It’s been an upside-down year where none of the old rules seem to apply – even to Christmas shopping. For retailers, this year’s holiday season is starting earlier than ever and is expected to include a record number of e-commerce transactions, in what Gartner terms “a digital-first 2020 holiday season” – as COVID-19 prompts people all around the globe to do practically all of their holiday shopping online.
Perhaps not surprisingly, cyber criminals are planning to take advantage of this for their own nasty purposes. Cyber security threats are expected to be on the rise over the holiday season – with threat actors intending to lure online shoppers to malicious websites or find new ways to exploit e-commerce vulnerabilities.
Top Cyber Security Threats Used by Hackers to Snare Online Shoppers
Threat actors use a wide range of tactics to “hijack” shoppers and steal their credentials. Here are some of the most common cyber security threats used to trick consumers online:
- Spearphishing attacks – Let’s say a potential customer receives a message with a gift card or promo code that advertises great deals on a popular e-commerce site. The message encourages consumers to hand over their personal details in exchange for the card or code. The message looks trustworthy, but it takes the customer to a malicious site that leads to the installation of malware on vulnerable endpoints. Note that this type of attack is not only sent by email; it can also use smishing (SMS messages) and vishing (voice calls).
- Domain spoofing – This refers to websites that look like popular e-commerce sites but are actually malicious sites masquerading as legitimate online stores. They often have domain names that are slightly misspelled. Consumers think they are making purchases from a legitimate source, but in reality they have been lured onto a malicious site built to steal their credentials.
- Customer journey hacking – In this case, a potential customer starts out on a legitimate e-commerce site but ends up on a malicious site. Here’s how it works: customers browsing their favorite sites click on a picture of a product. So far, so good, right? But sometimes that product image is actually injected malicious code, disguised as an advertisement or even as a chatbox plugin. (Yes, that’s right: a chatbox isn’t always a chatbot. In some cases, what looks like a chatbot is a malicious plugin that was injected into a legitimate website.)
The bottom line is that due to the effective brand impersonation attempts of threat actors, customers are not always aware that the link they clicked is taking them to a malicious site.
Malicious Actors Target Retailers During the Holiday Season
In the retail industry, there’s a particular problem with fraud and insider threats because retailers typically have unusually high employee turnover. The industry generally relies on seasonal workers, and there’s also a heavy dependence on third parties for key business operations that can’t be staffed at each retail location. All of these factors raise the chances of a retailer being breached.
During the holiday season in particular, retailers need to watch out for direct attacks and malicious behavior targeting consumer data. Common cyber criminal tactics include:
- Account takeover – Threat actors use stolen or fake credit cards, or compromised credentials, to buy goods from a legitimate vendor.
- Breach – Threat actors find ways to access the internal network of a legitimate retailer and initiate fraudulent activities, posing a threat to both the company and the consumers.
- Application testing websites – Retailers typically work with a large number of developers, who often set up independent websites for testing purposes, and such sites can serve as a weak point. Unprotected test sites raise GDPR compliance issues, and they can also create vulnerabilities that open a company up to attack.
How Retailers Can Help Consumers Identify Malicious Activities
Retailers can help consumers avoid falling for malicious lures by sharing key information about how to spot suspicious messages and websites, i.e., teaching them to notice the traits that ought to raise a “red flag.” Consumers who learn what to look for can frequently spot the following warning signs:
- Unexpected requests
- Messages with a sense of urgency or panic
- Content littered with spelling and grammar errors
- Spoofed or misspelled email addresses or website addresses
- Requests to fill in a form, click a link to a site, or open an attachment
- Requests to pay an invoice or make a purchase
- Requests to reply with confidential information
Online Shopping – “Best Practices”
By offering tips, retailers can help educate consumers on basic data hygiene and security steps. You can encourage consumers to stay safe by following these guidelines when making online purchases:
- Buy from reputable vendors. Online shoppers should make sure that the domain name of a website is correct, and check if there are any misspellings of a company name or its well-known domain name. In addition, it’s important to have a good look at the appearance of the website. Check that the website’s logo is actually the original logo, and that there are no flaws or misconfigurations in it.
- Check that the site URL begins with HTTPS. If a special deal can be redeemed only through a specific link attached to a social media post or email, customers should learn to check the site’s certificate. Websites with an SSL/TLS certificate have an address that starts with HTTPS and show a padlock icon in the address bar, which indicates that information you enter on that site is encrypted in transit. You can click on the padlock to view details, such as the website owner’s identity and the certificate authority that issued the certificate.
- Be careful when making a payment. Online shoppers using credit cards should check that websites request the three-digit CVV card security code. The CVV code helps verify that you are the one using your card, because nobody other than you should know it. In essence, asking for a CVV code is a means of reducing the risk of credit card fraud. It should be viewed as a good sign when a site requires you to enter a CVV code; it indicates that the company running the site is working to prevent fraudulent transactions.
- Don’t use public WiFi networks when shopping online. When online shoppers use public WiFi while making purchases, they expose their laptops (and their credit card details) to an increased risk of attack. You can mitigate the risk by using a VPN or turning off file sharing.
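The domain-spelling and HTTPS checks above can be automated, for example in a retailer’s link-scanning or consumer-facing “is this our site?” tool. The following is an added example, not code from the original post: it compares a link’s host against a constructed allow-list (example-store.com is an assumed placeholder), normalizes common look-alike characters, and flags misspelled copies, brand names buried as subdomains of another domain, punycode labels and missing HTTPS. Note that HTTPS is only treated as one signal; a valid certificate never proves a site is legitimate.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the retailer's own domains (assumption: a real deployment
# would load the retailer's registered domains here).
KNOWN_GOOD = ("example-store.com",)

# Visual substitutions commonly seen in misspelled look-alike domains (non-exhaustive).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalize(host: str) -> str:
    """Map look-alike characters to the letters they imitate."""
    host = host.lower().translate(CONFUSABLE_CHARS)
    for pair, letter in CONFUSABLE_PAIRS:
        host = host.replace(pair, letter)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_url(url: str) -> dict:
    """Classify one shop link as known-good, suspicious or unknown, with reasons."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")        # no encrypted transport / padlock
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")   # internationalized label can hide homoglyphs
    # A subdomain of the retailer's own registrable domain is under the retailer's control.
    if any(host == g or host.endswith("." + g) for g in KNOWN_GOOD):
        return {"host": host, "verdict": "known-good", "findings": findings}
    for good in KNOWN_GOOD:
        # Brand domain reused as a subdomain of some other registrable domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            findings.append(f"brand-as-subdomain:{good}")
        # Slightly misspelled copy of the brand domain (after confusable normalization).
        dist = edit_distance(normalize(host), normalize(good))
        if dist <= 2:
            findings.append(f"lookalike-of:{good}:distance={dist}")
    verdict = "suspicious" if findings else "unknown"
    return {"host": host, "verdict": verdict, "findings": findings}
```

An "unknown" verdict only means the host is not close to the allow-list; it is not a statement that the site is safe.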
Take the Necessary Steps to Protect Your Organization’s Consumer Data
It’s not just about modifying consumer behavior. This holiday season, every retailer should take some basic steps to keep consumer data safe. This is particularly important since, due to COVID-19, so many IT and business teams are working remotely, and it’s critical to have strong processes in place. Some fundamentals include:
- MFA: Use multi-factor authentication on every service, so that credentials leaked in a breach cannot be used on their own to log in.
- Passwords: Change passwords regularly to avoid the use of credentials that have already been compromised. Make sure that passwords are strong and complex.
- Cooperation and communication: Be sure your credit card provider will notify you, for example, if any irregular transactions take place.
From a more global perspective, optimizing monitoring processes and implementing automated vulnerability and penetration testing are also key to mitigating the risk to an organization.
By taking the time to address these and other key issues related to consumer data protection, retailers can go a long way toward alleviating the risks posed to online shoppers by cyber security threats – throughout this holiday season.