Beware the Free Gift
Who doesn’t love the promise of a free gift after buying something online? How about a gift card for completing a short survey? Or free enrollment in customer reward programs to encourage customer loyalty?
Companies regularly take advantage of these programs to help reduce the cost of their equipment and supplies purchases, business travel, events, and other company expenses.
Individual consumers and employees respond frequently to online invitations to earn free gifts for taking specific actions, such as completing a survey.
While most of these programs are legitimate and deliver their rewards as promised, hackers and scammers exploit the same offers for financial gain. Today we’ll look at three types of scams, how they work, and what companies can do to help prevent them.
Survey Scams
Surveys are everywhere these days. Some are delivered by pop-up ads, but most are offered via email. In 2019, more than 293 billion emails were sent each day, and almost half of them were spam, according to Statista. It’s unclear how many of those spam emails carried survey offers, but survey scams, dangling rewards such as free services, free product trials, free gift cards, and other prizes, are among the most common.
Whether the link arrives in a pop-up ad or an email, the survey itself is hosted on a website, and it usually asks respondents to enter basic personal and demographic data before answering the survey questions.
Survey scams work in a few different ways. The simplest is a fake survey site that exists only to harvest whatever the respondent types in. Attackers may also compromise a legitimate survey website and steal the data its respondents enter. Or adware or other malware already installed on the respondent’s computer may change browser settings so that a click on a legitimate survey link is silently redirected to a look-alike site that collects the data; the user sees nothing unusual. In each case the promised reward never arrives, the data entered is stolen for the attacker’s own use or for sale on the black market, and identities can be stolen.
According to the Federal Trade Commission, identity theft cases more than doubled from 2019 to 2020, from 650,000 in 2019 to 1.39 million in 2020. Identity theft is no small crime. It can create difficulties in applying for credit, finding work, and correcting negative or false information in records.
Securing Surveys
Various companies rely on surveys to drive customer reward programs, marketing, and promotional initiatives, product research and development, and other business functions. These organizations should review the steps in the survey process to discover vulnerabilities and strengthen the security around those gaps.
- Validate the security safeguards used by the survey provider and by the email service provider that sends the survey invitations and links.
- Conduct a website security assessment and shore up security accordingly.
- Review all links to the survey platform; analyze data flow in and out of the platform; review data storage policies, procedures, and data safeguards.
- Require strong passwords and multifactor authentication for administrative access to the survey platform and its collected data.
- Implement role-based access controls; monitor employees’ network activity for signs of program abuse.
- Use an enterprise password manager to gain visibility into employee password practices; monitor password use; enforce password security policies, including strong, unique passwords.
- Set up shared folders and employee permissions based on each employee’s role and responsibilities in the survey program.
- Train and retrain employees in safe online practices and good security hygiene. Employees who can recognize a spoofed survey invitation are the last line of defense when technical controls miss one, so the importance of security training cannot be over-emphasized.
Free Gift Offers
Many companies offer free gifts for trying the company’s products for the first time, for achieving a preset buying threshold, or for being the 100th customer to perform a certain action, for example. One of the most notorious of these scams is the fake “Google Rewards 5 Billionth Search” pop-up.
In this scam, a consumer, employee, or other online user receives a pop-up box as they work online. The pop-up announces they have just completed their five billionth Google search and are eligible for their choice of three prizes.
Fake Websites
Clicking on any of the prize icons sends them to a fake website.
The website looks legitimate and asks them to enter all the necessary personal information to claim their prize.
And boom – just like that, hackers accumulate stolen personal data for malicious purposes.
The harvested data is marketable: usernames and passwords, email addresses, credit card numbers, postal addresses, dates of birth, and other sensitive information. Beyond fake sites, attackers may also try to intercept traffic between a user and a company’s legitimate website, for example by eavesdropping on an unencrypted connection over public Wi-Fi, which is why the transport to those sites must be protected too.
Securing Free Gift Offers
Organizations that use pop-up ads and email campaigns to entice customers with free gift offers should monitor the points of vulnerability on a regular basis and follow industry best practices, including vulnerability and penetration testing.
- Make sure that ad messaging is professional and that every link in a pop-up or email points directly to the company’s own website or ad landing page, not through a redirect on a third-party domain, so that customers can recognize a legitimate link.
- Conduct periodic website and email security assessments and take action to mitigate identified risks.
- Educate employees to be cautious in responding to others’ pop-up ads and email offers, especially not to click on links they don’t recognize.
- Restrict employee access to external websites based on roles and responsibilities.
- Require a virtual private network whenever employees connect to company systems and email from outside the network, especially over public Wi-Fi.
- Enforce strong, unique passwords for every account and multifactor authentication. Require a password change when an account may have been compromised; current NIST guidance (SP 800-63B) advises against forcing changes on a fixed schedule, which tends to produce weaker, predictable passwords.
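One concrete way to carry out the link review above, as an added example that is not code from the original article: a small Python check that parses the links out of a campaign email or pop-up and flags any that do not point at the company’s own domain. The company domain (example.com) and the sample HTML are assumptions constructed for this example; the look-alike tricks it catches (a parent domain hidden inside an attacker’s host name, a digit substituted for a letter, a user-info prefix, a punycode host, and plain http) are the common ones.

```python
"""Campaign link check: added example, not code from the original article.

Every link in an outgoing pop-up or email should land on the company's own
domain. The company domain (example.com) and the sample HTML below are
assumed/constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the only domains a legitimate campaign link may land on.
ALLOWED_DOMAINS = ("example.com",)


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in a piece of HTML."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())


def host_is_allowed(host):
    """True only for an allowed domain itself or a real subdomain of it.

    The suffix check runs on the whole host, so 'example.com.evil.net'
    is rejected: it ends in 'evil.net', not in '.example.com'.
    """
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def link_problem(url):
    """Return None if the link is acceptable, otherwise a short reason."""
    parts = urlsplit(url)
    if not parts.scheme:
        return "relative link, destination unclear"
    if parts.scheme != "https":
        return "not https: " + parts.scheme
    if "@" in parts.netloc:
        # https://example.com@evil.net/ really goes to evil.net
        return "userinfo trick, real host is " + str(parts.hostname)
    host = parts.hostname  # lowercased, port stripped
    if not host:
        return "no host"
    if host.startswith("xn--") or ".xn--" in host:
        return "punycode host, possible look-alike: " + host
    if not host_is_allowed(host):
        return "host not on allowed list: " + host
    return None


def check_campaign(html):
    """Return (url, reason) for every link in the HTML that fails the check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.links:
        reason = link_problem(url)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed sample: one good link and five that must be flagged.
SAMPLE_HTML = """
<p>Claim your reward <a href="https://rewards.example.com/claim?c=1">here</a></p>
<a href="https://example.com.evil.net/claim">prize</a>
<a href="https://examp1e.com/claim">prize</a>
<a href="https://example.com@evil.net/claim">prize</a>
<a href="http://example.com/claim">prize</a>
<a href="https://xn--exmple-cua.com/claim">prize</a>
"""

if __name__ == "__main__":
    for url, reason in check_campaign(SAMPLE_HTML):
        print(f"FLAG {url}: {reason}")
```

Run it against the rendered HTML of each campaign before it goes out; a single flagged link is enough to hold the send, since customers cannot tell a misdirected link from a phishing one.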
Loyalty Program Hacks
Loyalty programs appeal to businesses as well as consumers. The most popular offer discounts on airline travel, hotels, and rental cars. Others reward frequent purchases of office supplies, furniture, clothing, cosmetics, food, and even services such as dental care and air conditioning maintenance. Some loyalty programs charge a fee to enroll. Others do not.
Some customer reward programs award points that can be converted into digital currency to buy gifts online from third-party websites.
What they all have in common is some form of online enrollment on a website form or landing page that requires the entry of personal and/or company information in order to activate the account. In addition to the usual data, these programs may require income levels, travel preferences, trips taken, hotel locations used, and similar information to enable the company to customize offers.
Attractive Targets
Hacks of travel reward programs have made headlines frequently. One of the most publicized was the Marriott/Starwood breach, in which attackers had access to the Starwood guest reservation database for about four years before it was discovered in 2018, exposing hundreds of millions of guest records. Stolen loyalty data is usually sold on the dark web, although hackers also redeem the rewards for personal enjoyment.
Hacked customer reward programs can incur very real costs, as the Dunkin’ Donuts DD Perks program shows. Attackers used credential stuffing, trying usernames and passwords leaked in other companies’ breaches against DD Perks accounts, and took over the accounts whose owners had reused a password, then spent the stored value. In addition to requiring the restaurant chain to reimburse affected customers, the settlement of a lawsuit brought by the New York Attorney General imposed $650,000 in penalties and costs on the chain.
Even dishonest employees can take advantage of poorly secured rewards programs to pad their own accounts or move others’ unused rewards to their accounts.
Social Media Vulnerable
In addition, many hotel and restaurant brands have begun to leverage social media platforms, such as Facebook, Instagram, and others, by offering extra points or other rewards for following them, liking them, or tagging them in posts.
In April 2021, CBS News reported that the data of more than 500 million Facebook accounts had been made available on a hacker site. According to Business Insider, the information included phone numbers, Facebook IDs, full names, birthdates, locations, and email addresses of Facebook users in over 100 countries.
Securing Loyalty Programs
Companies that operate legitimate loyalty programs need to be aware of the points of vulnerability in their programs and take steps to secure those weaknesses. Following are several industry best practices as a starting point.
- Require customers to use strong passwords and multifactor authentication; screen new passwords against lists of passwords exposed in known breaches, since those are exactly what credential stuffing tries, and reset a password when an account shows signs of compromise rather than on a fixed schedule.
- Educate customers to monitor their reward program accounts and activity, and to avoid using the same password across multiple accounts.
- Routinely monitor loyalty program activity for the signatures of abuse: bursts of failed logins against many different accounts from a single source, points redeemed shortly after a password or email change, or rewards transferred to newly created accounts.
- Implement role-based access controls; monitor employees’ network activity for signs of abuse.
- Use an enterprise password manager to gain visibility into employee password practices; monitor password use; enforce password security policies, including strong, unique passwords.
- Set up shared folders and employee permissions based on each employee’s role and responsibilities in the program.
- Vet the security and privacy practices of any social media platform used for customer outreach, and collect as little customer data through it as possible.
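The monitoring item above is the control that would have caught the DD Perks pattern early. As an added example, not code from the original article or from any of the companies named, here is a small Python detector that reads login events and flags a source address that tries many distinct accounts and mostly fails, then lists the accounts that source nevertheless logged into, since those passwords were on the attacker’s list. The log format, the sample lines, and the thresholds (five distinct accounts, 80% failures) are assumptions constructed for this example; a shared office address that logs many people in successfully is deliberately included so the failure-ratio test keeps it off the list.

```python
"""Credential-stuffing detection over login events: added example, not code
from the original article. The log format, sample lines, and thresholds are
constructed/assumed for this example.
"""
import re
from collections import defaultdict

# Assumed log format for this example:
#   <timestamp> login user=<account> ip=<source> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 198.51.100.7 works through a leaked credential list
# (10 accounts, 8 failures, 2 hits); 203.0.113.5 is a shared office address
# where five people log in normally; 192.0.2.9 is one user who mistyped twice.
SAMPLE_LOG = """\
2021-04-10T10:00:01Z login user=alice ip=198.51.100.7 result=fail
2021-04-10T10:00:02Z login user=bob ip=198.51.100.7 result=fail
2021-04-10T10:00:02Z login user=kim ip=203.0.113.5 result=ok
2021-04-10T10:00:03Z login user=carol ip=198.51.100.7 result=ok
2021-04-10T10:00:04Z login user=dave ip=198.51.100.7 result=fail
2021-04-10T10:00:05Z login user=erin ip=198.51.100.7 result=fail
2021-04-10T10:00:05Z login user=lee ip=203.0.113.5 result=ok
2021-04-10T10:00:06Z login user=frank ip=198.51.100.7 result=fail
2021-04-10T10:00:07Z login user=grace ip=198.51.100.7 result=fail
2021-04-10T10:00:08Z login user=heidi ip=198.51.100.7 result=ok
2021-04-10T10:00:09Z login user=ivan ip=198.51.100.7 result=fail
2021-04-10T10:00:09Z login user=mia ip=203.0.113.5 result=ok
2021-04-10T10:00:10Z login user=judy ip=198.51.100.7 result=fail
2021-04-10T10:00:11Z login user=ned ip=203.0.113.5 result=ok
2021-04-10T10:00:12Z login user=olga ip=203.0.113.5 result=ok
2021-04-10T10:00:20Z login user=bob ip=192.0.2.9 result=fail
2021-04-10T10:00:35Z login user=bob ip=192.0.2.9 result=fail
2021-04-10T10:00:50Z login user=bob ip=192.0.2.9 result=ok
"""


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Source IPs that tried at least min_users distinct accounts and failed
    at least min_fail_ratio of the time. One user failing repeatedly is a
    forgotten password; many users from one address all succeeding is a
    shared office address; many users mostly failing is a credential list."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["total"] += 1
        if e["result"] == "fail":
            stats["fail"] += 1
    return {
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_ratio
    }


def compromised_accounts(events, bad_ips):
    """Accounts a flagged source logged into successfully. Their password was
    on the attacker's list, so they need a forced reset and a redemption hold."""
    return sorted({e["user"] for e in events if e["ip"] in bad_ips and e["result"] == "ok"})


def analyze(lines):
    """Run both checks and return the sources to block and accounts to reset."""
    events = parse(lines)
    bad = stuffing_sources(events)
    return {"sources": sorted(bad), "accounts": compromised_accounts(events, bad)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("block sources:", report["sources"])
    print("reset accounts:", report["accounts"])
```

In production the same counting runs over a sliding time window and feeds a block list at the edge; the thresholds should be tuned against a week of normal traffic so that shared addresses such as the office one above stay below the failure ratio.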
Summary
Wherever marketable data about a company’s customers is collected or stored, hackers will sniff it out and attempt to steal it, especially if the volumes are significant. Information required to support legitimate loyalty programs, gift offers, and survey incentives is collected on website pages and online forms. Customers are typically directed to these pages and forms via links in emails and online pop-ups.
Hackers have perfected the art of spoofing legitimate websites, emails, and pop-ups to deceive customers into entering their sensitive information into fake sites. Companies that operate legitimate programs need to be aware of the points of vulnerability in their programs and take steps to secure those weak points. Doing so will help safeguard customer information and protect brand reputation. It will also enable companies to continue providing legitimate customer rewards and conducting useful customer surveys.
Don’t make it easy for the hackers. Secure your customer programs today.