This week marks Black Friday 2024! As the popularity of this event has skyrocketed in recent years, so have the cyber risks involved in buying and selling products. In the first of two articles, we have gathered some insights from cybersecurity experts who have their say on Black Friday, from the threats faced by consumers and vendors, to the best practices advised to stay safe.
Paul Bischoff, Consumer Privacy Advocate at Comparitech:
“Black Friday is one of the biggest shopping events of the year, offering consumers massive discounts and deals in stores and online. While it’s an excellent opportunity to snag bargains, it’s also a prime time for scammers to exploit eager shoppers. Identifying and avoiding these scams can save you from financial loss and keep your personal information secure.
Last year alone, consumers lost over $8.8 billion to online fraud, according to the Federal Trade Commission. Scam attempts always spike around Black Friday and Cyber Monday. But don’t worry – we’ll show you exactly how to spot these tricks and shop safely.
To protect yourself this Black Friday, you should be watching out for those too-good-to-be-true emails. For example, emails titled “90% OFF EVERYTHING!” from what looks like Amazon or Best Buy. The email appears perfect, down to the logo and formatting. But here’s the catch: clicking that “amazing deal” link could lead you to a fake website that steals your credit card information. In fact, according to Target’s security team, scammers frequently create fake Target websites during Black Friday, often using similar-looking domain names and copied logos to trick shoppers. The FTC reports that retail impersonation scams increase 75% during the holiday shopping season. Shoppers can protect themselves by following these steps:
- Hover over (don’t click!) email links to preview the real URL
- Look for spelling mistakes or unusual sender addresses (like [email protected])
- Type the store’s web address directly into your browser instead of clicking email links
Consumers also need to watch out for social media shopping traps. Social media platforms are flooded with fake stores during Black Friday, and many disappear after collecting payments. A few warning signs to take into consideration are brand new accounts with no customer reviews, prices that seem impossibly low, poor-quality product photos and pressure tactics such as “Only 2 left!” or “Offer expires in 10 minutes!”.
Also, during Black Friday, scammers flood the market with discounted gift card offers that would race any bargain hunter’s heart. But here’s the harsh truth: according to the FBI’s Internet Crime Report, gift card scams cost Americans over $148 million last year alone. A few smart shopping tips for consumers are:
- Only buy gift cards directly from authorized retailers
- Never purchase “discounted” gift cards from individuals online
- Check gift card balances immediately after purchase
- Keep your receipt until you’re sure the card works
- Never send gift cards in the mail”
Jamie Beckland, CPO at APIContext:
“With Black Friday just around the corner, e-commerce teams should be ready for anything. Load testing is common to ensure infrastructure can handle increased shopper traffic, but many overlook the threat of API misuse, which can open the door to bulk order abuse.
APIs run every part of the e-commerce stack, enabling seamless interactions between front-end systems, payment gateways, inventory management, and third-party integrations. However, poorly secured APIs can be exploited by malicious actors to execute bulk order scams—leveraging automation to exploit pricing errors, bypass purchase limits, or stockpile items meant for individual customers. These exploits are targeted and malicious, and often leverage the same APIs that power customer experiences.
To mitigate these risks, vendors should implement robust security measures such as rate limiting, authentication mechanisms like OAuth, and anomaly detection to identify unusual purchasing patterns. Regular audits and penetration testing can also help identify vulnerabilities before they’re exploited. By addressing API security proactively, businesses not only safeguard revenue but also ensure customer trust during the holiday rush. Black Friday should be a time for deals, not data breaches.”
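Beckland's mitigations above (rate limiting, enforced purchase limits, not trusting client-submitted prices, and anomaly detection on purchasing patterns) as an added example that is not APIContext's code and not part of the original article: a small server-side detector run over a constructed sample of order-API calls. The event shape, catalog values, thresholds and account names are all assumptions made for the illustration.

```python
"""Server-side checks against bulk-order abuse of an e-commerce order API.

Added example, not APIContext's or the article's own code. Assumes a constructed
event shape: one dict per POST /orders call with a timestamp in seconds, account,
source IP, SKU, quantity and the unit price the client submitted. All values are illustrative.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed catalog: the authoritative price and the per-customer purchase limit.
CATALOG = {
    "SKU-TV": {"price": 499.00, "limit": 2},   # doorbuster item, 2 per customer
    "SKU-HP": {"price": 199.00, "limit": 10},
}

# Constructed sample API events, not real traffic.
SAMPLE_EVENTS = [
    {"ts": 0,  "account": "alice", "ip": "198.51.100.7", "sku": "SKU-TV", "qty": 1, "unit_price": 499.00},
    {"ts": 5,  "account": "bob",   "ip": "198.51.100.8", "sku": "SKU-TV", "qty": 1, "unit_price": 499.00},
    {"ts": 10, "account": "bot01", "ip": "203.0.113.5",  "sku": "SKU-TV", "qty": 2, "unit_price": 499.00},
    {"ts": 11, "account": "bot01", "ip": "203.0.113.5",  "sku": "SKU-TV", "qty": 2, "unit_price": 499.00},
    {"ts": 12, "account": "bot02", "ip": "203.0.113.5",  "sku": "SKU-TV", "qty": 1, "unit_price": 4.99},
    {"ts": 13, "account": "bot03", "ip": "203.0.113.5",  "sku": "SKU-TV", "qty": 1, "unit_price": 499.00},
    {"ts": 14, "account": "bot04", "ip": "203.0.113.5",  "sku": "SKU-TV", "qty": 1, "unit_price": 499.00},
] + [
    {"ts": 20 + i, "account": "bot05", "ip": "203.0.113.9", "sku": "SKU-HP", "qty": 1, "unit_price": 199.00}
    for i in range(7)
]


@dataclass
class Limits:
    window_seconds: int = 60          # sliding window for per-account rate limiting
    max_requests_per_window: int = 5  # order calls allowed per account per window
    max_accounts_per_ip: int = 3      # distinct accounts ordering from one source IP


class OrderAbuseDetector:
    """Stateful checks applied to each order call, in arrival order."""

    def __init__(self, limits: Optional[Limits] = None):
        self.limits = limits or Limits()
        self.req_times = defaultdict(deque)         # account -> recent request timestamps
        self.qty_by_account_sku = defaultdict(int)  # (account, sku) -> cumulative quantity
        self.accounts_by_ip = defaultdict(set)      # ip -> accounts seen ordering from it

    def process(self, ev: dict) -> list:
        alerts = []
        lim = self.limits

        # 1. Sliding-window rate limit: flag bursts of order calls from one account.
        times = self.req_times[ev["account"]]
        while times and ev["ts"] - times[0] >= lim.window_seconds:
            times.popleft()
        if len(times) >= lim.max_requests_per_window:
            alerts.append("rate_limit")
        times.append(ev["ts"])

        # 2. Never trust a client-submitted price; compare it against the catalog.
        item = CATALOG[ev["sku"]]
        if ev["unit_price"] < item["price"]:
            alerts.append("price_tamper")

        # 3. Enforce the per-customer purchase limit cumulatively, not per request,
        #    so splitting a bulk order into many small orders does not bypass it.
        key = (ev["account"], ev["sku"])
        self.qty_by_account_sku[key] += ev["qty"]
        if self.qty_by_account_sku[key] > item["limit"]:
            alerts.append("purchase_limit")

        # 4. Anomaly signal: many distinct accounts ordering from a single IP.
        accounts = self.accounts_by_ip[ev["ip"]]
        accounts.add(ev["account"])
        if len(accounts) > lim.max_accounts_per_ip:
            alerts.append("account_fanout")

        return alerts


def run_detection(events, limits: Optional[Limits] = None) -> list:
    """Return (event index, alert code) pairs for every event that tripped a check."""
    det = OrderAbuseDetector(limits)
    hits = []
    for idx, ev in enumerate(events):
        for code in det.process(ev):
            hits.append((idx, code))
    return hits


if __name__ == "__main__":
    for idx, code in run_detection(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx:2d} ts={ev['ts']:3d} account={ev['account']:6s} ip={ev['ip']:13s} -> {code}")
```

Each check is cumulative state rather than a per-request test, which is the point: a purchase limit checked only against the quantity in a single request is trivially split into many requests, and a price taken from the request body rather than the catalog turns a pricing error into an exploitable one. In production these signals would feed a decision (block, step-up authentication, or review) rather than just a printed alert.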
Jamie Akhtar, Co-founder and CEO of CyberSmart:
“Black Friday offers bargains for savvy shoppers, but it also poses security risks for consumers and businesses alike. To illustrate what we mean, the UK alone saw losses exceeding £11.5 million due to online shopping scams between November 2023 and January 2024.
However, forewarned is forearmed, so here are some of cybercriminals’ top tactics for Black Friday scams.
Phishing Scams
While phishing scams are a year-round problem, the threat becomes particularly pronounced between Black Friday and Christmas. According to Bitdefender, 70% of Black Friday-themed spam emails in 2023 were identified as scams, revealing the scale of the problem.
Worse still, cybercriminals are increasingly using AI tools to create and distribute these scams, making them harder to identify.
Fake websites
Cybercriminals create imitation websites that closely resemble legitimate retailers. These sites often advertise unbelievable deals through search engines to lure shoppers into entering personal and payment information, leading to identity theft or financial loss.
Gift card frauds
Fraudulent schemes involving gift cards are another common tactic. Essentially, scammers sell fake or drained gift cards for large online retailers to victims.
Fake Order Confirmations
Scammers send emails or messages that mimic order confirmations for purchases that were never made. These communications often contain links to phishing sites or requests for personal or financial information.
Social Media Scams
We all remember the huge uptick in Facebook Messenger for Business scams during 2023, and cybercriminals use the same tactics to launch Black Friday scams. Scammers use social media to promote fake bargains or impersonate brands. Unfortunately, this is usually pretty successful; fraud losses climb by around 20% in the festive shopping season.
Delivery Scams
Scammers may send fake delivery notifications via email or text, prompting victims to provide personal information under the guise of confirming a delivery.
Transaction Failure Scams
Victims receive spam emails claiming that a recent transaction has failed, tricking them into providing sensitive information to resolve the issue.
Account Verification Scams
These scams involve messages asking users to verify their accounts due to suspicious activity, leading them to phishing sites designed to collect login credentials.
How to protect yourself/your business:
For consumers
- Always verify the legitimacy of websites before making purchases
- Be cautious of unsolicited emails and messages
- Use secure payment methods like credit cards instead of wire transfers
- Look for signs of counterfeit goods and check seller reviews
For businesses
- Provide staff with training on the dangers of Black Friday shopping
- Implement MFA across all company devices and applications (including personal devices being used for work)
- Where possible, dissuade staff from using company devices for shopping
- Put clear usage and security policies in place for employees
- Mandate VPN use for all staff, particularly those working remotely.”
Andrew Bolster, Senior Manager, Research and Development, Black Duck:
“One thing consumers should be more vigilant for is ‘astroturfing’ product reviews and testimonials. In past years, we typically trusted the experience and advice of our neighbours and peers, and recommendations were worth their weight in gold, but in the world of online retailing in the context of modern Large Language Models, shoppers need to be aware of retailers or suppliers using AI-generated synthetic reviews of their own products to drive sales. Shoppers should always take online reviews cautiously and with a grain of salt, and where possible, seek and share recommendations among friends and family.”
Thomas Richards, Principal Security Consultant, Black Duck:
“Consumers should be extra diligent this shopping season as we approach Black Friday and the holiday rush. With the number of breaches this year, a lot of consumer data is in the hands of malicious actors who can use it to craft very convincing messages via email and text. Consumers should be cautious when clicking links in emails that sound too good to be true. Yes, some holiday deals are very good, but that does not mean they all are. Always check the sending email address to be sure it matches the website of the company it is purporting to be from. If you receive an email from an online store that you don’t recognise offering amazing deals on hard-to-get items, it’s probably a scam. The best deals will mostly happen from established retailers or the company themselves.”
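The checks Bischoff (hover to reveal the real URL, inspect the sender address) and Richards (the sending address must match the company's website) recommend above, as an added example rather than code from the article, Comparitech or Black Duck: parse a constructed promotional email, extract the sender domain and each link's real target versus the URL shown as its visible text, and flag mismatches and near-miss lookalike hosts. The retailer domain shop.example, the lookalike sh0p.example and the message itself are constructed under reserved example names.

```python
"""Checks a shopper or a mail filter can run on a promotional email.

Added example, not Comparitech's, Black Duck's or the article's own code. Assumes the
retailer's real domain is known (constructed here as shop.example) and a raw message.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAINS = {"shop.example"}  # constructed: the retailer's legitimate domain

# Constructed phishing-style message: the sender domain and the link target both
# differ from the brand, and the link's visible text shows a different URL from its href.
RAW_EMAIL = """\
From: "Shop Deals" <deals@shop-deals.example>
To: shopper@example.org
Subject: 90% OFF EVERYTHING!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hurry! <a href="http://sh0p.example/deal">https://www.shop.example/blackfriday</a></p>
<p>Questions? <a href="https://www.shop.example/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs; the text is what the shopper sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.…' text is treated as a URL without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host: str, brand: str) -> bool:
    return host == brand or host.endswith("." + brand)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes of the brand domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_email(raw: str, brand_domains=BRAND_DOMAINS) -> list:
    """Return findings: sender domain mismatch, link text/href mismatch, lookalike host."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: the sending address must belong to the retailer's own domain.
    _, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2].lower()
    if not any(same_org(sender_host, b) for b in brand_domains):
        findings.append(f"sender_domain_mismatch:{sender_host}")

    # Check 2: the href is the real target that hovering reveals; compare it with
    # the URL shown as link text, and look for near-miss brand domains.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = host_of(href)
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != href_host:
            findings.append(f"link_text_mismatch:{href_host}")
        for b in brand_domains:
            if not same_org(href_host, b) and levenshtein(href_host, b) <= 2:
                findings.append(f"lookalike_domain:{href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(RAW_EMAIL):
        print(finding)
```

The edit-distance threshold is deliberately small so that unrelated domains are not flagged; it catches single-character swaps such as a digit for a letter, which is the pattern Bischoff's "spelling mistakes or unusual sender addresses" advice is aimed at. A subdomain of the real brand passes `same_org`, which is why the second, genuine link produces no finding.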