Original Source:    http://business.cisco.com/prod/tree.taf%3Fasset_id=103848&ID=92781&public_view=true&kbns=1.html

Confronting Online Fraud
Companies and law-enforcement agencies worldwide work to eradicate old scams revived with new technology.
Author: Richard Martin

Article Summary:
The technology changes but the scams stay the same. While the Internet and networking advancements improve the way in which global companies conduct business, they also present opportunities for fraudulent groups and individuals around the world to revive age-old schemes online. While they wait for international efforts by governments to address online fraud, companies must protect themselves.

In 2001, two Russian men in Brooklyn, New York, offered a Mercedes-Benz in an online auction. The winning bidder, a North Carolina man, offered $68,000. The “sellers” asked him to fax a copy of the cashier’s check, made out to them, as proof of his good faith, and promised to deliver the car to North Carolina. However, the Russians instead scanned the faxed check and forged new ones made out to various online precious-metals dealers.

“They would order $68,000 worth of Krugerrands, and the dealer would call the bank in question to verify the check,” recalls James Doyle, the New York Police Department (NYPD) detective who investigated the case as the head of the department’s cybercrime unit. He became involved when a postal carrier alerted the NYPD after noticing the men were receiving large amounts of gold coins. “What do you think the bank said? ‘The check is good,’ so the dealers would ship $68,000 in gold coins to Brooklyn.”

The NYPD raided the house and arrested the men—a successful conclusion to one of the many online fraud cases investigated by Doyle, now president of consulting firm Internet Crimes. The Krugerrand con was an elaborate, if unsophisticated, example of the growing plague of online fraud, scams, and theft that are slowing the development of e-commerce, costing businesses millions of dollars a year, and vexing law-enforcement agencies worldwide.

Proliferation of Fraud

The Internet Fraud Complaint Center (IFCC), with support of the National White Collar Crime Center and the U.S. Federal Bureau of Investigation, referred some 48,252 cases of online fraud in 2002, a threefold increase over 2001. The $54 million in total losses from those referred cases was triple that of the previous year. The IFCC collects complaints worldwide; most come from the United States, but the 2002 totals include complaints from Australia, Canada, Germany, Great Britain, and Japan.

Auction fraud is by far the most prevalent form of online fraud reported, representing nearly half of the IFCC’s total cases. Other popular scams include nondelivery of merchandise or payment, and credit- or debit-card fraud. The most expensive con? The notorious "419" scheme, named for an article in the Nigerian penal code, in which the target receives an e-mail requesting urgent help with a transaction and promising thousands of dollars in fees in return for an up-front payment, often for “bribes” to be paid to the Nigerian government. Despite its notoriety, this scam continues to find victims, whose median losses total $3,864, according to the IFCC.

Most online fraud scams affect consumers, but businesses suffer greater direct or indirect losses. According to most experts, companies tend to vastly underreport online fraud because it looks bad in the news headlines.

“These kinds of losses are rarely reported to the board of directors or to stockholders,” says Edward Appel, chief operating officer of the Joint Council on Information Age Crime, a nonprofit organization that works with law-enforcement agencies and corporations to battle online fraud and computer intrusions.

Beyond monetary losses, companies suffer damage to their reputations when scammers misuse a company’s name, logo, or Web site to commit fraud against consumers. Many financial institutions have seen sophisticated criminals erect fake “front-door” Web sites that are almost indistinguishable from a bank’s real Web page, on which customers are asked to enter private information.

The costs of online fraud, in terms of lost revenue, customer dissatisfaction, and even in slowing e-commerce development, are literally incalculable, says Ira Winkler, chief security strategist for HP. But these costs pale when compared with the financial losses related to corporate fraud committed by company insiders. “We’re talking about actual, major losses of money, much more than is involved with online [consumer] fraud,” Winkler asserts.

Many experts concur. While companies focus on preventing well-publicized computer intrusions by outsiders, employees are backing electronic trucks up to the virtual loading docks and making off with millions.

