What is Organized Retail Crime (ORC)?

Organized crime continues to be a growing concern for the retail industry. 97% of those surveyed said they've been victimized by ORC in the past 12 months. When we talk about ORC, we aren’t talking about a few teenagers slipping sunglasses into their bags. We are talking about the substantial theft or defrauding of a retailer by an organized group of people as part of a larger criminal operation.

The primary objective of these criminals is to turn a profit. This means their theft is rarely, if ever for their own personal use. Instead, they employ strategies such as obtaining illegitimate refunds for stolen goods, thefts of credit card information from vendors, or reselling those aforementioned stolen goods. 

Typically for these organizations to operate profitably they need to steal in substantial quantities. In fact, it is estimated that retailers had an average loss of $703,320 per $1 billion in sales directly due to ORC in 2019. The scale of the organized retail crime operations can be devastating for retailers and are responsible for billions of dollars worth of losses each year in the retail sector. 

Many factors play into this, including rising felony thresholds that reduce the risk for ORC criminals. In addition, respondents say ORC gangs are becoming more violent. And over 2/3rds of those questioned said they’d seen an increase in ORC activity.

Types of Organized Retail Crime

There are two main ways that retailers are targeted. This is either through retail fraud, where the threat actors implement one of many fraudulent strategies to make a profit at the harm of the retailer. Or they steal product from the retailer and resell it usually through e-commerce channels or even dark web commerce sites.

Fraud and Organized Retail Crime

Refund or Return Fraud - This is when an individual or group returns merchandise they stole for cash or credit from the store. An alternative strategy involves attempting to return counterfeit merchandise.

Counterfeit Money - Groups use counterfeit money to make numerous purchases from across a range of stores to avoid suspicion. Then they return the products for real cash or they sell the product online. Alternatively, they might purchase gift cards and then sell those on for real cash.

Serial Number Fraud - The organization might legitimately purchase goods and then sell the serial number for a replacement claiming it has broken. Often, replacement goods are sent before the damaged ones are received by the retailer. They can then make a profit off of the fraudulently claimed item.

Gift Card Fraud - There are a few ways that gift cards can be used by organized retail crime groups. First, a stolen credit card could be used to buy gift cards. Second, gift cards often have fairly simple serial number sequencing, attackers can learn the sequence of the cards and when they are legitimately loaded, make a clone of the card to sell or use themselves.

Credit Card Fraud - Because of the amount of transactional data that retailers have they are a prime target for hackers. These hackers could be looking for credit card data, banking details, or simply, personal information data. This they will likely sell off to the highest bidder through a dark web marketplace rather than use themselves.

Theft and Organized Retail Crime

Mass Shoplifting - This can take various forms. One, a group goes around separately to various different retailers and boost a substantial amount of merchandise without anyone noticing. Alternatively they might take a smash and grab approach, where a large group rush into a store, grab what they can, and rush out just as quickly. Potentially making off with thousands worth of goods.

Robbery - This is when an individual or group targets a specific retailer, often for cash in the till. This kind of robbery can be violent and safety should always be the primary concern for the retailer. 

Smash & Grab / Burglary - Organized retail crime groups have been known to target high-quality retail stores for high-value merchandise they know they can profit from. For example, designer clothing, electronics, and jewellery. This could involve smashing the front window with a brick or a more subtle entry involving access through air vents or by manipulating an employee to gain access after closing.

Cargo Theft -  One of the key strategies employed by organized crime groups is the theft of cargo. Cargo is defined as merchandise that has yet to reach its final destination. Examples of this include theft from warehouses or from lorries whilst they are in transit. This allows for the criminals to steal large quantities of goods in one go. 

73% of retailers surveyed said they've been a victim of cargo theft in the past year. En route from distribution center to store is the most commonplace for cargo theft to occur.

Improved Situational Awareness for Preventing and Mitigating Threats Associated with ORC

To combat the threat of organized retail crime, 65% of retail executives surveyed said they were prioritizing ORC more now than 5 years ago. To do this 56% said they have or plan to allocate additional technology resources to fight risk and 44% said they would be increasing their loss prevention budgets (source).

Loss prevention strategies include more stringent return policies, better gift card serializing, electronic article surveillance, and improved video surveillance. To improve the overall effectiveness it’s also important to support loss prevention teams with accurate and up-to-date intelligence.

Using OSINT tools like Signal you can quickly become aware of and mitigate damages from a range of potential threats from organized retail crime such as: 

• Cloned gift cards for sale on the dark web.

• A conversation suggesting cargo was going to be targeted. 

• Data breaches of sensitive customer data.

• Plans for after hours break-ins.

• Product serial numbers found for sale on Telegram.

• Stolen goods found online.

Retail is the fourth most targeted industry by cyber-criminals. It is the same technologies that have created new potential growth opportunities for these businesses which has simultaneously opened up new and evolving attack vectors for both cyber-criminals and physical attacks.

Use of the cloud, IoT (Internet of Things) and global expansion increases potential risks exponentially, as these threats are no longer constrained by location or borders. Organisations need to secure customer data, protect executives, manage travel, predict physical threats to assets, and prevent cyber-attacks. All of these threats could come from a range of possible sources involving a plethora of evolving methods, from anywhere in the world. 

