Fighting Organized Retail Crime with AI-based Threat Intelligence
February 2, 2021
Organized retail crime is nothing new, but the devastating economic impact of COVID-19 has made the long-standing industry issue more menacing of late. Many retailers facing lockdowns and business restrictions during the pandemic have seen sales plummet and profits erode. In a time of economic turbulence and razor-thin margins, retailers become more vulnerable to the additional financial drain of large-scale theft.
Unfortunately, organized retail crime (ORC) is on the rise. According to a National Retail Federation (NRF) report published in December 2020, retailers’ losses due to ORC increased almost 60 percent over the past five years, climbing to an average of $719,548 per $1 billion in sales last year. Three-quarters of the loss prevention executives NRF surveyed said ORC activity increased in the past 12 months. That’s up from the 68 percent who reported a year-over-year uptick in ORC in the retail association’s 2019 survey.
Compounding matters, states have increased the dollar threshold for determining whether a theft represents a felony, NRF noted. This change has caused law enforcement agencies—already dealing with overstretched personnel and budget constraints—to shift their investigative priorities.
Another concern—several retailers, including some large-scale national brands, filed for bankruptcy and shuttered stores in 2020. The resulting consolidation means retailers spared ORC incidents in the past face higher exposure in a smaller pool of potential targets.
Against this backdrop, the onus is on retail managers and loss prevention professionals to reduce losses stemming from ORC. Any improvement cuts directly to the bottom line. Resource-limited retail security teams, however, are fighting an asymmetrical battle against surging ORC activity. Retailers should consider enlisting AI-based web intelligence (WEBINT) technology as a force multiplier and the means to obtain a threat intelligence edge. Such platforms can help recover stolen goods, identify threat actors and their networks, and reduce thefts from happening in the first place.
Targeting Supply Chains
ORC can happen at the store level, as when a group of threat actors converge on a retail outlet to pilfer merchandise. The most damaging thefts, however, occur along the retail supply chain. Trucks bringing goods from a warehouse to a retail store, or transporting cargo from a vendor to a warehouse, might be robbed en route, for example. Or the warehouse itself could be the target of a break-in. More than half of the respondents to the NRF survey reported cargo theft in the past year.
Such ORC activities tend to focus on high-value products such as designer clothing or high-volume commodities. These thefts require a well-organized operation and pre-mission planning. Stolen goods may find a home among niche brick-and-mortar retailers willing to take the risk of an attractive purchase price. But items are frequently sold through online commerce platforms, including marketplaces and forums that reside on the so-called “dark web.” Markets doing business on the dark web offer threat actors a degree of anonymity since those sites are not indexed by any of the conventional search engines.
Digital assets, as well as physical goods, may also end up on an online marketplace in the deep and dark web. Threat actors, for example, will return stolen merchandise to retailers, obtain gift cards in return, and sell them in the various marketplaces.
A stolen asset’s ultimate destination is often some aspect of the web, which means retailers must employ specialized technology tools to conduct investigations. But the ability to track stolen goods isn’t the only reason to do so.
Indeed, when it comes to ORC, all roads lead to the online world. Threat actors coordinate “flash mob” store raids via social media platforms. ORC players use the web to conduct business and sell stolen items. The scale and complexity of those online operations call for a technology-driven approach to investigation and loss prevention. Just consider the billions of social media users worldwide and the myriad dark web markets that emerge, disappear, and resurface on a week-to-week or even day-to-day basis.
Attempting to probe the vastness of cyberspace manually with a limited number of professionals will fail to provide the insight and situational awareness a retailer needs to combat ORC.
For organized crime, the web provides ready-made infrastructure for coordinating theft, reaching buyers, distributing stolen items, and, in the case of the dark web, masking activities. But this strength is, paradoxically, also a weakness. ORC players leave clues to their identities and relationships with other potential threat actors across the web. Those clues could include online “handles,” email addresses, phone numbers, payment service account numbers, and cryptocurrency wallet addresses.
This is where web intelligence becomes critical. Gathering a host of informational breadcrumbs and converting the individual bits of data into actionable intelligence is nearly impossible without an automated tool. Take the task of finding the online marketplaces selling stolen goods. A WEBINT platform can help a retailer execute searches that span not only the familiar surface web, but also deep web forums, social networks, and the dark web where ORC actors often attempt to hide. For example, complex keyword searches using custom search parameters such as a retailer’s name, luxury and popular branded goods, and store locations can help a retailer’s security team identify the sites offering its goods. Retailers can also use an image of a specific product to search for matches across marketplaces and forums to receive alerts about counterfeit or stolen goods. Artificial intelligence, when integrated with WEBINT, enables an automated search process and improves the user’s efficiency and accuracy by employing capabilities such as object detection and OCR (optical character recognition) powered by text analytics. These technologies generate an alert based on a visual match and a specific text string, both of which are embedded within images.
