Are you safe this holiday season?

Black Friday is just days away, and over half of UK consumers are set to shop on the day, reported PerformanceIN. Predictably, a majority of the shopping will be done online. Businesses and consumers are equally wary of possible online scams and cyber-attacks. But are we really aware of the threats?

"As this holiday season approaches, the Cyber-security and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber-campaigns, particularly when browsing or shopping online," said an announcement from the US Department of Homeland Security.

Consumers and businesses are showing unprecedented interest in improving their cyber-security posture. However, many security research organisations have predicted bleak situations.

About 65% of online shoppers say their holiday shopping plans will put them at higher risk of being targeted by fraudsters, according to a survey. Reports say that snares have already been placed.

The party has begun 

Scammers have been on the prowl since Halloween. Cofense found a stream of spam emails inviting people to a neighbourhood Halloween party, which were actually laced with the Emotet Trojan, wrote Bleeping Computer.

“Emotet delivers malicious documents as either part of a reply chain or as a finance-themed (such as invoice, new document, bank transfer, and quotation) phishing email,” read a Cofense blog post on the Trojan.

“Financially motivated attackers always capitalise on the biggest trends. Attacks rising during the holidays aren’t new, however, they are getting more sophisticated. We’ve seen holiday-based phishing attacks, but incorporating sophisticated malware such as Emotet is a relatively newer trend,” said Tarik Saleh, senior systems engineer and malware researcher at DomainTools.

Unlike in previous years, consumers are more aware of the dangers that lurk behind tempting and outlandish offers. However, the fear of being scammed remains high among consumers.

“Increased spending during the 2019 holiday season opens the door to more frequent and more serious security risks. As our study reveals, consumers are concerned about two security risks above all others – 65% of the surveyed holiday shoppers said they feel they’re at a higher risk of having their financial information exposed during the holiday season and 66% believe they could easily become a victim of fraud,” read the Terbium Labs survey report.

“When asked about the riskiest places to shop, consumers expressed the most concern about shopping online. About 35% of consumers rated online stores as the primary source where their personal and/or financial information could be vulnerable to compromise, compared to physical retail locations (20%).”

Retail sales, wholesale risk

As the online retail markets gear up with their offers, cyber-criminals are looking to capitalise on the customer loyalty retailers have built, and maximise their potential returns. 

“Through malicious domains, counterfeit goods, coupon/gift card scams and impersonations on social media, bad actors engage directly with unwary consumers in a way that they previously could not,” read the retail industry threat report by ZeroFOX.

“According to HubSpot, it costs a business about 5-25x more to acquire a new customer than to sell to an existing one, and existing customers spend 67% more than new customers,” said Roger Magoulas, vice president - Radar at O'Reilly Media.

“Business leaders are well aware that customers no longer base their loyalty on just products or services, or even price. Customer experience is now the name of the game, and if you cannot meet customer demands and expectations, they will simply move on to your nearest competitor,” he said.

Retailers go all-out to retain this consumer loyalty by offering festival deals, consumer loyalty programmes and easy-to-use apps with further offers. While the offers become fodder for phishing campaigns, app security that is compromised for convenience is exploited by hackers.

Returning risks

The latest edition of the annual fraud attack index by Forter shows that after-sales deals such as loyalty programs and return policies are being exploited by criminals. Loyalty fraud increased by 89% year over year, while the total dollar amount in online fraud increased by 12% year over year, said the Fraud Attack Index report.

“A clear trend in online fraud is emerging,” said Forter CEO Michael Reitblat. “The industry as a whole has done a tremendous job detecting and preventing payment fraud at the point of transaction. This eliminates the amateurs. We’re seeing fraudsters now shift their efforts earlier in the customer journey, gaining access to consumers’ accounts.”

Only 15% of the top 20 European-wide online retailers are proactively blocking fraudulent emails from reaching customers, meaning 85% of Europe's top online retailers are leaving customers open to email fraud, said Proofpoint’s quarterly analysis of highly targeted cyber-attacks.

In the UK, only four of the top 10 online retailers have implemented the strictest level of protection offered by the email authentication protocol DMARC. The situation was even worse in countries such as Germany and Sweden, where 95% of top online retailers may be exposing themselves and their customers to cyber-criminals on the hunt for personal and financial data by not implementing email authentication best practices, said the Proofpoint report.
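The following added example, which is not from the article or the Proofpoint report, shows how a domain's published DMARC record can be classified by enforcement level, with `p=reject` as the strictest policy. The domains and records in `SAMPLE` are constructed; in practice the TXT strings come from a DNS lookup at `_dmarc.<domain>`.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = []
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if part.strip():
            tags.append((key.strip().lower(), value.strip() if sep else None))
    # RFC 7489: the first tag must be v=DMARC1 (the value is case-sensitive).
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return {k: v for k, v in tags[1:] if v is not None}

def classify(txt_records):
    """Return (level, notes) for the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        # RFC 7489 6.6.3: zero or several DMARC records means DMARC is not applied.
        return "no-record", []
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid-policy", []
    notes = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("unparseable pct, default 100 assumed")
    if tags.get("sp", policy).lower() != policy:
        notes.append("subdomains use sp=" + tags["sp"].lower())
    if policy == "none":
        return "monitor-only", notes  # reports only, spoofed mail is still delivered
    if pct < 100:
        notes.append(f"policy applies to {pct}% of failing mail")
        return policy + "-partial", notes
    return policy, notes

SAMPLE = {  # constructed domains and records, for illustration only
    "shop-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
    "shop-b.example": ["v=DMARC1; p=reject; pct=25; sp=none"],
    "shop-c.example": ["v=DMARC1; p=none"],
    "shop-d.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(domain, *classify(txts))
```

Only a result of `reject` corresponds to the strictest level; `monitor-only`, partial rollouts and a weaker `sp` for subdomains all leave some spoofed mail deliverable.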

The ZeroFOX report listed five categories of potential risks.

Domain-based attacks: Malicious, spoofed and impersonating domains represented the largest attack tactic targeting the retail industry. 

Customer Scams: Scams offering “something for nothing” frequently target retail consumers, including gift card, coupon and giveaway scams.

Counterfeit Goods: Fake versions of legitimate products, posted to marketplaces and malicious domains, represent risks to brand reputation and customer trust. 

Impersonations: Bad actors pretend to be retailers and their high-profile executives on social media to gain direct access to employees and customers.

Information Exposure: Data breaches can be detrimental to a retailer’s brand, targeting executives and customers.

Take a second look

Security researchers and regulators prescribe various precautions to avoid risks: avoid using the same password twice; watch out for look-alike sites; stay away from outlandish offers; visit the actual website instead of clicking the link in the email.

However, they are unanimous when it comes to using public WiFi while you are out shopping. Don’t.

“Avoid buying when you're connected to public Wi-Fi,” said Robert Capps, vice president at NuData Security. “If you are in transit when you find the best gift for your dad, use your mobile data service, or wait until you get home to hit buy and send your credit card and identity information.”

“Free/open-access WiFi is not secure,” said the Proofpoint report. “Cyber-criminals can intercept data transferred over unprotected WiFi, including credit card numbers, passwords, account information, and more.”

Even riskier is charging your phone on a public port, especially while you are travelling during the holidays.

“Travellers should avoid using public USB power charging stations in airports, hotels and other locations because they may contain dangerous malware,” warned the Los Angeles County district attorney’s office.

“In the USB charger scam, often called ‘juice jacking,’ criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” the announcement said.

Accessing the internet from a secure environment does not guarantee app security. Avoid going to search engines to download an application from a particular retailer or brand, warns NuData Security’s Capps.

“Go to the source! Most major brands will provide a link to download their legitimate app on their website. When downloading apps, always use a reputable app store: Google Play or the Apple App Store perform more checks on app safety and security before they are released,” he said. 

Consumers should have a backup payment mechanism in place in case the primary one is compromised, said Sam Curry, chief security officer at Cybereason.

“Report issues early and often. Make sure the passwords are strong and unique and fresh for your credit and retail accounts. If that's hard, consider investing in a password vault now as your holiday present!”