, are attacked by retailers for not putting in place effective controls to prevent sellers from placing counterfeit or stolen merchandise up for auction. eBay and other auction sites have responded that they do, in fact, take Internet crime and retailers’ intellectual property rights very seriously.
Most major on-line auction sites provide substantial information at their websites to educate and raise the awareness of sellers and buyers alike. eBay, in particular, has established a trust and safety function within its security and resolution program. And under its Verified Rights Owner (VeRO) program, eBay works with intellectual property owners to remove counterfeit or possibly copyright infringing items. [See the sidebar “Controlling Fraud at eBay” on page 28.]
But some retailers are unconvinced the on-line auction leaders have done enough. At one website alone, there were recently over 3,400 “Tiffany” items…from necklaces to rings to china…on auction or for outright sale. The majority of those items were listed at under $100.
Recently, Cartier sued Amazon.com and Tiffany sued eBay on the grounds those auctioners have not created controls and policies that reliably prevent the sale of counterfeit or stolen merchandise.
According to Limited’s Talamo, “The on-line auction industry has generally been slow to respond to on-line fraud. But as the public becomes more concerned and as retailer losses skyrocket, auction sites are starting to become more aggressive in their safeguards as well as their efforts to detect and stop criminal activity.”
In spring 2003, RILA brought together eBay loss prevention executives and a group of LP executives. “This was the first productive meeting between a major on-line auction company and our members,” says RILA’s Rhett Asher. “We went into that meeting with a prioritized list of issues. The result was a better mutual understanding, a new communications channel, and a number of specific actions regarding the auctioning of gift cards.”
Asher believes “collaboration between retailers and on-line auctioneers is the only way to make the progress we need. Just as in the old crime days, criminals will always come up with something new. The problem of Internet crime is not going away. So it will take communication and collaboration of everyone concerned to protect everyone’s best interests.”
For example, neither on-line auctioneers nor retailers are certain how the emergence of a slew of auction drop sites—brick-and-mortar businesses that accept, prepare, and send merchandise to on-line auctioneers—will affect on-line crime trends. Some argue these drop sites should be required to obtain ownership verification from would-be auction sellers.
Retooling LP for the New Frontier
No one would disagree that Internet crime is not going away. It will probably get worse in terms of dollar losses and companies and individuals affected and it will constantly change. Because the underlying technology is rapidly evolving, as Sears’ Burkett observes, “Internet criminals are evolving and improving their methods of fraud. Loss prevention’s job is to build and then rebuild controls and safeguards into our retail systems to match and beat anything that comes along.”
Retail executive management and LP executives differ significantly in how aware of and how much impacted their companies are by Internet crime. However, light bulbs of recognition are turning on. There is a growing consensus within LP that positive trends are emerging and should be promulgated widely and broadly.
LP Education and Communication
Every year for some years now, the level of concern and alarm within the retail industry about Internet crime has increased, but arguably not nearly at the same rate as e-commerce itself. Driven by retail and LP professional groups as well as by law enforcement organizations, academic institutions, consumer rights groups, and the popular media, momentum is building to raise the visibility of the threats and losses posed by Internet crime in all its varieties.
Awareness, education, and collaboration within the LP profession must be a driver for effective attacks on and prevention of Internet retail crime. As RILA’s Asher says, “Retailers have always been sensitive about sharing their loss data and LP practices. That attitude is giving way to the realization that losses of all kinds, including Internet crime losses, are best combated through the sharing of incident data and best practices.”
Controls and Safeguards
The idea of building and rebuilding controls to reduce retail theft is hardly a startling proposition. Yet what is old can sometimes have startling impact on the new. One major retailer’s e-commerce operation was seeing steady growth in the use of fraudulent credit cards and delivery addresses. Just tightening controls to require CID numbers and identity and address verification caused losses to plummet.
Cooperation and Communication with Law Enforcement
Heightened concern about the risks and costs of terrorism, as well as natural disasters, have prompted loss prevention executives to help their organizations strengthen their crisis and business continuity plans. Some LP directors and retail association leadership are vocal proponents of building homeland security-like communications channels with federal, state, and local law enforcement agencies who are concerned with Internet and e-commerce crime.
Technology Crime Watch
While Internet thieves can operate in relative anonymity, at least for a time, electronic transactions on the Internet are detectable and trackable. More retailers are now monitoring the Internet on a daily basis—on-line auction sites, particularly—to track transactions involving their brands. They also monitor and go after websites that sell counterfeit merchandise or misleadingly direct consumers to websites that sound and look like legitimate brand websites.
Most corporations, including retailers, routinely audit websites their employees access during work hours. LP executives are starting to recognize that vigilance applies as much to the Internet as it does to the store floor.
Organizing and Staffing for the Fight
LP executives expect to see the emergence of new LP organizations with specialized expertise to attack and prevent Internet fraud and theft. Sears’ Don Burkett argues that a retailer needs a technology-savvy resource dedicated to tracking and leading the attack on emerging Internet threats.
Limited Brands’ organizational approach to dealing with new types of losses could well be a model for other major retailers. Within Limited Brands’ LP department is a dedicated Organized Retail Crime Team (ORCT) that deals with all aspects of internal and external fraud. The unit includes a manager of cybercrime investigations. The ORCT works across all brands, distribution channels, and stores to deal with attacks on its high-visibility brands and merchandise. The unit monitors illegal resellers, auction and e-commerce sites, and other fences of Limited Brands merchandise.
About his role as cybercrime investigator, Joe Hajdu says, “I’ve always been interested in computers. I owned one of the first Macs. And I always thought that criminal justice and the Internet would have a lot to do with one another.”
That premise is true today and will certainly influence the evolution of loss prevention over decades to come.