informa

Cybersecurity In-Depth

The Edge

Loss Prevention Teams Up With Cybersecurity to Address Retail Fraud

As retailers roll out more fulfillment options, loss prevention professionals are increasingly shifting their attention from in-store theft to e-commerce fraud.

Prior to the COVID-19 pandemic, most retailers treated omnichannel options as add-ons to their brick-and-mortar storefronts. Then the coronavirus — and the subsequent anxiety around shopping in stores — made home delivery, curbside pick-up, and buy online, pick-up in-store (BOPIS) options a necessity.

BOPIS transactions increased by 208% in April 2020 compared with April 2019, according to a May 2020 Adobe report. Adobe predicted in a March 2021 report that e-commerce spending will reach between $850 billion and $930 billion this year.

With retailers relying more on omnichannel services, loss prevention teams are becoming concerned about  cybersecurity threats and are increasingly collaborating with cybersecurity teams, according to a recent National Retail Federation survey. Per the NRF, 76% of loss prevention professionals said cybersecurity-related incidents have become somewhat more or much more of a priority at their organizations over the past five years.

Cybersecurity Threats and Fraud
It’s not uncommon for teams to operate in silos where they don’t communicate with one another, says Yale Fox, a cybersecurity consultant and Member of the Institute of Electrical and Electronics Engineers. Organizations need to conduct periodic training sessions with employees to prepare them for evolving cybersecurity threats, he says.

Fraud comes in many forms. One common example is a fraudster purchasing an iPhone, removing the iPhone from the packaging, placing something that weighs similar to an iPhone into the packaging, and returning the re-shrink-wrapped package for a refund, Fox says. A cybersecurity element in this kind of fraud comes when the bad actor purchases stolen payment card data and user personal information from online criminal marketplaces to make illicit purchases.

Fraudsters who attack retailers now typically provide false information and trick employees into taking action. This is why employee education on how to spot suspicious activity is critical, Fox says.

Areas of Collaboration
In the past, retailers’ cybersecurity staff were part of their IT departments, whereas loss prevention professionals tended to have law enforcement backgrounds and worked primarily in stores, says Christian Beckner, vice president of retail technology and cybersecurity at NRF. E-commerce has become the next frontier for cybercriminals, in part because retailers have improved the security of point-of-sale systems. This has has made it harder to execute cyberattacks in-store, Beckner says.

“There's a realization that the different parts of the organization have to work together," he says. "They have to have that shared perspective on risk and find ways to coordinate on things, like investigation and incident response, [and] have a common plan for technology development to support security. All those types of things are ways in which their walls have converged,. 

City Hive, an e-commerce platform for alcohol retailers, has conducted calls with retailers’ loss prevention and cybersecurity teams during incident debriefs to assess what went wrong, what the store could have done differently, and what the platform could have done differently, says Roi Kliper, City Hive co-founder and CEO. The company works alongside retailers to determine where cybersecurity threats are and how to prevent them in the future, he says.

Echoing Fox, Beckner also notes theft of consumers’ personal information from retailers remains a problem, as well as email compromise attacks, ransomware attacks, and a range of other threats. At City Hive, the platform primarily sees credit card fraud, which usually involves a bad actor who takes someone’s physical credit card or uses stolen credit card information to make a purchase online, Kliper says.

Retailers Need to Address Security
Though retailers are battling cybersecurity breaches, they also can be ambivalent regarding whether to invest more retailers into cybersecurity defenses. Half of the respondents said their companies are devoting resources toward loss prevention equipment, according to the NRF survey.

Though big-box retailers take cybersecurity concerns seriously, they tend to view cybersecurity measures as a cost without an immediate benefit, like spending money on ads to drive sales — not to mention that data breaches don’t appear to affect companies’ long-term stock price, Fox adds. (Research from IOActive suggests that the impact of data breaches on companies’ stock prices is mixed.)

However, while cybersecurity breaches may not have a long-term impact on their stock value, failing to address these issues could be detrimental to retailers' brand reputation and add to their expenses, Beckner says. In addition to consumers questioning retailers’ commitment to cybersecurity, they must also contend with the costs of cyber insurance and losing sales if their systems are down, he adds.

“For the most part, in terms of the members and companies we engage with, companies are taking this seriously because they know that this is a critical risk and critical set of issues that they need to address, even up to the senior leadership of a company,” Beckner says. “At this point, I think everybody knows — maybe, not everybody knows — what to do but everybody knows that cybersecurity is something you need to take seriously and address.”