Phishing, hacking, and scamming are on the rise everywhere—and the jewelry industry is no exception. We talked to security, software, and insurance experts about vulnerabilities, best practices, and fighting back against cyber crooks.
It can be easy to take cybersecurity for granted—until it’s compromised.
For jewelers, the stakes are especially high. Not only is cybercrime—illegal activity that uses or targets computers or the internet—on the rise, but the jewelry industry is also a tempting target for digital scammers and hackers. Digital security firm Check Point Software Technologies Ltd. says cyberattacks rose by 32% in the second quarter of 2022 compared with a year earlier, hitting an all-time high. The increase in the wholesale and retail sector was even steeper, rising by 54%.
The reasons jewelry designers, wholesalers, and retailers are especially vulnerable to cybercrime vary, according to experts. The goods themselves are small and high-value, making them easy to move and transport without detection. The industry is home to a sizable number of small businesses, which means greater opportunity to exploit potential vulnerabilities. And ordinary transactions typically involve large amounts of money.
“Because it’s such a high-dollar and high-volume business, scammers count on someone not paying attention,” says Josh Burwick, cofounder and CEO of software company CaratX. In a “department where a lot of money is moving, someone might not notice $10,000 or $20,000 that went missing.”
Personal Devices Can Spread Malware
It’s important to make sure employees follow safe cybersecurity practices when it comes to hardware—including their own devices—as well as when working in the cloud or on a wireless network.
“Allowing people to plug thumb drives into company-owned equipment can really increase the likelihood of a cyberattack from a hardware perspective,” says Andrew Chipman, vice president of Berkley Asset Protection, which specializes in fine art and jewelry insurance.
Chipman also says the proliferation of cloud computing increases vulnerability because staffers might use their own devices to access company technology or access their personal email accounts from company computers. If this happens, any malware their devices or accounts may be harboring can infect your business’s technological infrastructure.
“Take an aggressive stance on not letting people use their personal emails on company-owned equipment,” Chipman advises.
Phishing Is a Go-to Tactic for Crooks
Many phishing cyberattacks involve sending fraudulent messages that appear to come from a legitimate source but are intended to deceive recipients into divulging confidential information.
“The main thing we see is people are essentially using social engineering to pretend to impersonate somebody else,” says John Kennedy, president of Jewelers’ Security Alliance (JSA). This impersonation often occurs via email, although thieves are known to use text messages and sometimes even phone calls to exploit their targets.
But Burwick says that phishing emails, texts, and calls are “just the tip of the iceberg.” A staffer might inadvertently click on a malicious link in an email and download rogue software, which can introduce ransomware or other types of harmful programs into the computer system.
Even though email and the internet have been a fixture of the business world for decades, security pros point out that human error is still the weak link when it comes to cybersecurity. The damage results from “people giving away information,” says Zach Lipsky, founder and president of software provider Boss Logics. “We recommend you limit what your associates and team can do.” The smaller the number of people who have the ability to override login credentials or retrieve passwords, for instance, the better.
The Fake-Remittance Ruse
“One of the most common types of phishing attack in our industry is a fake remittance,” Burwick says. While these are fashioned to look like legitimate documents, in reality they are created by criminals to trick you into sending money or merchandise to them.
“They’ll send an email with a sense of urgency, telling you they need to have a payment processed,” says Ryan Ruddock, senior crime analyst at JSA. “They’re using deception in an effort to acquire payment directly from the jeweler,” or in some cases they might try to trick you into providing your payment information so they can fraudulently withdraw funds from your bank.
“You have to make sure that the people who have communicated with you are the people you think they are,” Kennedy says.
Beware of Ransomware
“The most common cybercrime that jewelers are reporting to Jewelers Mutual Group involves a ransomware event,” says Don Elliott, the insurance company’s director of claims.
These crimes start when someone unwittingly clicks on a link that triggers a download of malware. The ransomware then infects your computers and prevents your accessing the programs you need to operate your business.
“If they’re going to be getting into your internal network,” Lipsky says, “they can hold your site hostage or your network hostage.”
Experts consider ransomware to be every organization’s most critical threat. That’s because often the only way to recover your data is to pay the ransom, usually in the form of cryptocurrency, Chipman says.
How to Fight Back
The good news is there are steps you can take to protect your company, your reputation, and your bottom line from an expensive and disruptive cybercrime.
• Invest in your digital security.
Jewelers’ Security Alliance recommends that businesses invest in software protection including firewalls and antivirus and anti-malware programs. If your business isn’t large enough to have an information technology professional or team on staff, work with a third-party cybersecurity expert or business.
Cyber liability insurance comes highly recommended because it can compensate you for losses due to business interruption and the cost of recovering compromised data. If the cybercrime included the theft of customer data, your policy can also cover money you spend on a crisis communications plan, as well as damages associated with ransom payments and the associated legal bills.
“The technology in the field is changing so rapidly, it helps to work with a specialized carrier,” Chipman advises.
• Mitigate human error through training.
“I can’t stress enough that every organization should really be training their employees on things to be aware of, like phishing schemes,” Chipman says.
Companies such as HMH Consultants & Security Services, which has offices in Houston and London, can perform audits by staging a mock phishing campaign to pinpoint where your staff might need additional education.
Experts advise conducting training on a regular basis to reinforce vigilance. “The training piece is not a one and done—it’s got to be a recurring thing,” Chipman says.
• Update software and passwords regularly.
Another way to defend your cybersecurity is to shore up employee credentials such as passwords. Janet V. Hallahan, a partner at the law firm Practus LLP, recommends implementing software that requires the use of strong passwords and mandating that your staffers update those passwords regularly.
Jewelers Mutual recommends establishing and maintaining a protocol for key employees to periodically verify security patches and software updates with tech providers, because these companies regularly revisit their offerings in order to strengthen security. To thwart fraudulent transactions, JM also suggests having clear procedures with multiple layers of authorization in order to approve changes in payment processes, accounts, or vendors.
• Tread carefully when it comes to customer info.
Implement good practices around handling customer data by asking for information on a need-to-know basis, using strong encryption software, and never storing payment information.
“For credit cards, the best thing to do is to not store them,” Lipsky says. “You can use tokens”—which securely link to, rather than store, customers’ credit card data—“or store them on the processor side. Passwords you have to store, so they should be encrypted.”
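As an added illustration of the storage practices Lipsky describes (this is example code, not from the article or any company it quotes): the card number is exchanged for a token, and only the token and the last four digits stay in the jeweler's own records; passwords are stored as salted, deliberately slow PBKDF2 hashes, the standard way to protect stored passwords, rather than reversibly encrypted. The processor vault is a simulated stand-in and the card number is a constructed sample.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the payment processor's card vault. In production the
# card number is sent to the processor and only the returned token comes back;
# the merchant's own systems never hold the full number (the PAN).
_PROCESSOR_VAULT: dict[str, str] = {}


def tokenize_card(pan: str) -> str:
    """Simulated processor call: accept a PAN, return an opaque token for it."""
    digits = pan.replace(" ", "")
    if not (13 <= len(digits) <= 19 and digits.isdigit()):
        raise ValueError("not a card number")
    token = "tok_" + secrets.token_hex(12)   # random, reveals nothing about the PAN
    _PROCESSOR_VAULT[token] = digits          # stored on the processor side only
    return token


def record_card(pan: str) -> dict:
    """What the jeweler's database keeps: the token and last four digits, never the PAN."""
    return {"card_token": tokenize_card(pan), "last4": pan.replace(" ", "")[-4:]}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store a password as a salted, slow PBKDF2-HMAC-SHA256 hash (not reversible)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = record_card("4111 1111 1111 1111")   # constructed sample card number
    print(rec)                                  # token + last4 only
    stored = hash_password("correct horse battery")
    print(verify_password("correct horse battery", stored))   # True
```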
• Have an emergency plan.
The best time to develop a response to a cyberattack is before the incident takes place.
If you suspect a breach, get offline so the crook can’t send directions to the malicious software. “If you’re hacked, disconnect from the internet,” Ruddock says.
In the event customer data is compromised, those customers need to be informed. Companies that have suffered a cyberattack “would need to assemble a crisis communications team, including hiring an attorney,” Ruddock says. “All 50 states have data breach notification laws—they need to make sure they’re going to be in compliance.”
It’s also critical to contact law enforcement and your bank as soon as you uncover the crime. In some cases, they may be able to stop a fraudulent transaction or payment transmission.
But time is of the essence, according to Ruddock. “If you contact law enforcement within 72 hours, they have a chance at returning your funds.”