By Callie Guenther | CYBERSOC Data Scientist, CRITICALSTART
November 20, 2020
Black Friday. You love it, you hate it, you love to hate it. Coronavirus has canceled many things in 2020, but Black Friday and Cyber Monday may be as big as ever. The number of online holiday shoppers this year is expected to skyrocket due to the Covid-19 pandemic and consequently, consumers and retailers alike can expect an onslaught of scams, phishing attacks and other malicious activities. With Black Friday quickly approaching, the responsibility to combat cybersecurity threats lies in the hands of the retailer more than ever.
The risk of infection is driving consumers to shop from the safety of their homes, rather than venture out into stores and from a cybercriminal perspective, this level of online shoppers translates to a heightened risk of targeted attack for retailers globally. It’s important for e-commerce businesses to be aware that they aren’t the only ones making preparations for a busy holiday season. Cybercriminals will look to profit from the lucrative opportunities at a time when payment card data and personal details will be flowing through digital databases at a faster rate than ever.
Retail is an Attractive Target for Cybercriminals
E-commerce has surged with the onset of the pandemic earlier this year, dramatically changing shopping behavior around the world. As merchants gradually release 2020 Black Friday plans, it appears that this year’s shopping spree could be extended, giving cybercriminals a large window to lure potential victims and set up campaigns redirecting merchants’ cash flow away from the intended recipient. A flood of aggressive advertising via social media and email may prompt consumers to dismiss red flags, making them even more susceptible to credential-harvesting phishing scams, account takeover and fraud. In the past year, cyber-thieves have proved to be distinguished social engineers preying on our fears, misinformation, and speculation surrounding Covid-19. Their expanded set of tools is bound to shine even more this holiday season.
Verizon’s 2020 Data Breach Investigations Report found that financial motivations lay behind 89 percent of attacks. Cyberattacks damage retailers in many ways: lost sales, loss of reputation, and legal sanctions if they have not met regulations such as the European Union’s General Data Protection Regulation (GDPR). The stakes are high on Black Friday and Cyber Monday. In 2019, Kaspersky’s research identified a range of cleverly designed phishing scams masquerading as seasonal discounts from big brands, almost indistinguishable from the real thing. It’s not just phishing emails: smart scammers also launch malicious websites for the occasion to further build a sense that they’re credible.
Cybercriminals’ Seasonal Strategies
People are always on the lookout for deals, whether they are regular consumers or cybercriminals on the deep and dark web. Authorities worldwide are already warning of a slew of scams leading up to the holiday season. Here are three ways consumers can protect themselves from cybercriminals ahead of Black Friday and Cyber Monday:
Good riddance doorbusters: Pay special attention to appointment shopping this year, as cybercriminals could leverage the scheduling systems already set up by some retailers to avoid hectic lines amid the global health crisis. Inspect the offer closely before “reserving” your spot for a chance to shop early and snag a deep discount. Covid-19 restrictions are here to stay, but it’s always best to check out the vendor’s official website before you sign up, pay for any exclusive store access, or provide personal information in an online form.
Proceed with QR Caution: The pandemic has also fueled the use of QR codes, which have gained immense traction in recent years. An estimated 11 million households in the US are expected to scan a QR code in 2020 alone. QR codes can be used in ads and promotions to redirect customers to product webpages where they can quickly add merchandise to their online shopping cart. Although this method is time-efficient for the customer, threat actors could create malicious QR codes that redirect users to fake websites to steal personal data or install malware on the device, because a scanned code cannot be read by a human before it is followed.
Online Social Distancing: In 2019, social-media scams and domain-impersonation scams were some of the biggest types of attacks during the holiday shopping season, often meant to steal credentials or payment data from unsuspecting shoppers or distribute malware onto their systems. These types of attacks are increasingly convincing and harder to spot; attackers are using sophisticated tactics, including visual CAPTCHAs and token-based authorization methods, to make fraudulent pages look like legitimate ones and bypass normal safety features.
In addition to great deals and savings, the holiday season can also bring an increased risk of financial loss. As more and more people turn to online shopping, cybercriminals are provided with a much larger landscape in which to conduct fraud. There are several actions retailers can take to reduce risk and ensure customers stay safe while shopping:
Plan ahead: Be proactive in letting everyone know you’re a step ahead of the threats. By putting the right measures in place, you can not only reduce the likelihood of a breach but also enhance your reputation and help customers to safeguard themselves. Communication is key and letting your customers know you are vigilant in cybersecurity will build customer confidence. Alert them to your security and privacy procedures and tell them what you are doing to safeguard them.
Be diligent: Find and isolate scams posing as your brand, and lock down any compromised online accounts before they cause irreparable damage. Look beyond conventional perimeter security (thorough checks for all attempts to connect to corporate resources from outside the infrastructure) and lock down social media and other online endpoints as well. If you discover that scammers are using your brand to target customers, issue a prompt warning and urge customers to check that any links to your website are legitimate.
Hold your supply chain accountable: Point of sale (POS) devices are prime targets, so make sure they are protected and monitored regularly for suspicious activity. Besides POS devices, don’t forget about third-party vendors such as your HVAC vendor, IT services, third-party software, etc. Have a defined supply chain onboarding process to include a robust vendor review, implement least privilege access, ensure there are strict security controls, and remember to revisit every step on a regular basis or if the scope of the vendor partnership changes.
Use payer authentication and validation: Requiring card verification numbers (CVNs), using an address verification service (AVS), or using a 3-D Secure payer authentication service can help reduce the use of stolen credit cards. Additionally, companies should monitor cracking forums for mentions of their company. The presence of your company domain on a criminal forum is a good indication that you are being targeted by credential stuffing tools.
Use anti-CNP (Card-Not-Present) tools to validate transactions: Device fingerprinting, customer history, velocity monitoring, and negative lists (in-house or shared) are all valuable tools to disrupt fraudsters.
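To show how the payer-validation and anti-CNP controls above combine at authorisation time, here is an added Python sketch (not CRITICALSTART's code) that screens constructed checkout attempts against a negative list of device fingerprints, the processor's AVS and CVN results, and per-device and per-card velocity. The field names, the AVS result coding and the thresholds are assumptions made for the example.

```python
from dataclasses import dataclass
# Constructed lists and thresholds for this example; not taken from the article.
NEGATIVE_DEVICES = {"fp-bad-01"}   # in-house or shared negative list of device fingerprints
VELOCITY_WINDOW_SEC = 600          # look-back window for velocity monitoring
VELOCITY_LIMIT = 3                 # prior attempts per device or card that trip the check

@dataclass
class Txn:
    ts: int           # epoch seconds of the checkout attempt
    card_hash: str    # tokenised card reference, never the raw PAN
    device_fp: str    # device fingerprint collected at checkout
    avs_code: str     # AVS result, assumed coding: "Y" full match, "N" no match
    cvn_match: bool   # whether the card verification number matched

def velocity(txn, history, key):
    """Count earlier attempts inside the window that share one attribute (device or card)."""
    cutoff = txn.ts - VELOCITY_WINDOW_SEC
    return sum(1 for h in history if h.ts >= cutoff and getattr(h, key) == getattr(txn, key))

def screen(txn, history):
    """Return (decision, reasons) for one transaction given every earlier attempt."""
    reasons = []
    if txn.device_fp in NEGATIVE_DEVICES:
        reasons.append("negative_list")
    if not txn.cvn_match:
        reasons.append("cvn_mismatch")
    if txn.avs_code != "Y":
        reasons.append(f"avs_{txn.avs_code}")          # partial or no address match: human review
    for key in ("device_fp", "card_hash"):
        if velocity(txn, history, key) >= VELOCITY_LIMIT:
            reasons.append(f"{key}_velocity")         # many cards from one device looks like card testing
    if {"negative_list", "cvn_mismatch", "device_fp_velocity"} & set(reasons):
        return "decline", reasons
    return ("review" if reasons else "approve"), reasons

def screen_batch(txns):
    """Screen in time order; declined attempts still feed the velocity counters."""
    history, results = [], []
    for t in sorted(txns, key=lambda t: t.ts):
        results.append(screen(t, history))
        history.append(t)
    return results

SAMPLE = [  # constructed checkout attempts, all within one 10-minute window
    Txn(1000, "card-a", "fp-001", "Y", True),
    Txn(1010, "card-b", "fp-bad-01", "Y", True),   # device on the negative list
    Txn(1020, "card-c", "fp-002", "N", True),      # AVS mismatch only
    Txn(1030, "card-d", "fp-003", "Y", False),     # CVN mismatch
    Txn(1040, "card-e", "fp-007", "Y", True),
    Txn(1050, "card-f", "fp-007", "Y", True),
    Txn(1060, "card-g", "fp-007", "Y", True),
    Txn(1070, "card-h", "fp-007", "Y", True),      # fourth distinct card from one device
]
```

Running `screen_batch(SAMPLE)` approves the ordinary orders, sends the AVS-mismatch order to review, and declines the negative-list device, the CVN mismatch and the fourth card from one device.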
Retail and e-commerce organizations have a wealth of sensitive data and deep supply chains that can expose your business, customers, and brand to a wide variety of digital risks. There is no doubt that businesses around the globe will be more dependent on e-commerce than ever before this Black Friday. Given the events of the last few months, we all hope that it’s a successful one for businesses that have struggled through the uncertainty of 2020.
Looking for quick tips that you can give customers? Check out our blog 4 Holiday Shopping Tips that Retailers Can Provide to Customers.