Identifying websites that traffic in stolen goods is the first step toward recovering assets and shutting down illicit marketplaces. A WEBINT platform with the appropriate investigative and analytical capabilities allows the security team to find accurate data to mitigate such loss and compile an accurate report with actionable intelligence. Once this is completed, the retail security team will typically hand off its investigation to a law enforcement agency. Equipped with accurate information, police investigators will be able to speed up their work and build a successful case against the nefarious parties.
Identifying marketplaces also provides a launching pad for unmasking the individuals involved. The wealth of data a WEBINT platform accumulates during an investigation, including the previously mentioned identifiers such as handles, email addresses, and crypto wallets, can now be used to resolve the identities of the key participants.
With that knowledge, retailer security teams can use WEBINT to begin to piece together the broader organizations and networks in which the threat actors operate. A WEBINT platform can discover the interactions among ORC online players, monitoring chatter on blogs, messaging platforms, and social media. As investigators explore more linkages, the shape of an ORC operation may be uncovered, down to a group’s second- and third-tier relationship levels.
The ability to probe such relationships offers an important line of defense—the lower tiers of ORC networks could implicate a retailer’s own employees. Coordinating a cargo theft requires surgical precision, so ORC groups must gather intelligence on the types of goods being shipped, transport dates and times, truck routes, and warehouse locations. Many heists, unsurprisingly, depend on insider collaboration and information.
For that reason, retailers should take care to vet personnel who play key roles and have access to sensitive information along the supply chain. A retailer will have typically conducted initial background checks when onboarding new employees, but revisiting the digital footprint scan over time to identify risky affiliates and their connections is crucial.
In this use case, a WEBINT platform can help a retailer assess the risk level posed by unknown insider threats based on their digital footprint, revealing connections between in-house personnel and external threat actors. Once a retailer has resolved the identities of ORC players, those can be periodically cross-checked to find new potential links.
Taking a Proactive Stance with a Boost from AI
Unearthing theft networks, monitoring chatter around planned activities, and vetting employees and supply chain personnel give retailers a more aggressive security stance. They are no longer reacting to incidents but proactively disrupting ORC networks, and they can minimize or prevent thefts planned for future dates.
Information sharing among retail investigation units is critical and is an additional measure that can help security teams develop an intelligence-based advantage and head off problems before they occur. When a retailer receives information on an organized crime network that has recently hit other companies, it can aggregate that data into a web intelligence platform to enrich its own risk threat analysis. Connecting the silos of information on threat actors helps organizations prepare for attacks and track organized groups moving between regions. In addition, information sharing may turn up the names of previously unknown ORC players, which can be cross-checked to identify potential insider threats.
At this point, retailers’ loss prevention activities rise to the level of threat intelligence, delivering knowledge that helps security personnel understand where a given threat is coming from and providing insight into how it can be targeted and prevented.
AI is an integral part of threat intelligence, helping sift through and prioritize the vast amounts of data collected during an investigation. The technology offers the ability to search huge numbers of data sources, both text and visual images on the web, and narrow the results to just the items that meet a retailer’s risk assessment criteria. Retail security managers can then prioritize alerts.
In general, the use of AI in threat intelligence helps organizations prioritize threats and provides the security staff with wider web visibility. This approach also enables important risk mitigation steps, such as identifying internal human security weaknesses and obtaining situational awareness in real time.
Moving Beyond Physical Security
Retail security has historically revolved around cameras on the sales floor and attached to stores and warehouses. Those measures remain important, but retailers must now broaden the security scope to include proactive situational awareness gained by automated web intelligence platforms.
Focusing on hiring more security people to provide wider coverage is neither scalable nor an option for cash-conscious retailers. Technology, however, lets organizations cost-effectively scale their loss prevention operations and improve their security posture. Investing in a WEBINT layer can provide the threat intelligence context to tackle organized crime and cut financial losses due to theft.
About the Author
Eyal Bachar serves as North America managing director for Cobwebs America, a global leader in web intelligence. He is a seasoned professional with over 25 years’ experience in technology driving actionable intelligence and global corporate management experience in the defense, law enforcement, and cyber industries. He can be contacted at [email protected].