Widely regarded as the official start to the Christmas shopping season, Black Friday and Cyber Monday are exciting because many retailers announce limited-time sales that promise huge savings to die-hard consumers. Not even the pandemic looks like it will dent consumers’ enthusiasm. In September 2020, for instance, Bloomberg shared research from Deloitte that holiday spending was expected to increase between 1% and 1.5% largely because of e-commerce shopping. Reuters wrote a month later that U.S. online spending during the holidays would likely increase by 33% to $189 billion due to a flood of early promotions from retailers.
In their fervor to save money and score big, however, some shoppers don’t take the necessary precautions to protect their personal and financial data. Attackers are well aware. They use various means to abuse this excitement and prey upon holiday shoppers.
The problem is that many people aren’t familiar with these types of attacks. Indeed, 60% of information security professionals told Tripwire in a Twitter poll in 2019 that they don’t think their non-infosec friends and family could spot an email scam. Even more than that (84%) said there’s not enough digital security awareness among the public around the holidays.
All of us at The State of Security want everyone to stay happy, safe and digitally secure for the holidays. Towards that end, let’s discuss some digital threats that shoppers need to watch out for on Black Friday and Cyber Monday. We’ll also highlight some security best practices that consumers can use for the holiday shopping season.
1. Phishing Attacks
In a phishing attack, a bad actor tries to trick you into doing something you wouldn’t ordinarily do, like clicking on a suspicious link for a Black Friday or Cyber Monday sales deal. Phishing links commonly lead to fake login pages that prompt you to authenticate yourself on one of your web accounts. You might think you’re logging into your Amazon account, for instance, but that’s not the case. You’re actually handing your username and password over to an attacker, who can abuse those details later.
To protect against a phishing attack, you should exercise caution around the links you receive from people whom you don’t know. You should also always verify the legitimacy of a web page’s domain before attempting to sign in with your login credentials.
2. Financial Malware
Sometimes a phishing email doesn’t come with a link. Sometimes it comes with a malicious attachment. Yes, it may profess itself to be a special Black Friday announcement, but it could just contain an image and some malicious macros.
If you decide to enable content, you could unknowingly install malware onto your device. Those programs can then steal your banking credentials using fake login pages. Alternatively, they could log all of your keystrokes including some of your other account credentials.
You can protect yourself against financial malware by installing an anti-virus solution onto your computer and keeping it up to date. Admittedly, many of those products are limited in their effectiveness because they are signature-based. Still, they do provide some protection.
You should also enable two-factor authentication on your accounts. Doing so will help prevent attackers from accessing your accounts even if they make off with your username and password.
3. Online Scams
Black Friday and Cyber Monday scams come in many forms. Some tell you that you have a package waiting for you at the post office. Others claim to be giving away unbelievable coupons for a well-known retailer. Still others offer refunds for Black Friday or Cyber Monday purchases. Regardless of the form they take, all Black Friday and Cyber Monday scams are meant to trick you into forfeiting your personal and/or financial data. Attackers can then abuse that information to commit credit card fraud or to steal your identity.
Scams try to lure you in with what you want to hear. With that said, if an offer seems too good to be true, it probably is. If you have any doubt, contact the company making the offer directly and confirm whether the deal is legitimate.
4. ATM Skimming
Black Friday and Cyber Monday shoppers oftentimes withdraw money from the ATM when they’re out at the mall. Unfortunately, those machines are susceptible to their own share of digital attacks. One of the most prevalent methods is ATM skimming, an attack where actors affix small electronic devices to an ATM that help them steal unsuspecting people’s credit and debit card information.
The attack usually consists of two parts: a skimmer that copies the information stored on your payment card and a camera that watches you enter your PIN. Don’t forget that attackers can get very crafty when it comes to deploying skimmers and hidden cameras. This makes it hard to defend against an ATM skimming attack.
In general, if you know you’re going to be doing some shopping that day, try to use an ATM that’s located inside your bank instead of one that’s outside and therefore vulnerable to tampering. If you need to use a public ATM, shield the keypad when you enter your PIN and look for anything that seems out of place on the terminal before swiping your card.
5. Device Theft
In the rush of a Black Friday and Cyber Monday shopping spree, people sometimes don’t keep track of their personal items. For instance, you might be looking at a new TV and forget to pick up your device when you leave the store. That’s bad news, especially if an actor with bad intentions picks it up.
Those actors can potentially use the device to change the login credentials on any of your accounts. They could also steal your photos, contacts and messages for the purpose of committing identity theft, extortion or a whole slew of secondary attacks.
Fortunately, you can protect your phone against device theft by implementing one of the pre-programmed locking mechanisms on your device. You should also activate a feature like Find My iPhone for iOS that helps you to remotely track and/or wipe your device if you misplace it.
Black Friday & Cyber Monday Risks from a Business POV
Shoppers can take several precautions, including those explained above, to make it harder for attackers to target their personal and financial information on Black Friday and Cyber Monday. Not all of these steps can help businesses to protect themselves around the holiday season, however. That’s unacceptable given the fact that 58% of businesses don’t step up their own security practices around the holidays, as Tripwire learned in its poll last year.
Tim Erlin, VP of Product Management & Strategy at Tripwire, puts the risks that businesses face over the holidays into perspective for us:
Because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target businesses with the hope that the surge in transactions will serve as a smokescreen.
In particular, ransomware and other types of malware are a concern for businesses around this time of the year. Cybercriminals that are targeting businesses ultimately just want the organization to pay the ransom, which can be avoided by having good incident response measures and secure, up-to-date backups in place.
Given those risks, businesses should balance their investments in security awareness training for employees with those in robust security measures that can help to scan their systems for suspicious activity.