As the virtual doors of e-commerce swing open for a weekend bookended by Black Friday and Cyber Monday deals and discounts, the bustling online market provides many avenues for phishing attacks, emails scams, malicious websites, and more. Even vigilant shoppers are more vulnerable during this time of year as it is an opportune time for credit card fraud and identity theft, which adds another layer of risk.
For businesses, the holiday season means security teams have to step up their vigilance in an effort to counter fraudsters and protect both the business and customers.
This blog post delves into the most common cyber threats that emerge during the holiday rush and provides useful tips to help both shoppers and businesses ensure a safe and secure holiday online experience.
Holiday-Based Threats in the eCommerce Landscape
Ahead of the festive season, authorities are already cautioning eager bargain hunters about the risks that come with shopping online.
The National Cyber Security Centre (NCSC), part of the UK’s intelligence agency, warned that cybercriminals this year may leverage AI technology to create more convincing scam content, malicious adverts, and spoofed websites.
Similarly, the Canadian RCMP have also sent out cybersecurity tips for a safer holiday season, offering ways people can protect their personal and financial information while buying online.
The FBI and CISA this year released a cybersecurity advisory urging businesses to stay vigilant against the spike of ransomware campaigns that occur during holidays and long weekends when offices are usually closed or operating with a leaner workforce. Threat actors continue to leverage widely-celebrated holidays to get a head start on conducting impactful attacks.
Top Scams to Watch Out for This Cyber Week
Cyber Week, the shopping period made up of Thanksgiving, Black Friday, Small Business Saturday, and Cyber Monday, broke eCommerce records last year. On Cyber Monday only, consumers drove $11.3 billion in online sales and a whopping $35.3 billion in total for the entire holiday season. According to reports, mobile shopping, buy-now-pay-later incentives, curbside pickup, and discounts in the face of growing global inflation all contributed to the skyrocketing shopping rates.
While online retailers continue to make bank during Cyber Week, businesses and shoppers alike are increasingly impacted by cyber attackers all waiting for the biggest online shopping events of the year. Here are the most commonly used threat tactics and how to guard against them.
Email Scams & Social Engineering
Email phishing scams are a prevalent threat, involving deceptive messages that appear as legitimate promotional offers or urgent notifications. These are designed to trick recipients into revealing sensitive information or tempt them into downloading malware. Social engineering plays a pivotal role, manipulating shoppers to divulge personal details or click on malicious links.
Email scams often involve gift card fraud with scammers coercing victims to purchase gift cards under the guise of resolving issues, subsequently taking off with the funds. Fake order confirmations are also common during the holiday season, often including convincing logos and graphics to trick shoppers into clicking on malicious links thinking they are contacting customer support to dispute the non-existent purchase.
Social media platforms are also breeding grounds for scams during Cyber Week, with fake advertisements, pyramid schemes disguised as gift exchange games, and too-good-to-be-true deals leading users to spoofed websites.
How To Stay Safe
To safeguard against these threats, vigilance and good cyber hygiene are prerequisites:
- Operate with caution as a default – Verify incoming emails and messages and avoid clicking on suspicious links. Check that the sender’s email address is correct, look for official branding, and be aware of the tone of the message.
- Don’t rush to respond – Scammers like to send fake confirmations for expensive goods or services, or claim the recipient has been or will be charged for something they never ordered. The ploy is to instill a sense of urgency and encourage the intended victim to click a malicious link. For any unexpected communication that implies some form of payment is due or forthcoming, verify its legitimacy through official channels rather than relying solely on email notifications.
- Be wary of gift card scams – When confronted with requests for gift card purchases, check the request through a trusted source.
- Inform and stay informed – Knowledge is power, and in a connected world, we are all part of the solution. Keep up to date with blogs and social media accounts from state and local authorities, which often post warnings and spikes, and share with others. The more people are aware of scams the less successful they are.
- Report suspicious activities – If you think you may have fallen victim to a scam, it’s important both to report it to relevant authorities and organizations such as your employer or your bank and to take action quickly. Reset passwords where necessary and enable multi-factor authentication (MFA).
Spoofed Websites, Malvertising & E-Skimming
Major Cyber Week discounts create a prime hunting ground for threat actors employing sophisticated techniques such as spoofed websites, malvertising, and e-skimming to exploit unsuspecting shoppers.
Spoofed websites mimic legitimate online retailers, leading users to unwittingly share personal and financial information. Malvertising infiltrates legitimate advertising networks, placing malicious ads on seemingly trustworthy websites and compromising the user’s device upon interaction. E-skimming involves the malicious injection of code into online payment forms, enabling cybercriminals to intercept and steal sensitive payment information during transactions.
How To Stay Safe
To shield against these threats:
- Double-check website URLs – Does that website address look correct? Check for legitimacy, ensuring web addresses match the official domain of the retailer.