“Technology moves faster than the law, and the private sector has an advantage over law enforcement. One primary flaw is human beings: especially the ones who work for us,” says Appel.

Global Antifraud Efforts

Both the European Union and the United States have launched anti–online-fraud initiatives. The White House released a report in September 2002 entitled “The National Strategy to Secure Cyberspace.” Widely viewed as toothless, according to Winkler, the plan focuses on recommendations to prevent hacking but provides little guidance on preventing other types of computer misuse, such as online fraud.

As online sales volume increases, so will the dollar value lost to online fraud, according to a report from online payment-verification firm CyberSource Corp., which found that nearly 40% of online merchants plan to implement “payer-authentication systems”—methods of confirming that online purchasers are the authorized credit-card holders—this year. The upshot? Consumers will be asked to provide more information before making purchases online. How this will affect e-commerce is unclear.

In 2001, the Council of Europe—a forum established in 1949 to uphold human rights and promote lawful democracy, which now has more than 40 member states—approved the Convention of Cybercrime, the first international treaty governing computer fraud, Internet pornography, and network intrusion. Five nations, including three Council of Europe members, must ratify the nonbinding treaty before it goes into effect.

Unfortunately, the Cybercrime Convention has attracted as much controversy as it has offered solutions to the problems it tries to address. In particular, privacy advocates have attacked the treaty, saying that Internet service providers will be forced to act as law-enforcement surrogates, collecting and handing over to authorities confidential information on their customers. The outcry over early versions of the Convention of Cybercrime caused it to go through more than two dozen drafts. As of July 2003, 37 nations had signed the convention, but only 3 had ratified it.

Other efforts have fared better. The European Working Party on Information Technology Crime, a coalition of multiple law-enforcement bodies, was formed in 1990 and meets three times annually. To date, the Working Party has developed a computer-crime manual for investigators, presented various training courses for law-enforcement agencies, and developed a rapid information-exchange system that includes an international 24-hour response system for high-tech crimes.

The G8 Subgroup on High-Tech Crime, meanwhile, has released a raft of documents on online fraud and network vulnerabilities and has developed its own International Organization on Computer Evidence, an effort to create an international forum for law-enforcement agencies to exchange information concerning computer investigation and computer forensic issues.

Business Protection

For small and medium-sized companies looking to combat online fraud, the first step is to use common sense, advises Erik Laykin, president of OnlineSecurity, an Internet investigation firm. There are very few new frauds, Laykin points out—only the technology is new.

“Even in today’s world of high technology and electronics, most scams come down to human interaction,” says Laykin. “It could be an unsolicited phone call or an e-mail from someone who knows exactly what to say to exploit your vulnerabilities or some other type of social engineering. Or it may be a more complex conspiracy of individuals or organizations looking to defraud people.”

While international efforts proceed slowly to unify the myriad national legal systems involved, businesses must take steps to protect themselves. Establishing an executive-level director of corporate security is crucial for any company, regardless of size. It’s like battling terrorism, according to Ron Moritz, senior vice president and chief security strategist at Computer Associates International.

“You really can’t do homeland security or business security without bringing the functions of physical and electronic protection and business continuity under a single directorate,” says Moritz. “It’s what the federal government is doing, and it’s what progressive corporations have done.”

Then, it’s a matter of taking concrete and verifiable steps: compartmentalizing online databases so that few individuals have access to the range of corporate data; using Internet-trolling or “spidering” technology to search out misuse of corporate names or logos; communicating with customers only in secure settings and keeping them informed of threats and preventive measures; and, most important, viewing good security and fraud prevention as a competitive advantage.

The key is to “make security a strategic marketing principle in everything you do,” says Appel. “A lot of companies don’t get that. They’re afraid that their main customer base doesn’t really care. People do care, and if you’re going that extra step, they’ll choose you over another vendor.”

Ultimately, the market will force companies to pay more attention to online fraud. The question is, How long will it take?

iQ Magazine, September/October 2003