Coming Out Swinging
The efforts of retailers to stunt the billions of dollars annually lost to theft worldwide are like a prizefight where the combatants emerge battered, bruised and bloodied. In one corner of the ring, retailers are employing sophisticated tactics and methods to slow the pace of staggering losses that eat away at profit margins. In the other corner, criminals are relying on persistence and stealth to try to stay ahead of detection.
Three recent global surveys paint a picture of the state of the retail shrinkage problem and offer new recommendations for retailers to stay a step ahead of crooks seeking a knockout. In addition, NRF’s annual survey of U.S. loss prevention executives on the impact of organized retail crime is scheduled for release this month.
“Changing Retail, Changing Loss Prevention,” released in March by the U.K.’s Centre for Retail Research and Checkpoint Systems, a vendor of retail shrink management solutions, highlights a number of current trends and analyzes the growth of retail crime and loss as part of its “Global Retail Theft Barometer” series.
Among the insights: The number of retail thieves arrested annually is around 6 million; more than 78 percent of retail shrink is attributed to shoplifting by customers or retail employees; and new products in fast-paced categories like electronics, perfumes and sportswear that command premium prices are most likely to be stolen.
The report showed that retail companies in the 43 countries surveyed (including the United States) suffered losses from shrinkage and theft of $119 billion in 2011 — costing families in those countries an average of $185.44. The losses amounted to 1.45 percent of sales, a 6.6 percent increase from 2010.
As daunting as the statistics are, some approaches adopted in recent years are working — particularly when retailers partner with law enforcement and other industry stakeholders and deploy new technologies to deter theft. For instance, of the 50 most-stolen products, the number of items protected from theft increased from 60 percent in 2007 to 75 percent in 2011, the report says, largely because of innovations like source tagging and other high-tech solutions.
More than 32 percent of LP professionals surveyed by the Centre for Retail Research for the report said the need to improve inventory management and enhance overall loss prevention fueled many retailers to implement technologies like RFID, which includes item-level tracking of merchandise among its benefits.
The primary sources of retail loss, according to the report, are shoplifting by customers, theft by employees, theft and fraud by vendors and suppliers and process failures and accounting errors like incorrect pricing and invoicing. “Loss prevention departments have therefore to be able to apply their skills in every one of these areas,” the report concludes.
To the benefit of the retail industry overall, the rapid growth of omni-channel commerce has positioned LP departments to provide strategic services to other areas of the retail business. As a result, loss prevention is working more closely with information technology, store operations, logistics and marketing.
The report chronicles an evolution in retail LP from one of security to that of full-blown loss prevention where retailers are increasingly more proactive in deterring theft. While LP officers still must patrol stores diligently and investigate suspicious employee behavior, today the loss prevention function has expanded to include enhancing procedures, ensuring conformity with company LP policies, training staff on how to stem potential losses, analyzing loss patterns, helping to mitigate actual or potential losses caused by error or procedural failures and developing new policies to address the changing pattern of retail losses, including from fraud from refunds and returns.
“Apprehending thieves, processing them and handing them to the police is extremely expensive and often costs more than the merchandise recovered when a thief is caught,” the report notes.
A major focus today is the impact of the exploding consumer use of online platforms for purchasing. “Changing Retail, Changing Loss Prevention” says online retailing now accounts for between 8 and 12 percent of retail sales in many developed countries and continues to grow rapidly.
“This means that for criminals, new retailing structures create new crime opportunities,” according to the report.
‘Unprecedented’ data attacks
Another survey, the 2013 Data Breach Investigations Report from Verizon Communications’ Enterprise Solutions division, reported that large and small organizations faced unprecedented attacks on their data networks in 2012.
The survey, released in April, analyzed more than 47,000 reported security incidents and 621 confirmed data breaches during 2012, gathered from the records of 19 global organizations that include law enforcement agencies, incident reporting/handling entities, a research institution and other incident response forensic service firms.
