The real danger of Black Friday that could damage your company

An American retail tradition the Friday after Thanksgiving – Black Friday has now become a yearly addition to the shopping habits of people across the world. But the influx of ‘deals’ and the promise of purchasing big ticket items for a fraction of the price has produced both an economic and social debate around its positive and negative impacts. However, there is one issue that is often overlooked during the festivities – cyber security.

Business Leader spoke to some industry experts on the topic to find out more about the risks facing businesses across the UK.

Matt Horan, security director of C3IA Solutions, a cyber security company based in Poole, Dorset

The number of online scams has risen sharply this year because many more people have been buying online.

The new ‘virtual shoppers’ are being targeted by cyber crooks who are increasingly cunning.

Black Friday presents criminals with more opportunities to scam people, as shoppers around the globe look for bargains.

With the fraudsters often operating from foreign countries, convictions can be rare and this emboldens them.

People buying online should be aware of the scams that will be used.

Fake websites are common – they look and read like genuine ones and will take your money like genuine ones, but you won’t receive the goods.

What look like offers will be sent to email addresses and over other platforms, but they are not offers but scams.

Not only does this affect the victims, but also genuine retailers who will lose sales.

Always check the website before buying from it – does it have the correct address? If the link was sent to you, Google that company – if the offer was genuine it will still be there.

Counter-intuitively, younger people are more likely to fall for scams than older people because they are more likely to be relaxed buying online.

Etay Maor, CSO at IntSights

As with many cybercrime cases, both consumers and businesses need to take security seriously to help mitigate the risk of fraud. Consumers should be aware that cybercriminals are always looking for new ways to commit fraud and Black Friday is just one of many opportunities for them.

In previous years we have seen phishing and scam emails go out during the shopping season, enticing victims to provide credentials and card numbers on the promise of getting early or discounted deals. Basic security hygiene is always a must – keep your system up to date with security updates and patches, don’t reuse passwords, don’t use easy to guess passwords and opt in for 2 factor authentication (2FA), but most importantly – remain vigilant and don’t click/download/reply to anything that seems even mildly suspicious. If it seems too good to be true, it probably is.

Businesses have responsibility here as well. Aside from making sure their systems are properly secured and prepared for attacks (such as credential stuffing) they need to offer consumers additional security features such as opting in for 2FA and alerting on suspicious account activity. In addition, organisations must utilise threat intelligence to understand if cybercriminals are targeting them and selling their customer data and credentials, and use it to identifying potential attack vectors used by threat actors.

Attila Tomaschek, Digital Privacy Expert at ProPrivacy

With Black Friday this year almost entirely online, businesses need to be more vigilant than ever when it comes to shoring up their cybersecurity practices and protecting themselves and their customers from cyber threats. This means actively taking steps to address and mitigate various cyber threats that can lead to sensitive consumer data being compromised and ultimately, irreparable damage to a company’s brand.

Along with the typical cybersecurity threats that businesses need to protect against like DDoS attacks, phishing attacks, and ransomware attacks, businesses need to understand and prepare for a significant increase in client-side attacks like credit card skimming – or Magecart – attacks.

With an unprecedented number of shoppers relying on online shopping this year to complete their Christmas lists, cybercriminals are focusing their efforts on launching Magecart attacks that inject malicious credit card skimming JavaScript code into online retailers’ HTML code.

This allows hackers to easily steal payment details and other personal data that consumers enter into online checkout forms. Magecart attacks are becoming a more and more popular avenue of attack for criminals because they can be incredibly lucrative, and also because they can be nearly impossible to detect until it is far too late.

This type of attack can allow a hacker to skim all kinds of sensitive personal and financial consumer data like full names, billing addresses, credit card details, phone numbers, passwords, and more from online forms and send all that data to a server controlled by criminals.

It can take weeks before a business even knows that its site’s checkout page has been compromised by the malicious code. This is because the attack takes place on the client-side instead of on the backend and the data is transferred directly from the customer’s browser to the hacker’s server.

This means that businesses are often not aware that they have been targeted until they are alerted to credit card fraud or if they complete a thorough client-side code review.

Magecart attacks are a major cybersecurity concern, a concern that is only increasing in gravity, and one that should be on the radar of any business operating online, especially in such a year as this. Businesses that have their checkout pages compromised by a Magecart attack not only obviously put sensitive consumer data at great risk, but also risk significant damage to their brand reputation, considerable financial loss, as well as regulatory and legal issues.

