
Some Organizations Aren’t Taking Cyber Crime Seriously

In an era where digital transformation has revolutionized how organizations operate, it’s baffling that some organizations still do not prioritize cybersecurity. Despite high-profile breaches and the growing sophistication of cyber criminals, many organizations lag in their cybersecurity efforts, leaving their employees, vendors, partners, and customers vulnerable to significant financial, reputational, and operational damage.

One of our employees experienced a personal cybersecurity incident first-hand last week. On Friday morning, she woke up and found three large payments drafted from her bank account and paid to a large department store with which she holds an active, open line of credit. Surprised by the payments, she quickly tried to log in to her account with her mobile app, only to find that her account login information had been changed. She checked her email and found several emails the retailer had sent overnight, including two indicating that her account had changed, three confirming three different payments made on her account, and one confirming that an order had been placed – for a gift card. Her account was clearly compromised.

She immediately contacted the department store’s customer service line and was greeted by a representative who was skeptical about a cyber breach or her account being compromised and insisted the payments on the account were legitimate. Our employee insisted there was a cyber breach, these transactions were not legitimate, and demanded to speak to a supervisor. She was then met with the typical customer service response, “We don’t have any supervisors available right now.” Keep in mind, our employee has held an active – and positive – credit line with this department store for over 15 years. Our employee felt powerless, unheard, and completely disappointed in a brand she trusted.

Her next call was to her bank – a major, national bank. This time, the customer service experience was very different. They immediately identified the transactions as fraud, issued a stop payment, created fraud claims, and promised to return the money – $1,600 – to her immediately.

The following day, she received an email from the retailer indicating that one of the fraudulent orders had been delivered. The email provided an unknown shipping address and phone number – in Newark, New Jersey. You guessed it – the phone number was not accepting calls. However, the name of the addressee on the order was a known person – a friend for whom she had placed an order a couple of weeks earlier. This friend lives across the street from her – many states away from the new order’s delivery address in New Jersey. The cybercriminal tried to disguise their fraudulent purchases as real by using the name of our employee’s own friend from a recent order, hoping she wouldn’t immediately suspect the new order was fraud.

Our employee proceeded to call the retailer again – armed with this new information (evidence) regarding the cybercrime on her department store account, and the retailer finally believed her. In fact, several more orders were placed on her account, and the retailer intercepted and canceled them, marking them as fraud. Finally, the retailer acknowledged the risk and was taking action.

This raises the question – why did the retailer not believe their customer’s claims? Their customer of 15 years (a credit card holder in positive standing for the duration of the credit relationship) did her part and proactively reported the fraudulent activity within minutes of discovering it and within hours of the transactions occurring. And was this cybersecurity incident bigger than one customer? Was more than one of the retailer’s customers impacted? Our employee posed the question and wanted answers, yet the retailer wouldn’t hear it – wouldn’t even consider the possibility of a cyber incident. Organizations must proactively fight back against cyber criminals and prevent future cyber incidents. They need to take reports of cybercrime – especially from known, credible sources (i.e., their own customers) – seriously. The first time. Every time. No exceptions.

Discover how QA Consultants specialists can address your security needs. Speak to an engineer today.