The only problem: Koenig had no idea what they were talking about.
Cybercriminals had used her online gift store in a "phishing" scam, which set up a fake version of the site to try to extract visitors' credit card information. An e-mail enticed victims to the fake site by telling them they had a prize. The lure was a free Hewlett-Packard laptop computer.
"We got at least 10 to 20 phone calls and e-mails from people wanting to confirm they'd won the computer. It was a situation that could have hurt our brand, reputation and sales, if we didn't return those calls and e-mails," said Koenig, founder of Cybercalifragilistic, a gift site for geeks that generates 80 percent of its annual revenue during the holiday season.
The holiday shopping season, with its boom in traffic and sales, casts a spotlight on concerns over the security of e-commerce. Online fraud is becoming more professional as organized crooks begin to flex their muscle in digital scams. But major retailers and services providers have become more savvy too, bolstering security all year round. That leaves midsized and small Web stores as possible prey of criminals.
Those small businesses have more to lose, in credibility and income, from attacks. "This is the kind of thing you don't want to happen any time of the year--especially (not) during the holidays, when it's the busiest time of the year," Koenig said.
Online retailers are expected to generate about 30 percent of their overall revenue for 2004 in November and December, according to figures from research firm Jupitermedia. That adds up to about $20 billion in holiday sales.
But the spike in holiday traffic brings a 20 percent rise in the number of attempted security breaches, estimates VeriSign, which provides authentication of Internet transactions.
"Fraud activity increases with the level of volume activity to the site," said Trevor Healy, VeriSign's vice president of payment services. "There's a belief in the fraud community that retailers may not be as vigilant during the holidays because they're busy filling orders and getting their holiday sales out."
That traffic plays a part in one fraud scheme, in which criminals use a large number of stolen credit card numbers to make purchases on one site, to make sure those numbers are valid. The fraudsters then use those cards to buy goods at another e-commerce business. Another credit card scam that is increasingly popular, Healy noted, has corrupt employees issue refunds on numbers that don't exist.
Credit card fraud, phishing and denial-of-service (DoS) attacks linked to extortion are the security threats that have online businesses most worried, security analysts agree.
"If you are looking for opportunities to defraud a merchant, you are going to look downwards in order to find those that are susceptible to fraud," Banks said.
Koenig and her small online business are familiar with the dangers of DoS attacks. Back in 1996, Cybercalifragilistic suffered an outage for a couple of days during the holiday spending season after its Internet service provider, WebCom, was hit with a flood of data that swamped its servers.
"It cost our company 20 percent of our holiday sales," she recalled. "This happened during the pioneering days of the Internet, and the attack was to protest commerce on the Internet."
Carrie Johnson, an analyst with Forrester Research, noted that the retailers most likely to lose customers from a DoS attack are those