According to the Federal Bureau of Investigation (FBI), online shoppers risk losing more than $53 million during this year’s holiday season. With scams ranging from socially engineered emails promising great deals to hard-to-find gifts that are offered for sale but never reach the buyer’s address, the festive season is cybercriminals’ and fraudsters’ favourite time of the year.
So, what should consumers do to shop safely?
We asked cybersecurity experts for their views on holiday shopping scams, the most important warning signs to be on the lookout for, and what retailers can do to protect shoppers this holiday season.
Andy Renshaw, SVP of product management at Feedzai:
As the economy becomes cashless and digitised, the rise in scams is to be expected, and not just around the holidays. In fact, purchase scams, where buyers pay for goods that are never delivered, were the number one fraud attempt in the third quarter of 2021, according to Feedzai’s financial crime report.
Unfortunately, we can expect purchase scams to increase as consumers take advantage of Black Friday deals and do their holiday shopping online, and people are invited to exercise caution. Consumers should make sure they stay on the lookout for socially engineered emails that promise deals too good to be true and create a sense of urgency around completing a purchase, as these are red flags that could indicate a scam. This is particularly true if consumers have never used these merchants before.
It’s particularly important to look out for the less tech-savvy shoppers, who might have started making purchases online during the pandemic. Consumers are advised to validate retailers’ credibility by searching for online reviews – more often than not, others will have already raised the alarm on fraudulent websites and dodgy sellers. Alternatively, the absence of any reviews or information (negative or positive) could be of concern too.
Jamie Boote, software security consultant, Synopsys Software Integrity Group:
The holidays are a chaotic time for many industries that depend on the retail surge to put their ledgers back in balance. Every year offers increased opportunities for businesses and scammers alike, but this year will be especially dangerous. The supply chain disruptions and high employee turnover rate mean that there are new challenges to face and fewer experienced hands to fix them.
Supply chain disruptions create all kinds of opportunities for unscrupulous dealers to introduce risk into end products that might have been passed by in years where parts were easier to come by. Normal suppliers of chips and hardware may not be able to fill demand and desperate vendors may need to source parts with a less pedigreed provenance. These counterfeit chips and parts can degrade reliability and availability, or be vectors for malware and back doors. The remote nature of online storefronts makes it much easier for counterfeit goods to be sold as genuine. By passing on this risk, the burden is placed on the end consumer who has to perform extra diligence in terms of testing and validation or be faced with an attack vector or unreliable hardware.
Unfortunately, sourcing work hours to devote to security is difficult during the holidays, and extra difficult in the midst of the Great Resignation. This time of year is difficult for IT teams that are covering for time off during the holidays while supporting the increase in holiday operations. New hires can help with the issue, but they may lack the training and experience to properly diagnose and respond to security issues. Increasingly, IT departments are turning to outside help for assistance with their security issues.
All this holiday traffic is riding over brand new architectures such as cloud, microservice, and API-driven applications. These new services are accompanied by a learning curve and unique tooling needs that, if neglected, can allow attackers to exploit these new systems during the most important time of the year for some industries. Companies need to be extra vigilant this year to secure their systems from attack to prevent malicious traffic from flying under the radar. Any incidents need to trigger a root cause analysis that feeds into a get-well plan to close the hole and any others like it.
Hank Schless, Senior Manager, Security Solutions at Lookout:
“People are shopping on their smartphones and tablets more than ever before. Threat actors know that. We receive messages about new deals and shipping updates through SMS and social media platforms all the time. Phishing campaigns based on an event, such as Cyber Monday, are built to imitate those communications. We’re programmed to interact quickly with notifications on our mobile devices. It also doesn’t help that mobile devices have smaller screens and simplified user experience that makes it more difficult to spot many of the red flags that would usually warn us of a phishing attack.”
“To protect yourself from mobile phishing attacks, you should never tap a link from a number or person you don’t recognize. If possible, contact the sender and validate the communication before interacting with the link. If you do tap one of these links, read the full URL in the browser. Phishing sites often use URL spoofing to look like a retailer’s website, for example, but when you view the full URL it’s actually something very different. You should also protect your phone and your personal data by using a mobile security app that offers phishing protection. Not only will this keep your personal data safe, but it also helps protect any work data you access from your personal smartphone or tablet.”
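The “read the full URL” check above, as an added example that is not part of the original article or of Lookout’s products: it extracts the host a browser would actually connect to and compares it with the retailer’s registered domain, so a link whose text merely contains the retailer’s name is exposed. The domain `example-retailer.com` and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# Hypothetical retailer domain used for this example; a real retailer
# would substitute its own registered domain here.
EXPECTED_DOMAIN = "example-retailer.com"


def connected_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL.

    urlsplit().hostname drops any userinfo before '@' and any port after
    ':' and lower-cases the result, so a host that only *contains* the
    retailer's name is revealed for what it is.
    """
    return (urlsplit(url).hostname or "").rstrip(".")


def is_expected_site(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the host is the expected domain or a subdomain of it.

    The check is anchored on the right-hand end of the host name: a host
    such as 'expected.com.something-else' is NOT a match.
    """
    host = connected_host(url)
    return host == expected or host.endswith("." + expected)


# Constructed sample links of the kind a shopper might receive by SMS or
# e-mail during a sales event; only the first one belongs to the retailer.
SAMPLE_LINKS = [
    "https://www.example-retailer.com/deals/cyber-monday",
    "https://example-retailer.com.shipping-update.example/track",
    "https://example-retailer.com@login.example/verify",
    "https://examp1e-retailer.com/account",
]


def classify(links=SAMPLE_LINKS) -> dict:
    """Map each link to whether it really points at the retailer."""
    return {u: is_expected_site(u) for u in links}


if __name__ == "__main__":
    for link, ok in classify().items():
        print(f"{'OK      ' if ok else 'SUSPECT '} {connected_host(link):45} {link}")
```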
George Papamargaritis, MSS director at Obrela Security Industries:
“Online retailers and e-commerce businesses are key targets of DDoS attacks, especially during the period of peak sales, such as Black Friday / Cyber Monday. It is very important that retailers invest in the security monitoring of their ecommerce infrastructure to protect against this rise in threats.
For instance, monitoring the identity service that provides authentication to end customers can give early warnings and help ecommerce sites take proactive action before an incident takes place.
Furthermore, e-retailers should invest in threat detection mechanisms that specialise in ecommerce threat monitoring. Such analytics may include specialised visualisation techniques, which establish real-time trends of activity on business-critical ecommerce APIs. These are used as a baseline to allow monitoring of the collected data points to track traffic trends, helping operations teams to analyse and predict threats quickly, before they impact operations.”
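The baseline-and-monitor approach described in the two paragraphs above, as an added example that is not part of the original article or of Obrela’s tooling: per-minute request counts for one business-critical API are turned into a baseline (mean plus a multiple of the standard deviation, with a minimum margin), live minutes are compared against it, and only minutes that did not alert are folded back into the sliding baseline so that a slow ramp cannot teach the monitor that attack volume is normal. The counts are constructed; the same function applies unchanged to authentication-failure counts from an identity service.

```python
from statistics import mean, pstdev

# Constructed per-minute request counts for a checkout API: 30 known-normal
# minutes used as the initial baseline, then 5 live minutes in which a
# surge begins.
BASELINE_WINDOW = [118, 125, 131, 122, 119, 127, 133, 129, 121, 124,
                   130, 126, 120, 128, 132, 123, 125, 127, 131, 124,
                   122, 129, 126, 130, 121, 125, 128, 127, 123, 126]
LIVE_MINUTES = [129, 134, 412, 1876, 5020]


def build_baseline(counts, k=4.0, floor=50):
    """Return (threshold, mean, stdev) for a window of known-normal counts.

    threshold = mean + k*stdev, but never less than mean + floor, so a very
    steady baseline does not turn into a hair-trigger alert.
    """
    mu = mean(counts)
    sigma = pstdev(counts)
    return max(mu + k * sigma, mu + floor), mu, sigma


def detect_surges(live, baseline_counts, k=4.0, floor=50):
    """Compare each live minute with the baseline.

    Returns a list of (minute_index, count, ratio_to_baseline_mean) for the
    minutes that crossed the threshold. Minutes that alert are NOT added to
    the sliding window, so the baseline is learned only from traffic that
    looked normal.
    """
    history = list(baseline_counts)
    threshold, mu, _ = build_baseline(history, k, floor)
    alerts = []
    for i, count in enumerate(live):
        if count > threshold:
            alerts.append((i, count, round(count / mu, 1)))
        else:
            history.append(count)   # fold a normal minute into the window
            history.pop(0)          # and drop the oldest one
            threshold, mu, _ = build_baseline(history, k, floor)
    return alerts


if __name__ == "__main__":
    for minute, count, ratio in detect_surges(LIVE_MINUTES, BASELINE_WINDOW):
        print(f"minute {minute}: {count} requests, {ratio}x baseline mean")
```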
Steven Hope, CEO and co-founder of Authlogics:
“Retailers and consumers alike face a plethora of threats over the course of cyber week and Black Friday. One particular danger is the use of breached or re-used passwords within an organisation and among its customers. In fact, our research has shown that over 100,000 breached passwords within our database belong to some of the UK’s and the world’s largest retailers. What’s worse is that individuals are also using breached credentials, making them an incredibly easy target for threat actors who can use these to gain access and launch phishing or ransomware attacks. Considering the fact that most retailers hold sensitive customer data, including payment information, this can be extremely harmful and lead to monetary loss, damage to reputation and even identity theft.”