By Larry Spicer
Amidst pandemic-related lockdown measures, more and more business owners turned to e-commerce as a way to stay connected with their customer base and make sales. For many, these digital platforms are invaluable, as they provide convenience for the consumer, as well as efficient and seamless payment processes.
However, as e-commerce technology continues to evolve and become more sophisticated, criminals, in turn, are developing new tactics to target the assets of businesses without ever stepping foot inside a store. As such, it is beneficial for you, as a small business owner, to be aware of the threats associated with cybercrime and how you can protect yourself in an ever-evolving digital age.
Cybercrime refers to computer-oriented criminal activity. It takes many forms and may include:
- identity theft using phishing techniques via email, text, or phone calls;
- the setting up of fake accounts that mimic those of a company’s suppliers, then asking for payment to that account; or
- taking over a store’s mailing system to obtain private information from its customers.
As with many security measures, the most efficient way to protect your business and your customers is to remain aware of your potential vulnerabilities, as well as implement steps to strengthen your security.
For starters, it is worth noting that, even if you do not sell inventory online, any computer connected to the internet can become a target (or, a source of attempted crime). This is even more relevant if you have a broadband connection and are using either a cable or DSL that is always on.
Consider the following measures to enhance your digital security:
- Add security and anti-virus/anti-malware software to any computer connected to the internet. Further, depending on how you use the web, increase the levels of intrusion protection and detection (including firewalls), making certain to change the product default passwords.
- Keep your systems current with applicable vendor security patches. Update anti-virus/anti-malware software weekly (or even daily).
- Take extreme caution when opening and downloading email attachments unless you know exactly what is included in the message and who sent it to you.
- Likewise, practise extreme caution when clicking on links in emails unless you know it is from a reliable source. Email phishing is the most common way computers are compromised.
- Protect access to inventory and financial records stored on computers—this extra step prevents potentially disgruntled former employees from stealing, altering, or destroying important business data. Additionally, protect all information that is stored—restrict access, use security software to encrypt data, and do not retain data for longer than necessary. Protect both the primary source and any back-ups.
- Use access protection methods (e.g. strong passwords and/or passphrases) to prevent unauthorized individuals from gaining access to your systems. Multi-factor authentication is recommended when connecting to systems remotely.
- Back up and save computer data regularly. Make sure to test the back-ups often and store them at a site away from your business location. Encrypting back-ups is recommended.
Often referred to as a ‘necessary evil’ for small operations, payment card processing can, indeed, be overwhelming and expensive for business owners.
When making sales by way of payment card transactions, there are a few considerations to keep in mind. The first is the type of payment card being used—as in chipped (e.g. Visa, Mastercard, etc.) or non-chipped (i.e. magnetic stripe). Chipped cards are much harder for criminals to duplicate, making the non-chipped variety more of a target. This means, of course, there is a higher risk when conducting sales with these cards.
It is a good idea to create a committed practice around payment card acceptance—one that is written into your store policy. When drafting such a document, consider these best practices:
- Follow the rules set out in the merchant account agreement for accepting payment by way of payment cards. If you fail to do so and a sale is determined to be fraudulent, there is slim chance of recovering the loss, even if you have insurance to protect yourself from these scenarios.
- Match the purchaser’s signature to the name on the payment card. Take the time to read it closely—don’t just take the signature at face value.
- Check the payment card for a signature on the back. If it doesn’t have one, get the client to produce another form of identification with their name and signature on it and have them sign the payment card so you can compare. Check the secondary form of ID to ensure the name matches the signature on the payment card as well.
- Should you have an after-sales program (e.g. free cleaning and servicing for a year) requiring a client signature to enrol, use this paperwork to further verify a signature match.
- When processing a payment over the phone, request the following pieces of information for every order:
- complete credit card number;
- expiration date;
- security/CVV code; and
- billing postal code (match the billing and shipping postal codes while on the phone; if they are different, ask the customer why they don’t match).
- Additionally, on the signature line of the receipt, write ‘phone order’ and file the paper receipt. When shipping the order, purchase tracking for the shipment so you have a paper trail. This will make it more difficult for a customer to claim their goods were not received or it was fraudulent.
- Know your customer. After all, good sales practice is to have a rapport with a client, which means obtaining their name and remembering it. This happens at the front end of a potential sale, before a payment card is presented. When and if a payment card is presented, verify the name they provided matches that which is on the payment card.
For added security, you can also protect your business with a cyber liability insurance policy. This covers the loss of money incurred due to financial fraud, as well as liability claims where there is a duty to defend lawsuits or regulatory penalties are incurred.
Larry Spicer is vice-president of loss prevention and risk management at Jewelers Mutual Insurance Group in the United States. He has more than 20 years’ experience as a security professional. Comments and questions can be sent to email@example.com.
For resources regarding safety and security when carrying or working with jewellery, visit JewelersMutual.com. For more information on reliable burglar alarm systems, subscribe to the Jewelers Mutual Clarity blog at jewelersmutual.com/clarity-blog. Jewelers Mutual Insurance Group is the only company specializing exclusively in jewellery insurance in Canada and the United States. It is licensed in Canada and all 50 states.