This week marks Black Friday 2024! As the popularity of this event has skyrocketed in recent years, so have the cyber risks involved in buying and selling products. In the second of two articles, we have gathered insights from cybersecurity experts on Black Friday, from the threats faced by consumers and vendors to the best practices for staying safe.
Tim Ward, CEO and Co-Founder of ThinkCyber Security:
“Black Friday, Cyber Monday, and the holiday season are some of the busiest times of the year for online shoppers. Unfortunately, they’re also prime opportunities for cybercriminals to exploit consumers’ hasty shopping habits. With so much focus on finding the best deals, many shoppers are more vulnerable to scams, especially those disguised as unbeatable offers, unexpected refunds, or delivery notifications.
Psychology plays a significant role in how scammers succeed. Our brains are wired to seek shortcuts and rely on heuristics—mental rules of thumb—to simplify decision-making. During the holiday season, we’re inundated with “amazing deals” and promises of massive savings. This constant exposure to offers can prime us to expect such opportunities everywhere, making us more likely to fall for scams. The mere-exposure effect, a principle of cognitive psychology, explains that the more familiar something feels, the more we trust it—regardless of its legitimacy. Scammers exploit this by crafting offers that appear increasingly credible with repeated exposure.
Scarcity is another tactic commonly used by both legitimate marketers and cybercriminals during the holidays. Phrases like “Offer ends today,” “Limited stock,” or “Don’t miss out!” are designed to create urgency and push consumers into acting quickly. Scammers leverage this psychological pressure to lure victims into clicking on fraudulent links or sharing personal information.
So, how can we help shoppers protect themselves from these risks? Education and awareness are key. For example, “re-priming” individuals by exposing them to examples of scams can make them more alert to offers that seem too good to be true. By bringing the possibility of a scam to the forefront of their minds—especially when interacting with emails or online offers—we can help them pause and evaluate the situation more critically.
Another approach is to guide individuals from relying on intuitive, automatic decisions (System 1 thinking) to more deliberate, cautious decision-making (System 2). For instance, reminding users to verify unfamiliar senders or question urgent calls to action can encourage them to think twice before clicking. Additionally, providing examples of phishing emails that use scarcity tactics can empower individuals to recognise and report suspicious messages.
Finally, it is crucial to foster an environment where people feel comfortable asking questions or reporting concerns. Real-time nudges—such as alerts for potentially risky emails—can further reinforce secure behaviours. By increasing familiarity with common scams and building awareness, we can empower consumers to shop confidently and safely during the holiday season.”
Darren Guccione, CEO and Co-Founder of Keeper Security:
“Black Friday kicks off the holiday shopping season, with retailers competing for online customers by offering enticing discounts. However, behind these tempting deals and flashy banners, cyber threats may be lurking. The wide array of offers by online shopping platforms can also attract cybercriminals looking to hack accounts, steal banking information or trick shoppers into clicking on malicious links. As tempting as a deal may be, it’s crucial to follow some important security measures to ensure a great find doesn’t turn into a digital nightmare.
- Choose Websites Carefully: With so many deals, it’s easy to click on the first link or the next ad seen on social media or your web browser. However, not all websites are equally secure. Stick to well-known retailers, research reputable brands and ensure that the URL starts with “https” to guarantee a minimum level of security.
- Update Devices: Cyber attacks often exploit vulnerabilities in outdated systems and applications. Make sure your phone, computer and all applications are up-to-date before shopping online. With the latest versions of an operating system and antivirus programs, online security is strengthened.
- Protect Passwords: Every online store requires its own account, but many people reuse the same passwords across different sites. This habit makes it easy for cybercriminals to infiltrate multiple accounts with one compromised credential. Use unique, complex passwords for each site, and, if possible, use a password manager to simplify management and enhance security.
- Use Secure Payment Methods: Online shopping requires sharing financial information. Choose payment methods that offer security, like credit cards or secure payment services such as PayPal. To prevent card information from being easily accessible, don’t save it directly on websites or browsers, and never share your financial information via email or messaging – even in the retailer’s chatbot feature.
- Be Cautious of Deals That Seem Too Good to Be True: Cybercriminals know how to leverage the excitement of the season by offering overly tempting deals. Be wary of unrealistic discounts or offers that pressure you with limited stock. If a website seems suspicious, verify the legitimacy of the offer through other channels before clicking on it.
- Enable Anti-Phishing Warnings: High shopping seasons are ideal for phishing attempts. To avoid falling into these traps, learn to recognise suspicious emails. Grammar mistakes, poorly reproduced logos or strange links can be red flags. If you receive an offer by email, don’t click immediately – visit the official website through a search engine instead.
- Avoid Public Wi-Fi: Free Wi-Fi is convenient but not secure. For safer shopping, use your home network or your mobile connection while you’re making purchases. Public networks could expose your sensitive data to hackers who monitor user traffic.”
