Escaping the fraudster’s paradise this Black Friday
Experts share their best tips to duck and weave fraudsters’ Black Friday traps
Black Friday and Cyber Monday are the world’s most significant shopping events. Occurring every year, they attract billions of consumers with miraculous deals, from the latest gaming systems to spa weekends. In the UK alone, spending is expected to reach £3 billion over the weekend.
Given the need to keep pace with the ever-changing wants and needs of consumers, retailers are constantly finding new ways to engage with them. While this provides never-before-seen digital experiences, it also opens the door to various new opportunities for fraudsters to try and exploit. As a result, Black Friday and Cyber Monday attract a swathe of fraudsters armed with the latest technologies to trick you into parting with your Christmas cash. Luckily, there are experts working day and night to help safeguard consumers and retailers against malicious actors.
Trust: an important asset
During peak demand periods like the one around Black Friday and Cyber Monday, malicious actors’ preferred mode of attack is a social engineering campaign, usually in the form of phishing emails that show remarkable offers. “The goal is to deceive victims into divulging sensitive information, such as credit card details and personally identifiable data”, says Vlad, Threat Intelligence Analyst, Searchlight Cyber. “One prevalent tactic is malvertising, which targets bargain-hunting customers. These unsuspecting users may end up with their devices infected while seeking a good deal. This emphasises how crucial it is for customers to shop online with extra caution over the holidays. Shops imitating reputable products and adverts directing them to questionable websites should be avoided.”
David Warburton, Director at F5, agrees. “One of the best ways consumers can protect themselves from these risks is to ensure they visit a brand’s official website and check if the promotions coincide with what was advertised on the email.”
It is important to understand that not everything that looks safe is indeed safe. “Consumers should recognise that the security padlock and ‘http’ in a web address are not signs of security”, Warburton advises. “In fact, it is common for most phishing websites to have both, with the aim to provide a false sense of security to consumers who don’t pay too much attention to a website’s name. Consumers need to stay vigilant this Black Friday to avoid being scammed.”
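The advice above, judging a link by the website's name rather than by the padlock, can be written as a check. This is an added example, not code from the article or from F5; the domain `shop.example` and the sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the retailer's official domain is known independently
# (a bookmark, a receipt), never copied from the email being checked.
OFFICIAL_DOMAIN = "shop.example"

def host_of(url):
    """Hostname the browser would actually connect to, lowercased."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_official(url, official=OFFICIAL_DOMAIN):
    """True only for the official domain or a genuine subdomain of it."""
    host = host_of(url)
    return host == official or host.endswith("." + official)

def assess(url):
    """Return the reasons a link should not be trusted (empty list = none found)."""
    parts = urlsplit(url)
    host = host_of(url)
    reasons = []
    if not is_official(url):
        reasons.append("host %s is not under %s" % (host, OFFICIAL_DOMAIN))
    if parts.username is not None:
        reasons.append("text before '@' is not the site name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label can render as a lookalike name")
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    return reasons

# Constructed sample links; every lookalike below uses HTTPS and would show a padlock.
SAMPLES = [
    "https://www.shop.example/black-friday",   # genuine subdomain
    "https://shop.example.deals.test/offer",   # brand name used as a subdomain
    "https://myshop.example/offer",            # brand name as a suffix of another name
    "https://shop.example@deals.test/offer",   # brand name placed before '@'
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess(url) or "no issue found")
```
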
Retailers are responsible for protecting customers against fraudsters
Consumers are not completely naïve and oblivious to the rise of cyber threats, in both quantity and complexity. NCSC research shows that seven in 10 British people worry that AI will make it easier for criminals to commit online fraud. Retailers have the responsibility to protect them from this.
The most obvious way for businesses to protect consumers is to introduce strong security measures, such as Multi-Factor Authentication (MFA). Research conducted by Ping Identity found that half of consumers report that tools like MFA make them feel more protected against fraud, something ecommerce companies have already taken note of and are continuing to implement.
Hickey argues, “Businesses today have to ensure security measures are not only robust, but user-friendly, avoiding the imposition of burdens upon users and addressing potential pitfalls for human error via the introduction of tools such as MFA.”
“Modern authentication solutions, like passwordless or MFA, in the customer log-in and purchase process will ensure the safety of customers’ identifiable data,” adds Matthew Berzinski, Senior Director, Ping Identity. “During busy shopping periods and beyond, this extra layer of security could lead to increased revenue, satisfaction and brand loyalty as consumers trust the retailers.”
Ian McShane, VP of MDR at Arctic Wolf, agrees, “The key opportunity for those creating well-crafted scams is that many of us reuse the same password across personal and business-related sites. Even more risk is added when people use their work email addresses as account credentials, meaning, if they fall for one scam, it’s not only their personal account credentials at risk, but the credentials for everything which uses that password.”
He adds, “Businesses can help guard their employees’ personal and business credentials by encouraging the use of password managers and multifactor authentication, not just for work but for all online accounts.”
Enhancing security measures as a priority
Savvy attackers are always looking for ways to install malware or collect customers’ confidential payment details and data. “An added seasonal gift is when they are also given the opportunity to infiltrate the networks of people using corporate devices to shop, because even one compromised business credential on one employee device can lead to costly business damage and disruption to their employer,” explains David Higgins, Director of the Field Technology Office at CyberArk. “Robust identity security is crucial to stop Black Friday being the gift that keeps on giving for attackers, preventing sensitive data loss and service disruptions”.
Higgins insists that the only way for businesses to build and maintain trust from customers is “to prioritise the enhancement of security procedures, confirming identities and validating participant credentials before any online interaction.”
Data and automation also have a role to play
Ryan Sheldrake, Field CTO EMEA at Lacework, believes the best way for young companies in the retail sector to tackle key dates like Black Friday and the demand surges that accompany them is to embrace data and automation. “It is the only way to keep pace and ensure their environment moves around to meet demand and control risk during the busiest traffic week of the year. Cloud asset data can be used for preventative controls and misconfiguration detection (CSPM), arguably one of the most significant threats whilst leveraging public cloud, as many retailers do.”
But this is not enough. “On top of this, retailers must deploy threat detection in runtime, as the systems processing transactions and taking users’ card details and addresses must be secure. It’s not enough to merely deploy misconfiguration detection. If, for example, an access key is compromised, CSPM will not detect this. The damage radius needs to be quantified, put in context, triaged, and remediated as rapidly as possible.”
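The gap described above, a clean misconfiguration scan while a compromised access key is in use, is shown below as an added example that is not from the article or from Lacework. The configuration snapshot, the event fields and the key name are all constructed and follow no cloud provider's schema.

```python
from collections import defaultdict

# Constructed configuration snapshot: what a posture (CSPM-style) scan sees.
CONFIG = {
    "buckets": [{"name": "orders", "public": False, "encrypted": True}],
    "access_keys": [{"id": "KEY-CHECKOUT", "age_days": 20}],
}
# Constructed audit events with hypothetical field names: what runtime detection sees.
EVENTS = [
    {"key": "KEY-CHECKOUT", "src": "10.0.1.5", "action": "GetObject", "hour": 1},
    {"key": "KEY-CHECKOUT", "src": "10.0.1.5", "action": "PutObject", "hour": 2},
    {"key": "KEY-CHECKOUT", "src": "10.0.1.6", "action": "GetObject", "hour": 3},
    {"key": "KEY-CHECKOUT", "src": "203.0.113.9", "action": "ListBuckets", "hour": 30},
    {"key": "KEY-CHECKOUT", "src": "203.0.113.9", "action": "GetObject", "hour": 30},
]

def posture_findings(config, max_key_age=90):
    """Static checks: they see settings, not who is using a key."""
    out = []
    for bucket in config["buckets"]:
        if bucket["public"] or not bucket["encrypted"]:
            out.append("bucket:" + bucket["name"])
    for access_key in config["access_keys"]:
        if access_key["age_days"] > max_key_age:
            out.append("key-age:" + access_key["id"])
    return out

def runtime_findings(events, baseline_hours=24):
    """Flag key use from a source or with an action absent from the baseline window."""
    seen_src = defaultdict(set)
    seen_act = defaultdict(set)
    alerts = []
    for event in sorted(events, key=lambda e: e["hour"]):
        key = event["key"]
        if event["hour"] <= baseline_hours:
            seen_src[key].add(event["src"])
            seen_act[key].add(event["action"])
            continue
        new = []
        if event["src"] not in seen_src[key]:
            new.append("new source " + event["src"])
        if event["action"] not in seen_act[key]:
            new.append("new action " + event["action"])
        if new:
            alerts.append((key, event["hour"], new))
    return alerts

if __name__ == "__main__":
    print(posture_findings(CONFIG), runtime_findings(EVENTS))
```
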
Fail to prevent, prepare for an event
As the digital retail experience continues to evolve, businesses and consumers must ensure they are on the highest alert for the latest scam techniques. It is up to both sides to keep themselves and one another as safe as possible when interacting with online events like Black Friday. Fortunately, myriad tools are in place to ensure that keeping safe is possible. However, it takes the buy-in from both parties to ensure that safety becomes a reality.
Matt Berzinski – Ping Identity
Ian McShane – Arctic Wolf
Ryan Sheldrake – Lacework
David Warburton – F5
David Higgins – CyberArk