Over nine years of conducting the annual study, Verizon has reviewed more than 2,500 data breaches and 1.1 billion compromised records. At the top of the data-breach food chain are financial concerns: 37 percent of breaches affected businesses like restaurants, retailers, media companies and banks.
The greatest portion of the breaches these organizations experience — 24 percent — occurred in retail environments and restaurants through compromised payment systems, according to the survey. The aim of data criminals is to exploit easy breaches — “low-hanging fruit from any tree within reach,” the report says.
Suzanne Widup, a Verizon Risk Team analyst, says the point of sale is where retailers often find themselves vulnerable to organized criminal groups if they do not have sufficient security protocols in place.
Criminals target “a particular kind of product that has a vulnerability that they know how to exploit,” she says. “So they start just looking for anyone that runs that kind of product, and they start trying to see whether or not [retailers’] systems are up-to-date and whether they can successfully exploit that vulnerability.”
One tactic thieves use in retail is to compromise a POS device with one of their own that has been modified, Widup says. Often the thieves will recruit retail cashiers in such plots, she adds.
“You need to have something that lets you know that the device has been disconnected from your network so their device does not immediately become live again when they plug it back in,” she says.
The Verizon survey notes that data breaches are a complex, multi-faceted problem where one-size-fits-all solutions often fail. Breaches may stem from intrusions that include hacking, placement of incorporated malware, spyware, phishing, stolen network credentials, smash-and-grab physical attacks and leveraged social tactics, the report notes.
In retail, for instance, one of the favorite tactics of cyber criminals “is to actually put the malware down on the point of sale controller,” Widup says, “something one step up from the swipe machine, so they can collect as many credit card numbers as possible that are coming across the wire.”
Widup says retailers of all sizes are at risk, but the 2013 report indicated that many smaller retailers characterized as having between one and 100 employees were particularly vulnerable.
Increased spending on equipment
Online businesses and the new payment systems that are emerging with them, the report says, present particular opportunities for hacking attacks, denial-of-service and viruses along with malware. Hacking, which involves attempts to intentionally access or harm data assets without authorization through bypassing security mechanisms, is a phenomenon of the online world where methods are scalable, automated and largely anonymous.
Most attention in retail today is being paid to how devices like smartphones and tablets are poised to create additional revenue as new outlets for ordering merchandise and making payments. Often overlooked is how these innovations are changing the nature of the retail supply chain. Many changes are being fueled by retailers’ marketing and operational needs, according to Verizon’s report, “with less attention being paid to loss prevention, even though the potential liabilities for fraud and reputational damage are immense.”
The report notes that organizations that understand how anomalies get on their data systems and what they are likely to do when that happens typically are in the best position to make informed choices about protecting the enterprise.
Meantime, retail LP is starting to take the right cues. While more than half of retail loss prevention spending is devoted to employees, 30.9 percent of spending is now dedicated to LP equipment like electronic surveillance, software, access control and communications, and that figure is growing.
The report recommends that LP policy compliance become a standard element of the business, with regular audits of compliance along with ongoing training. “Many frauds such as refund fraud and employee theft are facilitated by weak and inconsistent procedures,” the report notes. “Robust compliance and procedures is a vital part of inhibiting these losses.”
The report further recommends that organizations take a number of proactive steps to protect their data, including: Eliminate unnecessary data and keep track of what is left on the network; take steps to better understand the organization’s threat landscape and address it accordingly; don’t buy into a “one-size-fits-all” approach to security; ensure essential network controls are met by performing regular checks; and collect, analyze and share incident data to create rich data sources.
In a survey released in April by the Merchant Risk Council, the organization outlines key findings from its reporting on global fraud and payments in e-commerce during 2012.
The annual survey measures fraud rates, focusing on the tools used for detection and fraud prevention, and said that its merchant members reported 18 percent fewer fraudulent orders during the year when compared with non-members.
The merchant-led nonprofit lists the greatest fraud challenges for electronic retailing platforms as implementation and integration; changing fraud patterns; managing chargebacks; maintaining cleaner data; a lack of consistent address/telephone verification tools; and multi-country operations.