To mitigate the risk of being affected, companies should make sure their systems are constantly updated with the latest security patches, invest in monitoring tools to help detect irregularities and potential Magecart threats specifically, conduct regular proactive monitoring of client-side applications, and properly vet any third-party partners. Taking these steps won’t necessarily guarantee a business will be immune to Magecart attacks, but they can be tremendously helpful in effectively minimizing the risks nonetheless.

Guy Lloyd, Director of CySure

Black Friday generates a sense of urgency to grab the bargains before time runs out. It is the need to act quickly that is likely to be exploited by bad actors or cyber criminals at this time.

Individuals and employees can do a lot to protect themselves and their employer. Cyber security doesn’t need to be complex, costly or confusing. Modifying your behaviour and how you respond to the tricks that the bad actors are using costs nothing and goes a long way to protecting yourself.

There are likely to be a great number of alerts sent out (by email or text) saying that an account has been locked due to suspicious behaviour and inviting the person to reconfirm their account by logging-in via the supplied link. Never do this. Any notification that tells you to do something immediately, needs to be treated with suspicion. Taking 5 minutes to think about the request and checking with your bank will protect you. Banks do not ring telling you to move money.  If you want to check it is a genuine call, first hang up, then call a number of someone you know and then call the organisation using the number on their letter head or web page (that you enter yourself – rather than clicked on).

Be suspicious of emails purporting to come from a manager that ask you to transfer money.

Tim Walker, MD, Aura Technology Group

This year we’ve seen hackers step up their game as they took advantage of the pandemic – especially people working from home on less secure systems – to mount attacks on individuals, businesses and organisations including the NHS.

They have increased confidence and know that users are especially vulnerable this year to Black Friday scammers – when money is tight, good deals become more tempting and caution can go out of the window.

If you’re being rushed, alarm bells should sound. Hackers are particularly adept at convincing their targets to act quickly to secure a “deal” by saying stock is low or an offer is only available for a limited time, so slow down if you start to feel pressured to put in bank details or PayPal passwords. Stopping and thinking for a moment can prevent a costly mistake.

At this time of year we’re all used to seeing a rush of offer emails hit our inboxes, so we may be less vigilant than usual when it comes to scrutinising them. Watch out for any slightly amended email addresses – such as an email from Amozon instead of Amazon, or G00gle with zeroes instead of the letter O. These kinds of tricks are often used by scammers to direct users to fake sites and capture account or credit card details.

Beware also of a phone call out of the blue from a caller who says a transaction has failed or there is a problem with your account – these can be very convincing but are designed to generate panic so that account details can be harvested. If in doubt, put the phone down and either call a known customer service email or log in through the website address that you usually use to check that the problem is genuine.

And, as ever, don’t click on links you weren’t expecting, watch out for rogue attachments and remember – if something seems too good to be true, it probably is!

Matthew Helling, Head of Cyber Security Services at Softcat

Black Friday is a lucrative time of year for cyber criminals. And this year even more so, as COVID-19 restrictions make it difficult to visit stores.

We can expect to see a spike in phishing attempts and scam sites this week, designed to trick unsuspected consumers into giving over personal information like bank details, passwords and codewords. And with inboxes and social media feeds full of Black Friday promotional offers, it can be more difficult to spot the fakes.

There are risks for businesses too, particularly retailers who will see exceptionally high volumes of website traffic. This creates the perfect conditions for cyber criminals to launch distributed denial-of-service (DDoS) attacks, of which there are many types, but all have the potential to cost businesses huge sums of money in downtime and put enormous pressure on IT teams.

Volume-based, application-layer and protocol attacks can be launched individually, or in combination, to interrupt the normal functioning of a website or bring it down completely, meaning customers aren’t able to access the site and spend their money.

Defending against these attacks requires proactive planning. But even if it’s too late for this Black Friday, the threat remains all year around. One-stop DDoS protection products can be purchased from major cloud providers or CDNs to help load balance and prevent surges in traffic from bringing down a website. Vendors are also increasingly offering managed DDoS-as-a-service packages too, helping to protect retailers against the evolving threat landscape 365 days a year.

Awareness Training for all employees is another important proactive step for businesses to boost their cyber defenses and early detection systems. It enables everyone to understand the latest methods external actors might use, the signals of malicious activity and how to report it correctly.

