Every year, customers are enticed by thousands of ‘unmissable offers’ on Black Friday and Cyber Monday. In the UK alone, consumers are expected to spend up to £3bn on Black Friday and Cyber Monday purchases.
Digitalization of the shopping experience means buyers are not only bombarded with discounts in physical stores, they also receive notifications through retailers’ apps and via email. The more ways retailers have to engage customers, the more avenues attackers have to choose from to get their hands on buyers’ credentials and sensitive information.
However, there are steps both consumers and retailers can take to protect themselves and each other against malicious actors.
Only Trust Official Retailers
During peak demand periods like the one around Black Friday and Cyber Monday, malicious actors’ preferred mode of attack is the social engineering campaign, usually in the form of phishing emails that show remarkable offers. “The goal is to deceive victims into divulging sensitive information, such as credit card details and personally identifiable data,” said Vlad, Threat Intelligence Analyst at Searchlight Cyber.
“One prevalent tactic is malvertising, which targets bargain-hunting customers. These unsuspecting users may end up with their devices infected while seeking a good deal. This emphasizes how crucial it is for customers to shop online with extra caution over the holidays. Shops imitating reputable products and adverts directing them to questionable websites should be avoided.”
David Warburton, Director at F5, noted: “One of the best ways consumers can protect themselves from these risks is to ensure they visit a brand’s official website and check if the promotions coincide with what was advertised on the email.”
It is important to understand that not everything that looks safe is in fact safe. “Consumers should recognise that the security padlock and ‘http’ in a web address are not signs of security,” Warburton advised.
“In fact, it is common for most phishing websites to have both, with the aim to provide a false sense of security to consumers who don’t pay too much attention to a website’s name. Consumers need to stay vigilant this Black Friday to avoid being scammed.”
Responsibility to Protect Customers
Consumers are not completely naïve and oblivious to the rise of cyber threats, in both quantity and complexity. NCSC research shows that seven in 10 British people worry that AI will make it easier for criminals to commit online fraud. Retailers have the responsibility to protect them from this.
The most obvious way for businesses to protect consumers is to introduce strong security measures, such as multi-factor authentication (MFA). Research conducted by Ping Identity found that half of consumers report that tools like MFA make them feel more protected against fraud, something e-commerce companies have already taken note of and are continuing to implement.
“Modern authentication solutions, like passwordless or MFA, in the customer log-in and purchase process will ensure the safety of customers' identifiable data,” added Matthew Berzinski, Senior Director of Ping Identity. “During busy shopping periods and beyond, this extra layer of security could lead to increased revenue, satisfaction and brand loyalty as consumers trust the retailers.”
Ian McShane, VP of MDR at Arctic Wolf, noted that frequent password reuse across personal and business-related sites provides the key opportunity for those creating well-crafted scams.
“Even more risk is added when people use their work email addresses as account credentials, meaning, if they fall for one scam, it’s not only their personal account credentials at risk, but the credentials for everything which uses that password,” he commented.
McShane added that businesses can help guard their employees’ personal and business credentials by encouraging the use of password managers and multifactor authentication, not just for work but for all online accounts.
Don’t Make it Easy for Attackers
Savvy attackers are always looking for ways to install malware or collect customers’ confidential payment details and data. “An added seasonal gift is when they are also given the opportunity to infiltrate the networks of people using corporate devices to shop, because even one compromised business credential on one employee device can lead to costly business damage and disruption to their employer,” explained David Higgins, Director of the Field Technology Office at CyberArk.
Higgins insisted that the only way for businesses to build and maintain trust from customers is to prioritise the enhancement of security procedures, confirming identities and validating participant credentials before any online interaction.
Embracing Data and Automation
Ryan Sheldrake, Field CTO EMEA at Lacework, believes the best way for young companies in the retail sector to tackle key dates like Black Friday and the demand surges that accompany them is to embrace data and automation.
“It is the only way to keep pace and ensure their environment moves around to meet demand and control risk during the busiest traffic week of the year. Cloud asset data can be used for preventative controls and misconfiguration detection (CSPM), arguably one of the most significant threats whilst leveraging public cloud, as many retailers do,” he explained.
But this is not enough, according to Sheldrake. “On top of this, retailers must deploy threat detection in runtime, as the systems processing transactions and taking users' card details and addresses must be secure. It's not enough to merely deploy misconfiguration detection. If, for example, an access key is compromised, CSPM will not detect this. The damage radius needs to be quantified, put in context, triaged, and remediated as rapidly as possible.”
Prevention is the Best Cure
As retail and shopping become increasingly digital, consumers and businesses are on high alert to protect themselves against cyber scams. Steps can be taken on both sides to keep personal information and sensitive data safe on peak days like Black Friday and Cyber Monday. From always visiting official websites and being wary of intermediaries, to introducing MFA, organizations need to protect themselves this shopping season.