Jasmine Eskenzi, Founder and CEO of The Zensory, says:
“With Black Friday imminent, many of us may be planning to peruse the latest deals online. But with time pressures (one day only!) and emotive language (unmissable deals!) hidden within marketing materials and ‘across the whole site’, many of us may be put in a position where we feel pressured to make purchases that we may otherwise have not made. But why? And how can we make more conscious purchasing decisions this Black Friday and Cyber Monday?
The Psychology of Stress:
When we’re presented with ‘urgent’ decisions (like an ‘unmissable’ deal written in big red letters), our minds enter a state of stress. This leads us to something called ‘amygdala hijack’. Ultimately, the stress response ‘hijacks’ the area responsible for our fight, flight and freeze response (the amygdala). When our amygdala is activated, this leads to decreased activity in our prefrontal cortex, the part of our brain responsible for attention, memory and focus, located at the front of the brain. So this means, when we’re under high stress, we actually struggle to think clearly, retain information, and our impulse, inhibition and cognitive functions are decreased. These techniques are also often used by hackers to trick victims into giving away sensitive information.
Tips:
- Take a breath: It sounds deceptively simple, but one way to get your brain out of ‘fight or flight’ mode is to take a deep breath. Breathe deeply into your belly and become mindful of your surroundings using your five senses (touch, sight, hearing, smell or taste). This is a grounding exercise.
- Be conscious of scams: In amongst the flashy deals will be cybercriminals looking to exploit unsuspecting victims. Phishing emails may look like they’re from a legitimate source, but they could be fake emails intending to steal credentials or money. Be mindful of the source an email comes from, hover over the email address, and don’t click any links if you’re unsure of their legitimacy (search directly).
- Ruminate on deals: Alongside taking breaths and practicing grounding exercises, remember that it’s okay to take a step back and revisit an offer later on, especially if it’s not something you were planning to buy (there’s always Cyber Monday, wink wink). By being more conscious about the things you’re buying, you save money and avoid making impulsive buys.”
Ben Hutchison, Associate Principal Security Consultant at Black Duck:
“Sadly, the old adage that ‘if it looks too good to be true, it usually is’, still holds true today, even during this time of year. Unfortunately, fantastic-sounding discounts that suddenly appear as emails, text messages, or ads while browsing may not be trustworthy and could compromise consumers’ details, devices, and information.
Consumers can minimise these risks by not replying to or clicking on any such offers, links, or adverts and should attempt to verify any deals by going to a more trustworthy source, such as the company’s website or store home page directly. Attackers may set up spoof versions of these legitimate websites, so users should always ask themselves if this is a domain/website address they recognise and not only rely on suggestions in search results. Users should also follow general cyber security hygiene techniques, such as ensuring their devices and browsers remain up to date. If in doubt about the legitimacy of a promotion, advert, or discount, users may want to consider contacting a sales or support representative via an alternative contact method obtained from a trusted location, or in the case of a local store/chain, users can physically visit the store and confirm if the promotions are legitimate.
Organizations can also take steps to mitigate such exploits from being successful if targeted against their employees/environment through defence in depth mechanisms and good security practices. These may include network segmentation, email security and scanning measures, link verification, DNS filtering, leveraging endpoint detection and response solutions, limiting code/file access and execution where practical.”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4:
AI-Generated Fake Reviews
AI has allowed scammers to flood product pages with well-written and convincing fake reviews of products. This can lead to boosted ratings of products which may not be of good quality, or may not even exist at all.
Tip: Look for verified purchase reviews and be wary of products with sudden spikes in positive feedback.
Deepfake Influencer Endorsements
We’ve seen criminals use deepfake technology to create fake video endorsements or promote get-rich-quick schemes. Be careful if you see your favorite influencer pushing a particular product, especially if it’s for a lesser-known brand.
Tip: Cross-reference endorsements on the influencer’s official social media accounts.
Erich Kron, Security Awareness Advocate at KnowBe4:
The simplified ability to create websites quickly and with little effort, either through the use of generative AI or even basic scripts, is allowing bad actors to quickly and easily create these stores at a large scale. The holiday season is a perfect time for bad actors to create these stores while people are caught up in the rush of shopping for loved ones and friends.
Research the organization you are looking to purchase from, with a focus on independent feedback about the seller, and the age of search engine results. If all of the results you get about the vendor are very recent, this could be a big red flag.
When making online purchases, wherever possible use a credit card rather than a debit card, as they tend to have better fraud protection for the consumer and the risk of having your bank account drained by an unscrupulous scammer that you gave your debit card to goes away.
If using an online payment provider such as PayPal, Cash App, Venmo, etc., make sure that you are using a service that provides protection to you. Scammers will often try to use the friends and family option or a service that does not provide fraud protection, so it’s critical to understand your options.