As consumers throughout India rush to do last-minute shopping for Diwali, retailers have good reason for concern. Amid the preparations for the fireworks, candle-lighting and family gatherings, a surge in online shopping – on Amazon, Snapdeal, Flipkart, CashKaro, and other popular ecommerce sites – at this time of year also means an increase in cyber security threats, as criminals plan to take advantage of the increase in e-commerce activity for their own malicious purposes.
A new report from Human Layer Security company Tessian highlights the fact that cyber attacks are at their worst around the holidays – when people searching for good deals are most likely to fall prey to a variety of attacks, including emails touting discounts that are used as lures in malicious scams.
For many retailers, it’s an ongoing challenge for their Security Operations Center (SOC) teams to secure the organization’s data, teams and processes effectively. With so much data being created, it’s difficult for security teams to mitigate the relevant security threats and reduce business risk.
Yet, the news isn’t all bad; there are clear ways to mitigate the risks: With appropriate education of employees, warnings for consumers, and an investment in the development of robust cyber security policies at the organizational level, you can improve your cyber security stance and protect your organization’s consumer data. Here are three important insights into what you can do to keep consumer data safe this holiday season:
With the Lights, Rangolis and Diyas of Diwali – Shine a Light on Malicious Activity Online
The Diwali season is a common time for cyber criminals to implement a range of brand impersonation attempts – malicious behaviors allowing them to steal consumer data. For example:
- Credit cards may be stolen or faked, leading to account takeover.
- Threat actors may try to breach your internal network, initiating malicious activities that put both your company and your customers at risk.
- Developers who set up independent websites for testing purposes can introduce vulnerabilities that lead to an attack.
There are many ways for malicious actors to steal information - the most common of which include:
- Spear-phishing attacks, or email messages that appear trustworthy but take customers to malicious sites, which install malware on vulnerable endpoints.
- Domain spoofing, or websites that look like legitimate ecommerce sites but are, in actuality, malicious pages designed to obtain consumer credit card details.
- A product picture that disguises a malware injection, so that a customer browsing an ecommerce site who clicks on the product ends up activating a malicious plugin.
We recommend carrying out a threat and exposure assessment - an exercise that proactively searches the clear, deep and dark web for targeted threats or exposures a malicious actor could exploit to compromise your critical infrastructure and sensitive information. This type of exercise seeks to find the information used in the reconnaissance stage of an attack, such as evidence of domain spoofing, phishing sites and exposed credentials, and then provides recommendations on mitigation. Ideally, this is an ongoing process that continuously feeds into your SOC and IT decisions.
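As an added example (not part of the original post or of CyberProof’s own tooling), the following Python script illustrates the domain-spoofing part of such an assessment: it screens a feed of observed domains against the retailer domains named in the post and flags look-alikes that differ by confusable characters, extra tokens, a typo, or use of the brand name as a subdomain. The brand allow-list, the homoglyph table and the sample feed are assumptions constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Allow-list of the retailer domains named in the post (constructed for this example).
BRAND_DOMAINS = ["amazon.in", "flipkart.com", "snapdeal.com", "cashkaro.com"]

# Constructed subset of Cyrillic homoglyphs and ASCII look-alike substitutions.
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x"})
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which visually confusable characters collapse."""
    d = unicodedata.normalize("NFKC", domain).translate(HOMOGLYPHS)
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def classify(candidate: str):
    """Return (verdict, brand) with verdict 'legitimate', 'lookalike' or 'unrelated'.
    Simplification: the registrable domain is taken as the last two labels and
    punycode (xn--) is not decoded; production code would use IDNA and a public-suffix list."""
    raw = candidate.lower().strip(".")
    for brand in BRAND_DOMAINS:
        if raw == brand or raw.endswith("." + brand):
            return "legitimate", brand
    norm = skeleton(raw)
    labels = norm.split(".")
    main = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in BRAND_DOMAINS:
        blabel = brand.split(".")[0]
        if norm == brand or norm.endswith("." + brand):
            return "lookalike", brand  # differs only by confusable characters
        if blabel in labels[:-2]:
            return "lookalike", brand  # brand name used as a subdomain of another domain
        if blabel in main and main != blabel:
            return "lookalike", brand  # brand name padded with extra tokens
        if SequenceMatcher(None, main, blabel).ratio() >= 0.8:
            return "lookalike", brand  # typosquat within a character or two
    return "unrelated", None


def find_lookalikes(candidates):
    """Filter a feed of observed domains down to those impersonating a brand."""
    return [(c, classify(c)[1]) for c in candidates if classify(c)[0] == "lookalike"]


# Constructed sample feed (e.g. newly registered domains or certificate-transparency hits).
OBSERVED = ["www.amazon.in", "amaz0n.in", "flipkart-diwali-offers.com",
            "snapdeal.com.verify-account.xyz", "flipkrat.com", "example.org"]
```

Calling `find_lookalikes(OBSERVED)` returns the five impersonating entries with the brand each one targets; the legitimate and unrelated domains are dropped.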
Bring in the Blessings of the New Year – by Helping Consumers Protect Themselves Online
Encourage customers to make smart decisions using basic data hygiene and security steps when shopping online this Diwali season, for example:
- Avoiding public Wi-Fi – Do not type in personal details or credit card information while connected to a public Wi-Fi network.
- Making purchases on well-known sites – Look carefully at a website before making a purchase to ensure you’re buying from a reputable vendor. Make sure the domain name of a website is written accurately - and that you don’t see any obvious misspellings. Check that the logo on a site is the original logo.
- Looking for the HTTPS prefix and padlock icon – Websites with TLS/SSL certificates are safer, as they encrypt the information you enter. Moreover, if you click on the padlock icon, you can see the identity of the website owner – and who issued the certificate.
- Checking that a website asks for a CVV code – Because CVV codes help to verify the user of a credit card, they reduce the risk of credit card fraud. If a site does not ask for a CVV code, it’s best to do your shopping elsewhere.
Moreover, customers can spot malicious activities themselves and avoid falling into the traps laid by threat actors if they know what to look for. Emails that have a sense of urgency or panic (“Buy now before the deal runs out!”), spelling and grammatical mistakes in the email or website address or content, and requests to provide confidential information or open an attachment are all “red flags.”
Before You Enjoy the Fireworks, Implement Strong Processes to Protect Your Organization
You can mitigate the risk of cyber security attack by adopting processes that protect the consumer data collected by your organization, including:
- Threat-centric vulnerability and penetration testing – Traditional vulnerability scanning lacks the external intelligence required to focus on those exposures or vulnerabilities that can be exploited in the wild. This is why organizations need to have a threat-centric approach that:
- Discovers and collects infrastructure and asset vulnerability information
- Prioritizes those vulnerabilities by correlating against external vulnerability intelligence
- Validates that these vulnerabilities would impact your critical assets through attack path simulations
- Remediates these high-risk vulnerabilities through changes to configurations, policies or SOC content
- Multi-factor Authentication (MFA) and password updates – The risk of breach is significantly mitigated when an organization uses MFA on every system. Moreover, you can further reduce the risk by forcing users to update their passwords regularly – and by ensuring that they choose passwords that are strong and complex.
In the Run-Up to the Upcoming “Festival of Lights” - Invest in Protecting Consumer Data This Year
With Diwali symbolizing the victory of light over darkness and good over evil, it’s the perfect time to invest in improving your defenses against the “dark side.”
The unfortunate truth is that, together with the delicious samosas and deep-fried puris, the high level of ecommerce activity leading up to Diwali brings a marked increase in the number of cyber attacks. Retailers can avoid costly cyber attacks by being informed and taking the necessary preventative actions.
As retailers, the new year is a time for evaluation and assessment – a chance to redirect efforts at the organizational level. By working with an advanced Managed Security Services Provider (MSSP) such as CyberProof, you can take steps to improve your organization’s cyber security stance and protect consumer data.
As we approach this festival full of light, the CyberProof team wishes you and yours a very happy Diwali!
Contact us to learn more about how we can help your organization mitigate the risk of attack.