Mark Slater, Head of Threat Intelligence, CyberGuard Technologies

With Black Friday approaching many consumers will be looking to bag themselves a bargain in online purchases.  However, Black Friday and the run up to Christmas can also prove financially rewarding to cyber criminals. Many of us have in the past received SPAM emails claiming to be from Amazon, PayPal or one of the many other online entities we have accounts with.  At other times of the year these emails may be easy to spot and ignore.  However, at a time of year when we are genuinely expecting multiple emails from these vendors there is likely to be an increased ‘hit’ rate for the cyber criminal where consumers open the SPAM email and are duped into disclosing their account details to the cyber-criminal.

Cyber criminals may bypass the consumer altogether and target the online store directly.  During 2020 many vulnerabilities have been identified in the software which powers some online stores.  By exploiting these vulnerabilities, an attacker can install malicious code onto the site which would allow the skimming of card details used to make online purchases.  In mid-September, over 2000 online stores were compromised in one weekend by exploiting a bug in a version the popular Magento eCommerce platform.

Security HQ CEO Feras Tappuni

SecurityHQ are expecting a significant surge in activity throughout Black Friday this year. Traditionally an American concept, Black Friday is now a global event, with millions around the world taking advantage of its offers and sales. This, combined with an increase in online shopping as a result of COVID-19, provides the perfect opportunity for cyber criminals. With the prospect of a good deal, people rush into making purchases. This is an issue, as few will notice a misspelt URL on an insecure site. Many deals offered on Black Friday can seem too good to be true, and that is often the case. To reduce your chance of paying the ultimate price for a one-off bargain, we suggest when shopping online that devices are up to date and patched properly. Ensure that password protocols and the creation of strong passwords are maintained and, ideally, use an app or a trusted retailer. When entering bank details, we suggest that you use a credit card over a debit, as this has greater protection if an insecure transaction is made.

Yoav Keren, CEO of BrandShield

Black Friday is going to be a feast for scammers as e-commerce booms because of the pandemic. In the first three months of the pandemic, e-commerce jumped from 14% of total US commerce to 20%.  Cybercriminals are flooding the internet with phishing scams, fraudulent websites and counterfeit goods.  Opportunistic counterfeiters are taking advantage of shaky supply chains to capitalise on in-demand goods such as the PlayStation 5.   Counterfeiters take note of popular products that are out of stock and jump on the opportunity. It’s not just dodgy websites. Amazon frequently plays host to counterfeits.   The problem is that the e-commerce giant isn’t held accountable for selling fakes.

Between third-party websites, mobile apps, marketplaces, and social networks, counterfeiters are using every channel at their disposal to gain visibility – and buyers.  One of the most significant growth areas is social media. More and more shoppers are finding products through social media and peer-to-peer apps, providing counterfeiters with another gallery for their wares.  Fighting counterfeits is a big challenge for brands. Shoppers tie the brand’s reputation to the mere existence of counterfeits. Thankfully, there are tools out there to help them, but they need to get into the fight.

Mark Nutburn from the British Assessment Bureau

If you set out to design a perfect day for cybercriminals it would be hard to imagine one offering more potential than the Black Friday online sales.

Launched a decade ago in the UK by Amazon, these days Black Friday is less a single day, 27 November, than several weeks leading up to it when consumers are offered claimed bargains. Now factor in 2020’s pandemic and closed shops and it’s likely this year consumers will be unusually eager to buy and online retailers desperate to oblige.

This raises the stakes for businesses, which can end up not only losing sales over weeks but fielding calls from scammed consumers. Banks, meanwhile, must approach Black Friday with trepidation. Broadly speaking, there are two types of Black Friday fraud – those pushing fake bargains, and those which simply use Black Friday as a lure for general phishing attacks and credit card scams that otherwise happen on any day of the year.

Black Friday retail scams are usually basic, using email, social media lures or fake mobile apps to push consumers to fake websites and domains impersonating real ones. These often use short-lived lookalikes, the damage from which is usually specific sums of money charged for goods which never turn up.

Arguably, phishing scams borrowing Black Friday are more dangerous. The intention behind these is to break into valuable accounts, including bank accounts, or to take control of credit cards to make numerous charges. This can lead to major fraud, which can extend to identity theft at one extreme.

It’s not always clear whose problem this is but fighting back requires the sort of user education retailers and banks are perfectly placed to conduct. The biggest defence is to start using multi-factor authentication, and to persuade customers to turn it on. There’s a debate about whether SMS is a secure compared to mobile apps that generate one-time codes but it’s better than nothing and presents an extra hurdle many attackers won’t be able to climb over.

