The end of November is a busy time in the United States. On Thanksgiving, friends and family gather together to give thanks for good food and good company. Once they’ve put away the leftovers, many Americans don their coats and head to the malls for Black Friday.
The official start to the Christmas shopping season, Black Friday is exciting because many retailers announce limited-time sales that promise huge savings to die-hard consumers. In their fervor to save money and score big, however, some shoppers don’t take the necessary precautions to protect their personal and financial data. Attackers are well aware; they use various means to abuse this excitement and prey upon holiday shoppers both online and in stores.
The problem is that many people aren’t familiar with these types of attacks. Indeed, 60 percent of information security professionals told Tripwire in a recent Twitter poll that they don’t think their non-infosec friends and family could spot an email scam. Even more (84 percent) said there’s not enough digital security awareness among the public around the holidays.
All of us at The State of Security want everyone to have a happy and digitally secure holiday. Towards that end, let’s discuss five digital threats which shoppers need to watch out for on Black Friday. We’ll also highlight some security best practices for the holiday shopping season.
1. Phishing Attacks
In a phishing attack, a bad actor tries to trick you into doing something you wouldn’t ordinarily do, like clicking on a suspicious link for a Black Friday sales deal. Phishing links lead to fake login pages that prompt you to enter the credentials for one of your web accounts. You might think you’re logging into your Amazon account, for instance, but that’s not the case. Instead, the attacker steals your username and password, details that they can abuse later.
To protect against a phishing attack, you should exercise caution around the links you receive from people whom you don’t know. You should also always verify the legitimacy of a web page’s domain before attempting to sign in with your login credentials.
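One way to carry out the domain check described above, as an added example (not code from Tripwire or the original article). The names `EXPECTED_DOMAINS`, `checkLoginLink` and `reviewLinks` are hypothetical, and the sample links are constructed.

```javascript
// Added example: check that a login link really belongs to the site it claims.
// EXPECTED_DOMAINS and SAMPLE_LINKS are constructed for illustration.
const EXPECTED_DOMAINS = ["amazon.com"];

const SAMPLE_LINKS = [
  "https://www.amazon.com/ap/signin",                   // genuine host
  "https://www.amazon.com.deals.example.net/ap/signin", // brand used as a subdomain
  "https://amazon.com@deals.example.net/signin",        // brand placed before an "@"
  "http://www.amazon.com/ap/signin",                    // right host, no TLS
  "https://amazön.com/ap/signin",                       // look-alike character
];

function checkLoginLink(link, expected = EXPECTED_DOMAINS) {
  let url;
  try {
    url = new URL(link); // same parsing rules a browser applies
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // Anything before "@" is a username, not the site being visited.
  if (url.username || url.password) {
    return { ok: false, reason: "text before @ is not the host" };
  }
  const host = url.hostname.replace(/\.$/, "");
  // Non-ASCII host names are converted to "xn--" labels by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalized look-alike host" };
  }
  // The host must be the expected domain itself or a subdomain of it.
  const match = expected.find((d) => host === d || host.endsWith("." + d));
  if (!match) {
    return { ok: false, reason: `host ${host} is not an expected domain` };
  }
  return { ok: true, reason: `host ${host} belongs to ${match}` };
}

function reviewLinks(links = SAMPLE_LINKS) {
  return links.map((link) => ({ link, ...checkLoginLink(link) }));
}

for (const r of reviewLinks()) {
  console.log(r.ok ? "OK    " : "REJECT", r.link, "-", r.reason);
}
```

Only the first sample link passes; the others show why the part of the address that matters is the host name the browser actually connects to, not the brand name that appears somewhere in the link.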
2. Financial Malware
Sometimes a phishing email doesn’t come with a link. Sometimes it comes with a malicious attachment. Yes, it may profess itself to be a special Black Friday announcement, but it could just contain an image and some malicious macros.
If you decide to enable content in the attachment, you could unknowingly install a piece of malware like the ServHelper backdoor or HawkEye onto your machine. Those programs can then steal your banking credentials off fake login pages. Alternatively, you can inadvertently download a keylogger that logs all of your keystrokes, including some of your other accounts’ credentials.
You can protect yourself against financial malware by installing an anti-virus solution onto your computer and keeping it up to date. Admittedly, those products are limited in their effectiveness because they are signature-based. Still, they do provide some protection.
You should also enable two-factor authentication on your accounts. Doing so will help prevent attackers from accessing your accounts even if they make off with your username and password.
3. Online Scams
Black Friday scams come in many forms. Some tell you that you have a package waiting for you at the post office. Others claim to be giving away unbelievable coupons for a well-known retailer. Others still offer refunds for Black Friday purchases. Regardless of the form they take, all Black Friday scams are meant to trick you into forfeiting your personal and/or financial information. Attackers can then abuse that information to commit credit card fraud or to steal your identity.
Scams try to lure you in with what you want to hear. With that said, if an offer seems too good to be true, it probably is. If you have any doubt, contact the company making the offer directly and confirm whether the deal is legitimate.
4. ATM Skimming
Black Friday shoppers oftentimes withdraw money from the ATM when they’re out at the mall. Unfortunately, those machines are susceptible to their own share of digital attacks. One of the most prevalent methods is ATM skimming, an attack where actors affix small electronic devices to an ATM that help them steal unsuspecting people’s credit and debit card information.
The attack usually consists of two parts: a skimmer that copies the information stored on your payment card and a camera that watches you enter your PIN. Don’t forget that attackers can get very crafty when it comes to placing their skimmers and hidden cameras. This makes it hard to defend against an ATM skimming attack.
In general, if you know you’re going to be doing some shopping that day, try to use an ATM that’s located inside your bank beforehand instead of one that’s open to tampering. If you need to use a public ATM, shield the keypad when you enter your PIN and look for anything that seems out of place on the terminal before swiping your card.
5. Device Theft
In the rush of a Black Friday shopping spree, people sometimes don’t keep track of their personal items. For instance, you might be looking at a new TV and forget to pick up your device when you leave the store. That’s bad news, especially if an actor with bad intentions picks it up.
Those actors can potentially use the device to change the login credentials on any of your accounts. They could also steal your photos, contacts and messages for the purpose of committing identity theft, extortion or a whole slew of secondary attacks.
Fortunately, you can protect your phone against device theft by implementing one of the pre-programmed locking mechanisms on your device. You should also activate a feature like Find My iPhone for iOS that helps you to remotely track and/or wipe your device if you misplace it.
Black Friday Risks from a Business POV
Shoppers can take several precautions, including those explained above, to make it harder for attackers to target their personal and financial information on Black Friday. Not all of these steps can help businesses protect themselves around the holiday season, however. That’s unacceptable given the fact that 58 percent of businesses don’t step up their own security practices around the holidays, as Tripwire learned in its poll.
In anticipation of increased cyber-attacks, does your company step up security practices, including employee training, during the holiday shopping season? 🛒🛍️🛒🛍️🛒
— Tripwire (@TripwireInc) November 15, 2019
Tim Erlin, VP of Product Management & Strategy at Tripwire, puts the risks facing businesses over the holidays into perspective for us:
Because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target businesses with the hope that the surge in transactions will serve as a smokescreen.
In particular, ransomware and other types of malware are a concern for businesses around this time of the year. Cybercriminals that are targeting businesses ultimately just want the organization to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups.
Given those risks, businesses should balance their investments in security awareness training for employees with those in robust security measures that can help scan their systems for suspicious activity. Learn how Tripwire’s solutions can help in that regard.