Purchase with caution: scammers on the prowl for e-shoppers
Everybody loves a good sell-off. Take away the hassle of rubbing shoulders with fellow buyers, and the drive to buy might even be higher. Unfortunately, shoppers and retailers are not the only ones who love sales. Cybercriminals do, too.
Cybercrime, once a niche topic, has flooded the front pages of major news outlets recently. That’s hardly surprising, given that business losses to online crime swelled by $10 billion in 2020. Enterprises, however, top the headlines due to the flashy price tags threat actors put on their data. Everyday users still bear the brunt of the loss.
A recently published analysis by Group-IB, a cyber intelligence company, shows that fraud accounts for 73% of all online attacks. An additional 17% were classified as phishing attacks, a type of criminal activity in which a threat actor sends fraudulent communication to a victim while posing as a reputable source. Threat actors employ both to steal either users’ money or their data.
“I would be shocked if we don’t see a huge number of phishing attacks around Prime Day,” Dave Hatter, a cybersecurity expert at IntrustIT, told CyberNews.
As data gathered by Digital Commerce 360 indicate, the global pandemic accelerated e-commerce growth by two years, contributing an additional $105 billion in US online revenue last year. Criminals do take note. And when’s a better day to search for victims than a mass shopping spree like the coinciding Amazon’s Prime Day, Target’s Deal Days, and Walmart’s Deals for Days?
According to Bolster, a fraud prevention company, the ongoing Prime Day is expected to surpass the last year’s event. And criminals have already taken notice. The volume of newly created Amazon phishing and scam sites has increased dramatically.
2,805 sites appeared online in the first five months of this year, a whopping seven times more than 2020. Similarly, data collected after the 2020 event shows that the number of scammer sites increased 17 times compared to a previous period.
Inventive scammers created ‘Early Prime Day Deals’ promotions that closely resemble Amazon’s site intending to steal shopper data.
Even though not all signs of a forgery are hidden, such as an unusual site host or a misspelled URL, few take notice. Caught up in a shopping frenzy, many customers are too distracted and focused on discounts to take necessary safety precautions.
“With retail sales expected to surge this summer and through to the end of 2021, malicious actors may look to take advantage of consumers during shopping events like Amazon Prime Day or Black Friday, so customers should be cautious of fraudulent activity,” claims Todd Moore, VP of Encryption Solutions at Thales.
With the three most prominent retailers in the US holding sales simultaneously, it’s open season for scammers. According to Hatter, threat actors are fully aware of the opportunities that present themselves during major online sales.
At least in the US, online shopping is usually the more convenient option with a vast network of delivery centers and same-day delivery available in most populated areas.
Moreover, a year behind the screen has taught millions of people who previously might have held off on such ventures how to shop online.
“If you’re a bad guy, why wouldn’t you try to send out some phishing emails that spoof real emails from these organizations. And unfortunately, people click those links, they enter their credentials because they land on a doppelganger or lookalike website, and you know, bad guys get it,” Hatter explained.
Even though plenty of scammers target every one of us, there are relatively easy ways to prevent online theft. According to Hatter, shoppers should get into a habit of using a password manager that allows them to have strong passwords and remember them.
“Make sure you’re not on a doppelganger or a lookalike website. One of the ways that you can check for that is by clicking on the home link and seeing if it takes you to the site you’re supposed to be on,” Hatter told CyberNews.
You should also be using a privacy-safe browser and checking whether you’re utilizing a secure version of hypertext protocol. If it’s secure, your retailer’s address should start with ‘HTTPS’ instead of ‘HTTP’.
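The warning signs mentioned above (no HTTPS, a misspelled URL, an unusual site host) can be checked mechanically before a link is opened. The script below is an added example, not part of the original article; the trusted-domain list, flag names, and sample links are constructed for illustration, and treating the last two host labels as the registrable domain is a simplification.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains of the retailers named in the article.
TRUSTED = ("amazon.com", "target.com", "walmart.com")

def edit_distance(a, b):
    """Levenshtein distance, used to catch misspelled domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return a list of red flags for a shopping link; empty means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if parts.scheme != "https":
        flags.append("no-https")
    if parts.username is not None:
        flags.append("userinfo")   # text before '@' is not the real host
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")   # may render as look-alike characters
    # The retailer's own domain, or a true subdomain of it, passes the host check.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return flags
    registrable = ".".join(host.split(".")[-2:])  # simplification: no public-suffix list
    specific = []
    for d in TRUSTED:
        brand = d.split(".")[0]
        if edit_distance(registrable, d) <= 2:
            specific.append("typo:" + d)                   # misspelled URL
        elif brand in host:
            specific.append("brand-on-other-host:" + brand)  # unusual site host
    return flags + (specific or ["unknown-host"])

if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.amazon.com/deals",
                 "http://www.amazon.com/deals",
                 "https://www.amaz0n.com/prime",
                 "https://amazon.com.early-prime-deals.example/login",
                 "https://amazon.com@early-deals.example/"):
        print(link, "->", check_link(link) or "ok")
```

An empty result only means none of these particular signs were found; it does not prove a site is genuine.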
Using a credit card meant solely for online shopping would add an additional layer of security. A low card limit and no ties to savings or other accounts help prevent losing significant amounts of money even if card data is stolen.
The Holy Grail
However, there is one security measure that’s almost guaranteed to prevent cybercriminals from stealing your valuable data – multifactor authentication (MFA). Recommended for businesses by the FBI, MFA has the potency to block any unintended access to users’ accounts.
MFA requires whoever is trying to log in to provide two or more pieces of evidence to verify their identity. In the event of a stolen password, threat actors are unlikely to access an account since additional steps are required that usually involve account holders’ smartphones or other personally owned devices.
According to Hatter, MFA can also have an indirect positive effect.
“If you have traditionally used MFA on an e-commerce site, and then you go to log in, and it doesn’t prompt you for that MFA one-time passcode, that should be a strong red flag that something is not right,” Hatter told CyberNews.
The level of security enabled by MFA can be as high as 99%, as highlighted by Microsoft.
Jenn Markey, Product Marketing Director at Entrust, a global secure transaction solutions provider, says that some of the recent major hacks could have been avoided by something as simple as MFA.
“There is always more that organizations can do, but MFA is a foundation piece, and without it, all other initiatives would be moderate. MFA would have prevented the Colonial Pipeline cyber-attack and the RockYou2021 password leaks,” Markey told CyberNews.
Virtually all major e-commerce players offer their users additional protection of personal accounts via MFA. The European Union has even pushed this further with Payment Services Directive 2 (PSD2), which requires Strong Customer Authentication (SCA).
That means that all electronic payments are performed with multifactor authentication. Even though it’s not the same as protecting your Amazon, Target, or Walmart account, it’s a start.
However, the use of MFA generally has one drawback – it causes friction in the checkout process. In other words, inexperienced users get frustrated by the additional security requirements and might redirect their purchasing power to a retailer that does not use such protections.
“[…] retailers tend to shy away from adding security measures that will inject friction into the checkout process. Retailers in Europe pushed back hard against PSD2’s Strong Customer Authentication (SCA) requirement that took effect December 31, 2020,” Markey claims.
There don’t seem to be any technical difficulties for e-shops to require their customers to use MFA to prevent scams. Hatter told CyberNews that current technology allows access to MFA to virtually anyone via many devices, thus keeping a potential loss to businesses at a minimum.
“There’s just no reason I can think of why companies would not want to turn it on. Other than it creates friction, it makes people angry at first. People get very frustrated, but at the same time, it’s one of the best things you can do to secure your account,” Hatter said.
According to Markey, retailers have always been skeptical towards any innovation that stands in the way of customers giving them their money. However, with an increase in cybercrime, e-commerce platforms will have to factor in cybercrime costs.
“Businesses are now seeing the light and prioritizing security above offering what they see as a frictionless experience for customers because they are getting tired of litigation and reputational damage due to security breaches,” Markey told CyberNews.