Shop.org Member TeleSeminar: - PowerPoint PPT Presentation

Provided by: UGSM
1
Shop.org Member TeleSeminar: Catch of the Week: 10 Things Your Business Can Do to
Circumvent Phishing
June 17, 12:30-1:30 p.m. ET
http://shop.org/teleseminar05/june
Dial-in: 800-862-9098 or 785-424-1051, Code: Shop.org
2
It's Win-Win in Vegas!
  • Shop.org Annual Summit
  • Sept. 12-14, 2005
  • The Venetian, Las Vegas, NV
  • www.shop.org/summit
  • Keynote Speakers
      • Barry Diller, Chairman and CEO,
        IAC/InterActiveCorp
      • Esther Dyson, Editor-at-Large, CNET Networks
      • Kelly Mooney, President and Chief Experience
        Officer, Resource Interactive

3
Shop.org Board of Directors Elections Schedule
  • Throw your hat in the ring!
  • Submit your nomination to become a Shop.org Board member
  • July 1: Nominations due
  • July 18-29: Voting
  • August 5: Results announced

4
Pre-order the SORO 8.0 Benchmarks Report
  • State of Retailing Online 8.0
  • June 24: Performance Benchmarks Release
  • Available at special member price of $2,495
  • Go to www.shop.org/soro to see how you can save $1,000 by extending your
    Shop.org membership for one year

5
  • Catch of the Week: 10 Things Your Business
    Can Do to Circumvent Phishing
  • Presenters
      • Cassandra Imfeld, Director Marketing
        Communications, SunTrust Corp.
      • Angela Lisa Crouse, Internet Marketing Manager,
        Paul Fredrick Menstyle
      • Sundeep Kapur, Director Strategic Marketing, NCR
        Corporation

6
Agenda: Phishing
  • What is it? How is it used?
  • Examples of Phishing
  • Impact of Online Fraud
  • SunTrust's Response
  • Best Practices
  • Where to Learn More
  • Q&A

7
Overview
  • What is it?
      • Email Fraud (Phishing): Fraudulent emails or Web
        pages, often including a legitimate company's
        logo or images, that attempt to illegally obtain
        clients' confidential information.
      • Pharming: Code that compromises users'
        computers and redirects them to fraudulent Web
        sites, even if users type in the correct URL.
      • Identity theft: The act of impersonating
        another by using the person's
        information, such as birth date, Social Security
        number, address, name, and bank account
        information.

Commonly asked-for information:
  • Account numbers
  • Credit and check card numbers
  • Social Security numbers
  • Internet Banking sign-on IDs and passwords
  • Mother's maiden name
  • Date of birth
  • Other sensitive information
8
Overview
  • How is it used?
  • Once criminals obtain this information, they can:
      • Charge expenses to victims' accounts
      • Create new accounts in victims' names
      • Use victims' personal and account information for
        other illegal purposes.
  • This can also lead to identity theft.
  • Who is really liable?
  • What happens to the brand?

9
Email Example
Legitimate Looking From Email Address
Company Logo
Urgency
Embedded URL
Typo
10
Email Example
11
Email Example
12
Web Site Example
URL Looks Real
Appears to be Standard Login Screen
13
Web Site Example
14
Web Site Example
15
Impact of Online Fraud
  • Direct losses due to online fraud are estimated
    as high as $1.2 billion in 2004 for businesses
    and consumers.
  • More than financial loss
  • Challenges to customer service
      • Increase in call and email volume
      • Customer service responses (quality)
      • Processes to handle reports of online fraud
      • Need for dedicated resources
      • Increased Web site traffic - potential to bring
        down the site
  • Challenges to brand equity/company reputation
      • Clients may believe that your company has not
        done enough to protect them against online fraud.

16
SunTrust's Response
  • Formed the Online Fraud Task Force
      • People
      • Process
      • Technology
  • Developed the SunTrust Client Commitment
      • SunTrust will never send unsolicited emails
        asking clients to provide, update or verify their
        personal or account information, such as
        passwords, Social Security Numbers, PINs, Credit
        or Check Card numbers, or other confidential
        information.

17
SunTrust's Response
  • Developed and executed comprehensive internal and
    external communication campaigns
  • Implemented internal processes for handling fraud
    reports
  • Developed and implemented aggressive processes to
    identify and remove sources of online fraud
  • Working with Secret Service, industry groups and
    other financial institutions

18
Best Practices
  • Be Prepared: Don't think that this can't happen
    to your company. This is not just a bank
    problem.
  • Create a cross-sectional team dedicated to
    addressing online fraud issues
  • Determine a budget
  • Conduct an internal audit of communication
    practices
  • Develop strategic internal and external
    communication plans

19
Best Practices
  • Be Prepared
  • Develop and document processes
      • Handling inquiries and reports of online fraud
      • Analyzing and implementing technologies
      • Communicating internally and externally about
        online fraud
          • Employees
          • Senior management
          • Clients
          • Prospects
          • Industry
          • Third party resources/vendors/partners
  • Educate and train employees
      • Basics about online fraud
      • Processes for reporting fraud

20
Best Practices
  • Online Process
  • Don't ask clients for personal or account
    information in unsecured emails
  • Avoid using pop-up windows or unsolicited instant
    messaging/chat
  • Never use pop-up windows or instant messaging to
    collect personal or account information
  • Don't direct users to Web sites by IP addresses
  • Do not use embedded links (or, even better, any links
    at all) in emails
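
The link rules on this slide can be checked automatically before a campaign is sent. The following is an added example, not part of the presentation: a small Python linter for an outbound HTML message. The sample message, the rule names and the reading of "embedded link" as a link whose visible text is not the URL itself are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; hosts are documentation-only values.
SAMPLE_EMAIL = """
<p>Dear client, your statement is ready.</p>
<p><a href="http://192.0.2.10/login">Sign on</a></p>
<p><a href="https://www.example.com/statements">View your statement</a></p>
<p><a href="https://www.example.com/help">https://www.example.com/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.cur_href, self.cur_text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.links.append((self.cur_href, "".join(self.cur_text).strip()))
            self.cur_href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_email(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []  # (rule, href) pairs in document order
    for href, text in parser.links:
        if is_ip_literal(urlsplit(href).hostname or ""):
            findings.append(("ip-address-link", href))
        # Assumption: "embedded" = visible text is not the URL itself.
        same = text.rstrip("/").lower() == href.rstrip("/").lower()
        findings.append(("visible-link" if same else "embedded-link", href))
    return findings
```

A message that passes with no findings contains no links at all, which is the slide's preferred outcome; `visible-link` findings are the least severe because the client can read the destination before clicking.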

21
Best Practices
  • Proactively Educate Clients
  • Instruct clients to:
      • Always use caution when disclosing confidential
        information
      • Never respond with personal or account
        information to unsolicited emails or pop-up Web
        pages
      • Call the company the communications appear to
        come from if they're unsure as to its legitimacy
      • Type Web addresses into browsers instead of
        clicking on links in emails
      • Keep anti-virus, anti-spam and anti-spyware
        software up to date
      • Change passwords and PINs every 30 to 60 days
      • Monitor accounts and credit reports for
        suspicious activities

22
Best Practices
  • Reinforce Your Commitment to Security
      • Tell clients the security of their personal and
        account information is your highest priority
      • Reassure clients you're aware of the fraudulent
        activities
      • Reiterate that you have processes, policies,
        technologies, and teams in place to help fight
        against online fraud
      • Assure clients that their email addresses were
        not obtained from your company

23
Best Practices
  • Dedicate Content on Your Web Site to Fraud
  • Create a central site where clients can find:
      • Latest information about online fraud
      • Examples of phishing emails or Web sites
      • Latest phishing tactics (e.g., banner ads, context-
        aware emails, etc.)
      • Instructions on how to report online fraud
      • Tips on how to help protect themselves against
        fraud
      • Information on how your company protects their
        personal and account information

24
Best Practices
  • Online Messaging
  • Personalize online communications when possible
  • Proofread and spell check all online
    communications
  • Include information about your online
    communication practices
  • Include information about how to report online
    fraud

25
Best Practices
  • Work with IT
  • Set up audit trails everywhere: Anything that
    contains customer information should have an
    audit trail. Unique usernames and passwords
    should be used for every single person accessing
    the information so that you can tell who accessed
    what.
  • Be very careful with internal usernames and
    passwords: Follow the most secure methods for
    setting up usernames and passwords. Make sure
    your company policy explicitly states that
    sharing your username and password with other
    employees or anyone outside of your company is
    prohibited.

26
Best Practices
  • Work with IT
  • Don't have anything on your site domain that you
    don't want anyone else to see: Many don't realize
    that it's very easy to see every single page
    listed off your main domain. If you have an
    admin site that uses your main domain, this could
    be found by anyone. Don't tempt scammers to try
    to hack in to your admin - put it somewhere else.
  • Filter out everyone: For anything that contains
    sensitive information, restrict who views it by
    IP if possible.
  • Become best friends with your log files: Routinely
    have your IT people check the log files to see if
    any intrusion attempts have been made.
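
A routine log check of the kind this slide describes can be scripted. The following is an added example, not part of the presentation: it reads Web server access-log lines and reports requests for a sensitive area that came from outside the permitted networks, plus addresses that were repeatedly denied. The Common Log Format input, the `/admin` prefix, the allowed network and the threshold of three denials are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Common Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jun/2005:12:31:02 -0400] "GET /admin/login HTTP/1.1" 401 512
198.51.100.7 - - [17/Jun/2005:12:31:03 -0400] "POST /admin/login HTTP/1.1" 401 512
198.51.100.7 - - [17/Jun/2005:12:31:04 -0400] "POST /admin/login HTTP/1.1" 401 512
192.0.2.25 - alice [17/Jun/2005:12:40:10 -0400] "GET /admin/customers HTTP/1.1" 200 9042
203.0.113.9 - - [17/Jun/2005:12:41:00 -0400] "GET /catalog/shirts HTTP/1.1" 200 20480
203.0.113.9 - - [17/Jun/2005:12:41:05 -0400] "GET /admin/ HTTP/1.1" 403 199
"""

# host ident user [time] "method path ..." status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def review_log(text, allowed_nets, sensitive_prefix="/admin", max_denied=3):
    """Return (requests from outside allowed_nets, repeatedly denied addresses)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    outside, denied = [], Counter()
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        ip, user, when, method, path, status = m.groups()
        if not path.startswith(sensitive_prefix):
            continue  # only the sensitive area is reviewed here
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # host field is a name, not an address
        if not any(addr in net for net in nets):
            outside.append((ip, when, path, int(status)))
        if status in ("401", "403"):
            denied[ip] += 1
    repeated = sorted(ip for ip, n in denied.items() if n >= max_denied)
    return outside, repeated
```

Requests listed in `outside` with a 200 status mean the IP restriction is not actually being enforced for that path and deserve attention before the denied ones.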

27
Q&A
28
Contact Information
  • Cassandra Imfeld
  • 404-813-7146 Cassandra.Imfeld_at_suntrust.com
  • Angela Lisa Crouse
  • 610-944-0909 ACrouse_at_menstyle.com
  • Sundeep Kapur
  • 803-939-2524 Sundeep.Kapur_at_ncr.com
  • www.serviceinaction.com/fraudinfo