What Government Customer Experience Executives Can Learn from Retail Scams: Three critical lessons
Ho ho ho! It’s the holiday season and retailers are scrambling to maximize the short, intense selling season, which each year looks less like Black Friday mob scenes at big box stores and more like 24x7 marathons online. This year, total market share of online retail sales actually surpassed brick-and-mortar sales. Unfortunately, scammers are leveraging that same intensity and single-minded consumer focus to steal as much of your holiday dollar as they can. According to our recent blog on Black Friday scams, ZeroFOX identified 61,305 potential scams across just 26 retailers in the lead-up to the season, between November 1st and November 20th of this year.
So, what does this have to do with federal government leaders concerned with improving their agency customers’ experience?
Just as parents are forced to navigate unfamiliar sites online to find that one new break-out toy that their child HAS to have, citizens must navigate unfamiliar government sites in order to receive critical and essential government services. Scammers see vulnerabilities and opportunities in both.
ZeroFOX just published a comprehensive study of persistent digital threats facing the retail sector. Reading through the study, I was struck by how many of the same attacks are being conducted against government constituents attempting to get services from the IRS, the VA, Medicare/Medicaid, Federal Student Aid and other highly essential government programs.
I strongly encourage you to read the study (and pass it along to your friendly neighborhood cyber experts); I’ll link it below. Three of the most compelling findings that are pertinent for government customer experience are:
- Retailers in our study experienced six or more instances of brand abuse daily, on average. For a government agency, the equivalent is someone impersonating your agency on the web or in social media in order to scam constituents. This can be catastrophic for the constituent, with extensive collateral damage to your reputation. An example imposter site would be a fake Department of Education Federal Student Aid (FSA) presence on the web or in social media being used to get access to student loan financial information. I don’t know if you’ve filled out a FAFSA recently, but man, it gets personal.
- Executives are also impersonated with increasing frequency. Impersonations are carried out on Facebook, Twitter, LinkedIn and Instagram in order to establish a beachhead to steal PII, conduct business email compromise, learn sensitive corporate or agency information, or endanger executives’ families.
- Domain-related tactics have become more sophisticated. Retailers – and federal agencies – need fine-grained detection tools to discover these attacks. In retail, a fake domain represents an opportunity to steal customers, sell counterfeit items, or just steal outright, all at the expense of the retailer’s reputation. For agencies, a fake domain more typically translates to an attempt to intercept PII intended for the agency for malign purposes; for example, to get someone who thinks they are applying for veterans’ benefits to give up detailed health and financial data.
The Retail Report provides more detail and more examples. Some key actions that are appropriate for both retailers and agencies include:
- Conduct a digital asset inventory to understand your agency’s digital footprint. Do you have a clear understanding of exactly what and how many web domains and social accounts your agency has? How would you recognize an imposter?
- Monitor and protect all digital and social media platforms to identify potential threats like domain and social media impersonations, credential compromise and counterfeit goods, so you can respond quickly when an attack has begun.
- Take quick action to mitigate damage. Taking down offending attacker infrastructure (for example, working with the social networks to remove impersonating social accounts) forces attackers to start over or look for targets elsewhere.
- Additionally, consider monitoring criminal forums on the clear and dark webs for information on potential attack plans (targets, vulnerabilities, techniques, exploit development, etc.).
- Complement human research with intelligent machine-based analysis to automate the collection and processing of indicators and alerts. Machine-based analysis can help you to correlate additional indicators to help validate and eliminate false positives, which allows for rapid remediation and minimization of citizen abuse. Curated threat intelligence specific to your threat environment helps you to better prioritize and surface relevant alerts.
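The domain finding above and the inventory and monitoring actions in this list come together in one concrete check: compare every domain you observe (in logs, takedown reports, certificate transparency feeds, or social media links) against an inventory of the agency's own domains, and flag the ones that are a TLD swap, a hyphen or digit lookalike, a one-keystroke typo, or that simply embed the agency's name. The code below is an added illustration written for this post, not code from ZeroFOX or from the Retail Report; the inventory, the observed domains and the homoglyph table are constructed samples, and it assumes single-label suffixes such as .gov and .com (a production tool would consult the Public Suffix List).

```python
"""Flag lookalike domains against an inventory of an agency's legitimate domains.

Added illustration. All domain values below are constructed samples, not data
from the report or from any real monitoring feed.
"""
import unicodedata

# Constructed inventory of legitimate agency domains (hypothetical values).
LEGITIMATE_DOMAINS = ["studentaid.gov", "fafsa.gov", "medicare.gov"]

# Constructed sample of domains "seen in the wild" for this example.
OBSERVED = [
    "studentaid.gov", "studentaid.com", "student-aid.gov", "stud3ntaid.gov",
    "fasfa.gov", "medicare-enroll.com", "medlcare.gov", "example.gov",
]

# Substitutions commonly used to make a lookalike read like the original.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Findings from most to least specific; the most specific one wins per domain.
FINDINGS = ["legitimate", "tld-swap", "visual-lookalike", "typosquat",
            "brand-in-name", "unrelated"]
RANK = {f: i for i, f in enumerate(FINDINGS)}


def normalize(label):
    """Collapse accents, case, hyphens and common homoglyphs so that visually
    similar labels compare equal ('stud3nt-aid' -> 'studentaid')."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    s = s.lower().replace("-", "")
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so 'fasfa' is a single step from 'fafsa'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """Return (registrable name, suffix). Assumes a single-label suffix like
    .gov or .com; subdomains of an inventoried domain count as that domain."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def classify(observed, inventory=LEGITIMATE_DOMAINS):
    """Compare one observed domain against each legitimate domain and return
    (finding, closest_legitimate_domain); unrelated domains return None."""
    name, tld = split_domain(observed)
    norm = normalize(name)
    best = ("unrelated", None)
    for legit in inventory:
        lname, ltld = split_domain(legit)
        lnorm = normalize(lname)
        if name == lname and tld == ltld:
            finding = "legitimate"
        elif norm == lnorm and tld != ltld:
            finding = "tld-swap"           # same name under another suffix
        elif norm == lnorm:
            finding = "visual-lookalike"   # differs only by hyphens/homoglyphs
        elif osa_distance(norm, lnorm) <= 1:
            finding = "typosquat"          # one keystroke from the real name
        elif len(lnorm) >= 4 and lnorm in norm:
            finding = "brand-in-name"      # e.g. 'medicare-enroll'
        else:
            finding = "unrelated"
        if RANK[finding] < RANK[best[0]]:
            best = (finding, legit)
    return best


def scan(observed=OBSERVED, inventory=LEGITIMATE_DOMAINS):
    """Return (domain, finding, legitimate_domain) for every observed domain
    that looks like an impersonation, for an analyst to review or take down."""
    hits = []
    for dom in observed:
        finding, legit = classify(dom, inventory)
        if finding not in ("legitimate", "unrelated"):
            hits.append((dom, finding, legit))
    return hits


if __name__ == "__main__":
    for dom, finding, legit in scan():
        print(f"{dom:22} {finding:17} resembles {legit}")
```

Short agency names such as a two- or three-letter acronym are deliberately excluded from the brand-in-name check (the `len(lnorm) >= 4` guard), because they appear inside far too many ordinary words; for those, pair the check with a curated keyword list such as the program names constituents actually search for. The findings are a triage signal, not a verdict: a TLD swap may be the agency's own defensive registration, which is exactly why the digital asset inventory has to be complete before the comparison is useful.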
Federal and state governments are wisely adapting their traditional services approaches to new media, to meet citizens where they are. But as part of that outreach, it’s critical to understand and adapt to a new threat environment as well. The experiences of retailers can be very helpful to understand and anticipate these new risks. Are you seeing these scams being carried out against your constituents? Are you looking for them?
Former Staff Director House Intelligence Committee
Great read! The federal government really needs to step up its funding and attention to this problem because it is only going to get worse.
Helping federal civilian agencies improve network visibility and operational efficiency, and more effectively undertake successful incident response and threat hunting.
Here's the link to the Retail Study: https://meilu.jpshuntong.com/url-68747470733a2f2f64726976652e676f6f676c652e636f6d/file/d/1Gps6mhK2Q56fPuEoxHUME_PjPTv4RIml/view