As the holiday season nears, retailers are gearing up for sales while cybercriminals sharpen their spears for phishing attacks on unsuspecting shoppers. Experts have detailed potential threats on this year’s Black Friday and Cyber Monday and advised shoppers on how to avoid them.
One of the biggest shopping days of the year is, unsurprisingly, one of the biggest scam days, too. While shoppers are counting the days to the sales, cybersecurity experts are observing a significant surge in phishing attacks.
Cybercriminals take advantage of the upsurge in retail activity by targeting shoppers with too-good-to-be-true deals, impersonating known brands, and leading them to fake URLs where personally identifiable information (PII) and credit card numbers might be stolen. Malware attacks, through seemingly innocent holiday-themed downloads, are also widespread.
“In October alone, we saw nearly 35,000 Black Friday scam-related sites looking to lure victims,” Lynette Owens, Vice President of Global Consumer Education at Japanese cybersecurity firm Trend Micro, told Cybernews.
According to her, the company has already seen a 9.46% increase in Black Friday shopping-related scam URLs, with scammers geotargeting shoppers in California at a higher rate.
Another popular tactic used by cybercriminals is sending text messages impersonating vendors to steal private information.
Owens has noticed a surge in text message scams targeting Walmart shoppers this year. Victims are prompted to provide their personal and credit card information with a link in an SMS message, offering them the chance to buy a new Samsung QLED 4K TV with Walmart rewards points.
“Such texts request information or claim a refund is due and usually contain links. Again, never engage with these types of texts. Instead, log in to your account to review if there are any issues with your recent orders,” says Guy Bauman, Co-Founder & CMO at Ironvest.
Account takeover (ATO) attacks are another type of attack expected to be prevalent this Black Friday. They involve a scammer stealing a real user's login details to hijack their account.
A seemingly harmless website might contain harmful code that silently seizes a valid login session from other accounts that the user is logged into. Sift, a fraud management company, found an alarming 131% rise in ATO attacks in the first half of 2022, a trend that will only accelerate during the holidays.
“In fact, last year we noticed these types of attacks spiking almost 3000% during Black Friday/Cyber Monday weekend, in addition to a 62% increase in attempted payment fraud during the same time,” Rebecca Alter, Trust and Safety Architect at Sift, told Cybernews.
Alter also believes that gift card fraud, a big issue in recent years, will again be prevalent this time around. Last year, according to the FTC, consumers were swindled out of more than $228 million by this type of scam.
“Gift card scams are attractive to fraudsters because they lack proper security features, and most recipients don’t spend the funds right away – which allows time for fraudulent activity,” explained Alter.
The golden rule: Don’t rush to click unknown links
Shoppers are advised to think twice before clicking on any links in emails, especially from unknown sources and ad campaigns on social media. Experts advise users to carefully check the sender’s email address, as threat actors might be impersonating well-known brands.
The increased presence of retail brands on social media makes it easy for threat actors to collect and repurpose trademarked data for fake websites and profiles. They then lure consumers with counterfeit ad campaigns, posts, and messages.
“The fast-moving nature of social media means that this type of brand impersonation is often difficult for consumers to spot until it’s too late. It’s also costly for retailers in terms of revenue loss and the scars left on their brand reputation,” John Wilson, Senior Fellow of Threat Research at Fortra, told Cybernews.
During the holiday season, cybercriminals take advantage of everyone’s guard being down. In a rush to secure purchases, retail consumers quickly click, log in, and give away valuable information.
“Online shoppers may feel rushed, search for bargains, think they can’t find the same deal or gift on another website, and seize on the first item that fits what they’re looking for. People need to think twice before clicking on a link that might not be what it seems,” Kurt Sanger, Cybersecurity Expert at Batten Safe and former Deputy General Counsel with U.S. Cyber Command, told Cybernews.
Staying safe
- Always examine the legitimacy of the deals offered to you on social media or via email. Too-good-to-be-true deals are likely to be exactly that. Always double-check the official brand's site for information instead of following sketchy links.
- While communicating with vendors on major market platforms like Amazon, always stay on the vending platform. Never share payment details via email, and avoid off-platform payments to ensure refund options.
- While dealing with Direct-to-Consumer (D2C) vendors, don't share personal info over email. Resolve issues through the brand's website, not email.
- Use virtual credit cards to protect real card info, which limits exposure to fraud for a single purchase and guards against breaches on retail sites.
- Ignore unsolicited texts claiming to be from vendors. Verify issues by logging in rather than clicking links.
- Use 2FA for bank and credit card access.