Digital and In-Store Locations Are Both Valuable Targets

Retailers deal with large numbers of people. As such, their databases necessarily contain vast amounts of data which could be valuable to hackers. This includes but isn’t limited to personally identifiable information (PII) for customers, employees and even executives. Vulnerable PII which contains financial information is highly valuable and the most obvious of targets for hackers, however, even non-sensitive data can be a hugely profitable attack vector for cyber-criminals when used correctly. This is shown by the frequent sales of login credentials on the dark web.

Additional avenues of attack include mobile retailer apps, customer-facing devices in retail locations, and IoT product offerings. These new technologies are continuously assessed by cybercriminals for potentially exploitable weaknesses and can often be found mentioned in online discussion forums. Because of this, public-facing social media data, as well as data collected off the dark web, is more valuable than ever in detecting threats.

Social media, as well as anonymous forums on deep and dark websites, are used to discuss or advertise criminal strategies like shoplifting, POS fraud, and counterfeiting. Public-facing social media data is more relevant than ever for detecting sentiment, executive threats, and critical events like active shooters in or around retail locations.

The Heavy Cost of Threats for Retailers

The cost associated with the risks outlined in this article are huge. Retail inventory loss incurred by shoplifting or fraud costs the industry an estimated $50 billion a year. The average cost of a data breach, according to a 2018 Ponemon Institute report, is USD $3.86 million. And these are just the measurable costs. The long lasting effects that comes with the reputational damage and global brand erosion that coincides with a data breach that exposes customer or executive data is also a highly valid concern.

This information points to the importance and necessity for an effective data discovery and analysis programme to be employed by companies to effectively secure organisations in the retail industry. Security teams are burdened with a seemingly impossible task of processing an ever-increasing and varied amount of threat data to separate the noise from the real threats to contextualise that data into actionable insights. This industry needs tools that automate and accelerate data analysis to enable effective threat monitoring and prediction.

- 50% of retailers have experienced a data breach.

- 84% plan to increase IT security spending.

- 85% of retail IT security professionals said their organisation used cloud storage for sensitive data.

Source

The Importance of Cybersecurity in Retail

The rise of e-commerce and the adoption of digital technologies means that retailers now hold vastly more data on their customers than ever before. Most major outlets currently have online stores and it’s expected that online sales will outstrip high street sales within the decade. Gaining access to customer accounts can give access to PII and even bank details. Hackers who manage to obtain this customer data will either use this data themselves or more likely sell it on the dark web.

One of the popular methods that this data is used for is an approach called credential stuffing. This attack works because many customers use the same login credentials across many different sites. Hackers will take these credentials and make multiple automated login attempts across an array of websites. One team of security analysts found that 90% of retail login attempts were from hackers attempting to access other people’s accounts in this way. 

Another common attack vector is payment processes. Retailers are embracing technology to make it as easy as possible for customers to purchase through their online stores, however, if security standards aren’t advanced alongside these payment processes then they leave vulnerabilities to fraudulent activity.

A final key cybersecurity vulnerability for retailers is the staff. Often retailers hire young and inexperienced staff, most of whom have had little if any cybersecurity training. This leaves them vulnerable to common ‘social engineering’ attacks such as ‘phishing’. For example, a hacker might contact a staff member directly and trick them into installing malware onto a company device or attempt to get them to provide sensitive information by pretending they are someone that they aren’t. 

Additional Threat Vectors for the Retail Industry

A few examples of additional threat vectors that the retail industry need to pay careful attention to include: 

Gift card cloning

In a 2018 report security firm Flashpoint identified found hundreds of discussions of "cracked" gift cards on criminal web forums.

There are several strategies to hack gift cards. One example is by predicting the gift card numbers, which when combined with a brute force attack, means hackers can identify activated cards and the amounts on them. Another method involves creating clone cards of inactive gift cards and then when they are activated using the credit before the rightful owner has a chance.

Whichever method they choose it’s often the retailer that’s left picking up the tab.

Executive and employee threats

As with any industry, staff may be targeted, not just for phishing attacks or fraud but for physical attacks by disgruntled customers or even terrorists. 

Threats to physical locations

From active shooter attacks to terrorist assaults physical locations, especially those where members of the public can come and go freely, are high-risk locations.

By utilising the right technology companies can identify threats early and mitigate the potential damage by forming an effective response based on real-time data fast.

What modern security means for modern retail

Criminals can leverage the web to commit both physical (such as in-store theft), as well as cyber-attacks (such as phishing or gift card cloning). This leaves retailers operating in a unique threat landscape with a broad array of potential attack vectors.

There are three levels that modern retailers should consider to ensure a complete and effective security, both in-store and online. First, at the highest level, training and information need to be gathered for both their security teams, both also disseminated to employees across the organisation so that everyone is aware of the threats and how to avoid them.

The next level is to only work with secure third-party providers. Companies that take security seriously and when it comes to building defences against cybercrime have strong records. These businesses, such as connected devices, cloud storage or payment portal providers form a crux of any companies security.

Finally, the security team need to be enabled with the right tools for the job at hand. Signal OSINT software enables security teams to scan a vast number of open, surface, and dark web channels and sources to gain real-time data on emerging threats. Our sentiment analysis, custom filters and advanced alerting means security teams can be notified instantly on threats as they are emerging. Whether it’s customer data for sale online, or an active shooter situation in-store, security teams can quickly assess and respond to mitigate risks and damages.