Steve Timothy, IT Security and RDS Manager at Ricoh UK.

The fact that people have been unable to shop for non-essential items during this lockdown physically has meant that bargain hunters have had to go online. As a result, there has already been a surge in phishing emails offering deals and discounts where the only thing they’re offering is a link to malware. Businesses need to be extra vigilant and provide increased cybersecurity training during this period. We always recommend running simulated cybersecurity training to educate employees on what to look for and what to do – the added sense of reality can eliminate the dangerous “wouldn’t happen to me” mentality. Organisations should also make sure to have a last line of defence technology and support, such as with Ricoh’s Cyber Security Practice, which can ensure damage is minimised and business operation can continue should the worst happen.

People should also be wary of the cut-price bargain tech products on offer. Malware can be loaded into the most innocuous and seemingly innocent products, including USB chargers for phones, and even smart products such as doorbells. Always remember the adage, if it’s too good to be true it probably is, so do some due diligence. Ask yourself, does the seller look legit? Comb through the reviews, even if they’re all positive have they been uploaded at the same time and do they look like the same person wrote them?

Mark Nutburn from the British Assessment Bureau

If you set out to design a perfect day for cybercriminals it would be hard to imagine one offering more potential than the Black Friday online sales.

Launched a decade ago in the UK by Amazon, these days Black Friday is less a single day, 27 November, than several weeks leading up to it when consumers are offered claimed bargains. Now factor in 2020’s pandemic and closed shops and it’s likely this year consumers will be unusually eager to buy and online retailers desperate to oblige.

This raises the stakes for businesses, which can end up not only losing sales over weeks but fielding calls from scammed consumers. Banks, meanwhile, must approach Black Friday with trepidation. Broadly speaking, there are two types of Black Friday fraud – those pushing fake bargains, and those which simply use Black Friday as a lure for general phishing attacks and credit card scams that otherwise happen on any day of the year.

Black Friday retail scams are usually basic, using email, social media lures or fake mobile apps to push consumers to fake websites and domains impersonating real ones. These often use short-lived lookalikes, the damage from which is usually specific sums of money charged for goods which never turn up.

Arguably, phishing scams borrowing Black Friday are more dangerous. The intention behind these is to break into valuable accounts, including bank accounts, or to take control of credit cards to make numerous charges. This can lead to major fraud, which can extend to identity theft at one extreme.

It’s not always clear whose problem this is but fighting back requires the sort of user education retailers and banks are perfectly placed to conduct. The biggest defence is to start using multi-factor authentication, and to persuade customers to turn it on. There’s a debate about whether SMS is a secure compared to mobile apps that generate one-time codes but it’s better than nothing and presents an extra hurdle many attackers won’t be able to climb over.

Karneet Chowdhury, Business Manager at Direct Line – Business

With key retail milestones such as Black Friday approaching and Christmas shopping well underway, it’s important for businesses to stay vigilant and do as much as possible to safeguard their enterprise.

Cyber threats have been rising since the pandemic, we know many small businesses that may have been forced to close during lockdown periods have pivoted to take their business online. Our recent research reveals the most common form of cyber-attack is a phishing attempt, with computer viruses taking second place. It’s attacks of this nature that businesses will have to watch out for as cyber criminals may seek to capitalise both during busier periods and once lockdown rules become more relaxed to allow non-essential businesses to reopen their doors.

A successful attack has the potential to cripple a small business’ finances at the worst possible time – costing SMEs £4,294 on average. This is significant given our research also revealed that two fifths of SMEs hold less than £10,000 in cash reserves. As a result of cyber-attacks, almost two in ten (18 per cent) small businesses reported that their client relationships had been damaged, while 13 per cent said that the attack had impacted the reputation of their business.

Despite the clear impact, many small business owners still aren’t taking the right precautionary measures, reflected by 70 per cent confirming they had no specific insurance policy in place to protect their livelihood in the event of cybercrime. Other precautionary measures are often also overlooked, such as minimising the risk of human error, encrypting sensitive files and taking steps to ensure business recovery in the event of an attack.

When it comes to reducing the impact of cyber-attacks, helping provide peace of mind and minimising repercussions for small businesses during this challenging economic period, having the right insurance in place is key. Through investment in the right cover, businesses can avoid any nasty surprises during the all-important holiday season and beyond.