- Ensure a vendor has secure payment methods in place – Don’t enter personal or financial information in web forms that are not clearly secure. Check that the URL of the site is prefixed with “HTTPS” and look for trust seals or security badges, including those from SSL certificate providers and payment processes. Also, reputable online vendors typically offer a variety of secure payment options. Look for familiar and trusted payment methods such as credit cards, PayPal, or other well-known processors.
- Consider payment options carefully – Use credit cards or pre-paid credit or debit cards to purchase items. Avoid paying by bank transfer as money sent this way is unrecoverable.
- Block the spam – Install reputable ad blockers to mitigate the risks of malvertising, blocking potentially harmful ads.
Credit Card & Identity Fraud
Threat actors take advantage of the hustle and bustle of the holiday period to steal credit card details and digital identities. Credit card fraud involves the unauthorized use of credit card information for illicit transactions, often through compromised online platforms. Identity fraud, on the other hand, entails the theft of personal information to impersonate individuals for fraudulent activities.
The malware intercepts and captures user input, such as credit card information entered during online transactions, without the knowledge of the website owner or the unsuspecting users. The harvested data is then exfiltrated to remote servers controlled by cybercriminals, who can exploit it for various fraudulent activities, including unauthorized transactions and identity theft.
How to Stay Safe
To protect against credit card and identify fraud:
- Use secure and reputable payment methods – Prepaid credit cards, gift vouchers or gift cards, PayPal, Apple Pay, Google Pay, or Amazon Pay reduce the need to share bank details directly when making online purchases.
- Use retailer apps where available – Many reputable retailers have their own apps allowing users to shop and pay directly through the mobile app.
- Monitor bank statements regularly – Be alert for suspicious transactions and set up transaction alerts that can aid in early detection of unauthorized activity.
- Be cautious about sharing personal information – Only provide personal information to trusted and verified sources.
- Implement strong, unique passwords – never reuse passwords and use a password manager to test password strength. Make sure passwords aren’t simple variations on common phrases.
- Develop situational awareness – Refrain from using public Wi-Fi for financial transactions, or typing sensitive passwords in public places, such as cafes, bars and restaurants that may be over-looked by CCTV.
Protecting Online Shoppers | What eRetailers Can Do
As the digital marketplace intensifies during events like Black Friday or Cyber Monday, eCommerce retailers will look to fortify their websites and enhance their cybersecurity posture to ensure the safety of their online shoppers. While security measures are a year-round endeavor, business leaders and security teams can use the following checklist to do a routine check on their systems ahead of the holiday rush.
- Ensure data security – Robust encryption protocols, such as Transport Layer Security (TLS), Perfect Forward Secrecy (PFS), or HTTP Strict Transport Security (HSTS), helps secure data transmitted between users and the website.
- Review and respond – Threat actors change tactics frequently and rapidly, and new software bugs are quickly exploited. Regular security audits and vulnerability assessments can identify and patch potential weaknesses in the website’s infrastructure, blocking potential entry points for cyber attackers.
- Leverage modern defenses – eCommerce businesses should invest in advanced firewalls, intrusion detection systems (IDSs), and monitoring solutions to detect and prevent unauthorized access or malicious activities.
- ‘Patch early, patch often’ is still good advice – Keeping software, plugins, and third-party integrations up to date is crucial to minimize the risk of exploitation by cyber threats.
- Develop a culture of awareness – Regular employee training on cybersecurity best practices, including recognizing and avoiding phishing attempts, contributes to a more vigilant workforce.
- Guard the tradesman’s entrance – Carefully vet and monitor third-party vendors, ensuring that they adhere to strict security standards and are also ready for the holiday season.
- Prepare for the rush – Ahead of the sales season, load testing and performance monitoring are essential to ensure that the website can handle increased traffic without compromising security.
- Know how to react – A robust incident response plan (IRP) should also be in place, detailing the mitigation steps and communication plans to be followed in the event of a breach.
From email scams and social engineering to spoofed websites and malvertising, the eCommerce landscape is rife with potential threats, especially during the most festive time of year. The surge in online activities, especially during Cyber Week, attracts not only eager shoppers but also opportunistic cyber threat actors aiming to exploit the spike in traffic.
For businesses, fortifying endpoint security involves implementing advanced detection and monitoring solutions, regularly updating software, and enforcing strict access controls. Protecting sensitive data demands comprehensive identity security measures, including MFA and user behavior analytics.
Shoppers, too, play a pivotal role in their own online safety. Utilizing secure and updated devices, being wary of phishing attempts, and ensuring secure connections during transactions are essential for the upcoming long weekend. Adopting strong, unique passwords for each online account and enabling MFA adds an extra layer of defense against unauthorized access. Regularly monitoring bank statements for suspicious transactions is a proactive step that can help detect and mitigate potential fraud.
Businesses strengthening their platforms this season rely on SentinelOne’s AI-powered security platform to defend against today’s most advanced threats. Covering multiple attack surfaces, learn more about the market’s leading cybersecurity solution by contacting us today or booking a demo.