While identity theft and other types of credit card fraud have received the most attention in recent weeks, Internet retailers are proving susceptible to many other costly scams.
In recent months, online retailers have lost thousands of dollars from shoppers tampering with the sites' coupon and gift certificate codes.
Case in point: iGo.com, a wireless device/accessories e-tailer. Although the site's coupon codes can typically be used only once, earlier this month its shopping cart software was not functioning properly, allowing customers to enter the same coupon code multiple times on one order. One customer used so many coupons that his Palm VII, retailing for $499 on the site, cost him only $10.
News of the flaw spread rapidly on several savings Web sites, but iGo quickly caught the problem. “Several loyal customers contacted us about a chat group telling others how to 'soft hack' our shopping cart system…we realized there were several such fraudulent orders being placed,” said Shannon Oberndorf, director of communications at iGo.com.
The site's daily coupon code reports, which list the code, average order size and amount of click-throughs generated, also showed the errors. “One coupon code was applied to 122 orders, but it only had a $10 average order and only six click-throughs,” Oberndorf said.
Despite the problem, iGo believes the savings sites/forums are good for business. “We don't mind that these sites exist, because it does drive traffic to our site and introduces iGo to people who otherwise might not have heard about us,” Oberndorf said.
Another victim of coupon fraud was Macys.com. Earlier this year, after a Macy's shopper figured out how to enter multiple coupon codes instead of the intended single code (from a coupon provided for customers who signed up for a Macy's card) and receive deeply discounted merchandise, he shared the information on several “savings” Web sites such as FatWallet.com and Dealhunting.com. Soon, Macys.com was flooded with the multiple coupon orders.
Although Macy’s caught the problem the next day and a majority of the orders were cancelled, some orders slipped through. “We honored all sales that met the criteria…that they used their Macy's card,” said Kent Anderson, president of Macys.com, San Francisco. However, the retailer also informed consumers that entering the multiple coupon codes is considered a “poor business practice.”
“Being taken advantage of in a very unethical way is not a very good business practice. There were attributes to those coupon codes; they were not for general use,” Anderson said.
Although Macy’s has received some negative customer feedback about canceling orders, Anderson said he is not worried because that type of customer will not be a long-term Macy's shopper.
Another site hit by multiple orders was Digital-Neighbors.com, after it agreed to sell Amazon.com and Buy.com gift certificates on its site last summer. Buy.com offered the site $5 for every $10 gift certificate issued to Digital-Neighbors members, plus a percentage of sales, and a third-party marketing company for Amazon.com said it would pay $7, plus a percentage of sales, for each $25 gift certificate issued.
However, when members of several savings sites such as BigBigSavings.com and MyCoupons.com shared the Digital-Neighbors promotion, “everything went crazy,” said site owner Tim Timmerman. “I went from giving away a couple hundred a month to over 100,000 requests in less than 12 hours. At the time, I was getting reports by both marketing companies to sign, sign, sign,” he said.
However, Buy.com and the third-party marketing company (which Timmerman refuses to name because of legal action) could not handle the volume, and Timmerman was not set up with software to catch the thousands of fraudulent orders that poured in. Fraud included the same consumers signing up for the gift certificates under several different e-mail addresses. “Four thousand requests came from one IP [Internet Protocol] address. Someone set up a program to mask where it was coming from,” Timmerman said. However, after Timmerman purchased software and physically checked each order, he found the fraudulent orders.
A Buy.com executive finally said the site should stop selling the gift certificates this February, and the third-party marketing company for Amazon has “disappeared” without paying for gift certificates sold.
Meanwhile, the problem is a financial strain on Digital-Neighbors, which is slowly delivering legitimate gift certificate orders. It is buying 1,000 a month from Buy.com and other sources.
“Digital-Neighbors is committed to getting certificates to every person who signed up. If it means no profits until it happens, then that is how it will be,” Timmerman wrote in a letter to Digital-Neighbors members.
Another trick some shoppers have learned is to change the price of an item at checkout. Sanctum, Santa Clara, CA, a security software company, found that about one-third of sites use shopping cart software that can be manipulated. “Most of the systems have no validation to check the price against the price that was put in. A lot of retailers claim they have back-end checking, but a lot of them don't,” said Peggy Weigle, president of Sanctum.
In fact, it is very common for Internet retailers to be vulnerable to all types of manipulation on their sites. In Sanctum's audit of about 70 sites, including financial service, health and e-commerce firms, its auditors could breach the privacy of customers on 24 percent of the sites and had “full access” on 22 percent of the sites. In other words, Sanctum employees would be able to view all company information, e-shoplift, deface the site, and in some cases, delete the entire site.
Experts say these problems happen because many e-tailers do not have the proper software in place — both to run coupon programs and catch fraud –and because it is difficult to physically check thousands of orders. Online retailers should be aware of how quickly information can be spread on the Web, as well as have alert systems to catch problems early, said Jill Frankle, director of retail e-commerce at Gomez.com. “Over time, we will see more things built in to deal with this,” she said.
