Tips for Secure Online Shopping this #BlackFriday

The Christmas shopping period, the most hectic time of the year for the retail sector, is well and truly underway this year, with the highly anticipated Black Friday and Cyber Monday events now upon us. It is fair to say that this year, shopping will feel a bit different, largely due to the explosion in e-commerce brought about by the COVID-19 pandemic. Ongoing social distancing restrictions throughout the world, including the enforced closure of non-essential stores in countries such as the UK currently, coupled with continued fears over catching the virus, mean it is certain more people than ever will turn to online shopping to take advantage of the one-off deals during Black Friday and Cyber Monday.

Sadly, despite the enormous benefits online shopping brings, particularly to elderly and vulnerable people in the midst of a global pandemic, the huge increase in users is providing more opportunities for cyber-criminals to launch attacks and scams. Those new to the world of online shopping will be especially vulnerable to the tricks employed by nefarious actors.

Paul Hampton, payment security expert at Thales, noted: “With a second lockdown forcing shoppers to replace the high street with a COVID-safe shopping spree online, Black Friday and Cyber Monday are set to draw people online like never before. While it’s an opportunity for brands heavily impacted by the pandemic, the annual retail holiday weekend opens up a much larger threat landscape for cyber-criminals to attack. As we saw around Amazon Prime Day with a spike in phishing scams masquerading as sales and websites disguised as the retailer giant, hackers take advantage of these peaks in the shopping calendar to launch their attacks.”

Since the start of COVID-19, the ways online customers have been targeted haven’t drastically changed – they generally revolve around standard scam techniques such as phishing messages to steal credentials or launch malware. It is the sheer scale of attacks that has been the distinguishing feature in 2020.

“Fraud tactics like phishing attempts, fake websites and SMS scams are used to trick customers into revealing their personal details. Mobile app-based payments are also creating new opportunities for fraudsters to access customers’ data,” explained Andy Renshaw, VP of payments strategy and solutions at Feedzai. “That’s the most important element in this – if fraudsters don’t have access to personal information, it’s very unlikely they are able to commit any type of fraud.”

So what steps can people take to ensure they are shopping online safely this year?

Beware of Greeks Bearing Gifts

Black Friday and Cyber Monday have become synonymous with bargain offers, and in the midst of the current economic crisis and huge job losses, consumers will be on the hunt for cheap deals more than ever before.

However, the increased desire to save money this year provides extra lures for fraudsters to entice shoppers to click on malicious links and reveal personal data, even including card details. For instance, a survey by Kaspersky this week found that 84% of consumers are willing to risk giving away personal data such as email addresses and telephone numbers to take advantage of bargains. It is crucial therefore that shoppers take a more cautious approach when they come across apparently great offers, especially those sent directly to them, by email or other mediums.

Joseph Carson, chief security scientist at Thycotic, warned: “Cyber-criminals use fear, time and money to lure victims into making them do something they wish they had not. Using fear of potentially losing a ‘once in a lifetime,’ time-sensitive bargain online that could save you money, is one example. You expect that you will get these limited specials, however, the cyber-criminals are simply trying to abuse your vulnerable trust. Cyber-criminals will sift through tons of social media information to search what you are looking for and offer you the best deal in the world simply just to steal your password to your accounts.”

Steve Durbin, managing director of the Information Security Forum, added: “Beware of email ‘offers’ from companies you don’t recognize and even those that you do know but shouldn’t be emailing you – they’ll likely contain a malicious click through link or even an attachment. Don’t click through or download the attachment unless you are completely certain that they are legitimate.”

Following the old maxim ‘beware of Greeks bearing gifts’ is therefore highly advisable. Etay Maor, chief security officer at IntSights said: “Remain vigilant and don’t click/download/reply to anything that seems even mildly suspicious. If it seems too good to be true, it probably is.”

If unsure, another useful tip is to undertake a quick grammar check of any communication received as spam messages often contain spelling errors. Liviu Arsene, global cybersecurity researcher at Bitdefender, said: “Check the grammar of any email you receive, and hover across the link to make sure it leads to the official website.”

While fraudulent offers are generally discussed in the context of email messages, the growing use of phones to browse and purchase products in recent years has opened up further channels for malicious actors to launch phishing scams. Worryingly, messages sent to smartphone devices are in many ways even more dangerous than email, and these users therefore need to exercise an even greater sense of caution.

Hank Schless, senior manager, security solutions at Lookout, noted: “People are shopping on their smartphones and tablets more than ever before. Threat actors know that. We receive messages about new deals and shipping updates through SMS and social media platforms all the time. Phishing campaigns based on an event, such as Cyber Monday, are built to imitate those communications. We’re programmed to interact quickly with notifications on our mobile devices. It also doesn’t help that mobile devices have smaller screens and simplified user experience that makes it more difficult to spot many of the red flags that would usually warn us of a phishing attack.”

Check for Illegitimate Websites

Another tactic frequently used by fraudsters is to set up fake e-commerce sites or spoof legitimate ones. Before visiting a particular shopping site, especially an unfamiliar one, it is important to take steps to confirm it is legitimate. If there is any doubt, it is best to err on the side of caution: such sites may contain malicious links or trick consumers into handing over sensitive data.

Hampton advised: “Be on guard for cowboy websites with self-written reviews. Only use websites that you have heard of before and have lots of positive reviews on a range of sites.”

He added: “Avoid any links sent to you by email or SMS and always type the URL of the website directly into your browser.”

A similar rule of thumb applies with shopping apps, which are becoming increasingly utilized as a result of the rise in mobile browsing. “Just like websites, apps can be spoofed or copied, so if you want to use a shopping app, get it from a legitimate source and limit the information you share with it,” highlighted Tom Pendergast, chief learning officer at MediaPro.

Shipping Updates and Tracking Scams

Consumers should also be aware that malicious actors may try and catch them out with fake order notifications and shipper notes. Again, great care should be taken to ascertain whether the message is from a legitimate firm before clicking on any links. Pendergast explained: “If the shipper doesn’t announce who they are, you can be sure they’re fake. You might consider creating accounts at the major shippers (FedEx, UPS, USPS) so that you control your shipping notifications.”

Brandon Hoffman, CISO at Netenrich, added: “While the cyber-criminals are hastily preparing their phishing campaigns and account takeover techniques, the traditional criminals are watching the delivery services with a careful eye. This time of year is always rife with crime sprees and this year will be no different. Be on the lookout for suspicious deal-related emails, shipment updates and so-called tracking services.”

New Retail Trends

Another consideration this year relates to the rise of ‘appointment shopping,’ which some retailers have introduced in order to avoid overcrowding in physical stores on Black Friday and Cyber Monday. Arsene believes that some criminals may seek to imitate online scheduling systems. “Inspect the offer closely before reserving your spot for a chance to shop early and snag a deep discount. COVID-19 restrictions are here to stay, but stores may also come up with a go-to lottery system, where lucky winners receive an allocated time slot for in-store shopping,” he said. “It’s best to check out the vendor’s official website before you sign up, pay for any exclusive store access or provide personal information in an online form.”

Arsene added that fraudsters may also try to exploit the growing use of QR codes since the start of COVID-19. These codes, printed in adverts and promotions to send customers straight to a product webpage where they can quickly add items to their shopping cart, are likely to play a major role during this year’s holiday season. He commented: “Although this method is time-efficient for the customer, threat actors could create malicious QR codes and encode custom-made payloads to redirect users to fake websites and steal personal data or install malware on the device.”
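The advice above boils down to one check the shopper can make before clicking: does the link in the email, SMS or decoded QR code actually lead to the retailer it claims to be from? The following Python script is an added example, not code from the article or from any of the vendors quoted; it shows how a defender might automate that "hover over the link" check and surface the common ways a spoofed link disguises its real destination. All retailer names, URLs and the `inspect_link`, `registrable_domain` and `homoglyph_fold` helpers are constructed for this example, and the public-suffix handling is deliberately simplified (a real tool would use the Public Suffix List).

```python
"""Inspect a link found in an email, SMS or QR code and report why it may
not lead to the retailer it claims to be from.

Added example: every domain, URL and helper below is constructed for
illustration and is not taken from the article or from any real retailer.
"""
from urllib.parse import urlsplit

# Common digit/symbol substitutions seen in lookalike domain names.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

# Assumption: a tiny stand-in for the Public Suffix List, enough to treat
# "co.uk"-style suffixes as two labels. Real code should use the full list.
_TWO_PART_SUFFIX_HEADS = {"co", "com", "org", "gov", "ac"}


def homoglyph_fold(label):
    """Map digits that mimic letters back to the letters they imitate."""
    return label.translate(_FOLD)


def registrable_domain(host):
    """Return the part of the hostname that somebody had to register.

    www.example-shop.com -> example-shop.com
    deals.big-retailer.co.uk -> big-retailer.co.uk
    """
    labels = host.split(".")
    if (len(labels) >= 3 and labels[-2] in _TWO_PART_SUFFIX_HEADS
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url, claimed_domain):
    """Return a list of findings; an empty list means the link checks out."""
    findings = []
    claimed_domain = claimed_domain.lower()
    parts = urlsplit(url.strip())

    if parts.scheme not in ("http", "https"):
        findings.append("unexpected scheme '%s'" % parts.scheme)
    elif parts.scheme == "http":
        findings.append("not HTTPS")

    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no hostname in link")
        return findings

    # https://example-shop.com@evil.example/ : the browser goes to evil.example.
    if parts.username is not None:
        findings.append("text before '@' is a username, not the real host")

    # Internationalised labels can render as lookalike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) hostname")

    # A retailer's checkout page is not served from a bare IP address.
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a domain name")
        return findings

    reg = registrable_domain(host)
    if reg == claimed_domain:
        return findings

    findings.append("registrable domain is '%s', not '%s'" % (reg, claimed_domain))
    claimed_label = claimed_domain.split(".")[0]
    if claimed_domain in host:
        # example-shop.com.deals-now.example : the brand is only a subdomain.
        findings.append("claimed domain is embedded in a longer hostname")
    elif (homoglyph_fold(reg.split(".")[0]) == claimed_label
          or claimed_label in reg):
        # examp1e-sh0p.com or example-shop-deals.com
        findings.append("lookalike of the claimed domain")
    return findings


def verdict(url, claimed_domain):
    return "ok" if not inspect_link(url, claimed_domain) else "suspicious"


if __name__ == "__main__":
    # Constructed sample links a shopper might receive before Black Friday.
    samples = [
        "https://www.example-shop.com/deals/black-friday",
        "http://example-shop.com.deals-now.example/login",
        "https://example-shop.com@evil.example/",
        "https://examp1e-sh0p.com/",
        "https://192.0.2.10/example-shop",
    ]
    for link in samples:
        print(verdict(link, "example-shop.com"), link,
              inspect_link(link, "example-shop.com"))
```

The script only reasons about the link text itself, which is exactly what hovering over a link shows; it says nothing about whether the real page behind a correct-looking domain is safe, so the article's advice to type the retailer's URL directly into the browser still applies.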

Password Security

An area in which online users often fall short is password habits and security. In the current situation, this has never been more vital, with tactics like account takeover (ATO) rising fast this year. For instance, a new study has shown that e-retailers experienced more than twice as many ATO attempts as any other industry this year. Following recommended password hygiene will therefore go a long way to keeping shoppers safe. Passwords should be different for each online account, complex in nature and changed regularly.

Although perhaps seen as slightly inconvenient, the security benefits of two-factor authentication for accounts are overwhelming. This can generally be easily set up on any online account, and brings in an additional layer of security should a password be compromised.

“Stop using the same password for all of your accounts and implement software that generates one-time unique passwords. This means every time you log in a random password will be created for you,” commented Hampton. “Always try to activate two-factor authentication services to give you that extra layer of security. This will ensure only you can access your account.”

Pendergast advised that for any retailers not regularly used, it is better to use “guest access” in order to reduce the amount of online accounts being created.

Update Security Software

Consumers can also make life much easier for themselves simply by installing the latest security updates for their personal devices, such as phones and laptops, as soon as they become available. These updates patch bugs or errors discovered after the product’s release. Yet many people delay installing software updates, and this leaves their devices more vulnerable to attack.

Durbin said: “When shopping online, especially at a busy time like Black Friday, be sure to update your security software and check that your firewall and anti-virus is working.”

Retailers must be aware of these increased threats and mitigate against them to protect their customers as much as possible. However, with the huge growth in online shopping this year, it is becoming increasingly important that consumers are aware of the types of scams out there and take basic security steps themselves. For example, if a hacker is able to guess a customer’s login details, it will be very hard for firms to prevent fraud taking place.

Hampton concluded: “While retailers absolutely have a responsibility to protect customers at this time of year, shoppers shouldn’t assume they’re automatically protected. It’s vital that they understand the risks and know how to protect themselves. Ultimately, it’s their data and they will be the most affected should it become compromised.”
