RAPAPORT… Major jewelry outfits from Stuller to Graff have already fallen prey to cyberattacks, so it’s only a matter of time until smaller jewelers become the next victims of digital fraud. Many may remember reports of Stuller’s cyberattack in 2020 that shut down phones and delayed shipments, and then Graff’s ransomware attack in 2021 breached customer names and addresses.
“Big retailers suffer most, but often people don’t tell us about these incidents or report cybercrimes,” says John Kennedy, CEO of the Jewelers’ Security Alliance (JSA), a non-profit association that provides crime information to jewelers and assistance to law enforcement. His bureau’s most recent Annual Crime Report underscores the point that cyber crime isn’t even a category of note, unlike robbery and burglary.
Security data confirms cyber risks for companies — jewelers included. In a 2022 survey from Stanford University and digital security firm Tessian, 52% of respondents revealed they fell for a phishing email in which a cybercriminal impersonated an executive, a 41% increase on 2020 figures, and 36% admitted to making a mistake at work in the last 12 months that compromised security.
“Employees must be aware of risks and procedures,” says Itay Hendel, CEO of ISPS, a loss prevention specialty firm specializing in jewelry and art. “[Staff] don’t realize that with the touch of a finger, they can dramatically affect a company for good or bad.”
Down the rabbit hole
According to Ryan Ruddock, senior crime analyst at the JSA, there are three main types of cyber fraud encountered by jewelers. The first and most prevalent is phishing — manipulation delivered by way of links or attachments in emails.
When clicked, links can lead to legitimate-looking websites that ask you to enter personal information such as bank details, which fraudsters steal for personal gain. Attachments, meanwhile, can embed malicious software into your computer, sometimes infecting other computers or shutting down systems entirely, with criminals asking for ransoms to release the data.
Kennedy recalls a small jewelry chain falling victim to such a crime. The business was completely locked out of all systems — accounting, inventory, clients — until they paid a $100,000 ransom. “Then they had to pay an IT company to come in and clean up their computers,” he says.
Hendel has seen his share of such instances and urges merchants not to rush to pay the criminals. “You do it today and they’ll ask for more tomorrow,” he says. Instead, have a professional IT department on standby that knows how to deal with this type of hacking.
“If the domain in an email has numbers or letters and the language is off, don’t open it,” adds Hendel. “If it sounds or looks weird, then it’s a red flag.” To avoid becoming a victim of phishing, don’t click on suspicious links or downloads; delete them.
Compromised correspondence
Another common type of cyber crime among jewelers is impersonating a supplier or executive over email. This activity is called business email compromise (BEC) by the Internet Crime Complaint Center (IC3; ic3.gov), a site established by the Federal Bureau of Investigation (FBI) for the public to report such malfeasance. Another name for this deception is spoofing.
Telltale signs include emails that recipients think are from a person they know, such as a supplier or company executive. The email addresses, however, are just slightly off — they have an extra letter or two than the sender’s actual email. Often, criminals will research staff and vendor names and job duties to set up an authentic-looking scam.
“Criminals will make emails look like they are coming from the CEO — someone staff might be reluctant to question. The request will be a one-time event and there will be a big rush on it,” says Kelly Ross, 24-year veteran of the Canadian police and a security advisor for Jewelers Vigilance Canada.
Always look closely at the email addresses, should you get suspect and time-sensitive correspondence asking for funds or product. Call the individual in question to verify the request.
Phone fakes
A final category of cyber crime is vishing — impersonating someone of importance over the phone to secure money or goods. Efforts can be convincing. Kennedy recalls one such scam from about five years ago where a prisoner in jail called luxury brands — “Fifth Avenue mainstays,” says Kennedy — and convinced them to loan products for a music video. “The prisoner had a colleague pretending to be an executive show up to collect the goods,” he explains.
This offense and the other two occur through social engineering, explains Ruddock. “It is the art of human hacking — manipulating people into revealing confidential information.”
To thwart these efforts, experts recommend calling known contacts to verify stories and securing copies of photo IDs in person. Cross-reference callback numbers or let suspect calls go to voicemail so you and your IT professional can determine if numbers are legitimate.
In general, the best way to avoid all manner of cyber fraud is by slowing down, scrutinizing outreach and calling known contacts for confirmation, according to Steve Gonzalez, senior supervisory resident agent in the Brooklyn/Queens office of the FBI, and supervisor of the FBI/New York Police Department major theft task force. “When the pressure to make sales is on, it’s easy to move too quickly and not pay attention and that’s usually when things go wrong,” he says.
This article was first published in June 2022 in a special Rapaport supplement titled Retail in the Digital Age.
Image: Shutterstock.