It’s officially silly (shopping) season. Inboxes around the world are starting to fill up with crazy hot sales, festive deals, and year-end promotions.
With this in mind, I thought it would be prime time to cover the sinister side of pressure-cooker online shopping season. Not the risk of dropping thousands of dollars on things you don’t need, but the worse outcome: dropping thousands of dollars on nothing at all!
Not only is this important from a consumer perspective, I’d be willing to bet that plenty of employees are jumping on company networks and doing a spot of shopping in their lunch breaks, making the crazy sales risky for your business, too.
And it started with a Frenzy
Get in on the Click Frenzy action this year? I’d like to call it the real start of the shopping season.
The 24-hr event, held November 13-14, is now in its seventh year. In its inaugural year it drew a crowd of 1.6 million visitors, which had grown to 2.5 million visitors by 2017. We also have another couple of entrants in the mega 24-hr sale sphere coming up fast: Black Friday and Cyber Monday. These one-day sales promise outrageous bargains from some of Australia’s biggest retailers, such as Myer, Sony, Bonds, and Air New Zealand.
Black Friday and Cyber Monday are the US’s biggest shopping days, but they’re also carving out a path in Australia. And as awareness about these shopping events grows, so too do site visits: some industries (health and beauty) were up by almost 50% year on year over 2016-2017 for Black Friday, and sales were up overall by 16%. We no longer have to wait until the Boxing Day and New Year’s Sales - buy now!
Shopping that’ll make you throw sense out the window
Sales like these I like to call pressure shopping. They make people go mad – literally, get in a frenzy. I remember a time when people were getting physically trampled in the Boxing Day Sales, clambering over each other for a bargain. It’s madness. And although physical safety is assured from shopping online, digital safety is not.
Beware. Aussie consumers have reported over $2.7m in losses to online shopping scams so far this year - and that’s just what’s been reported.
While it can be a great time to pick up a good deal before festivities kick off (or to buy yourself a pressie), it’s also a great time for phishing emails to circulate. If you’re running a business and staff are online shopping at work and/or accessing their private emails, then it’s not only their problem, but your problem too.
Shopping out of our regular patterns
During the holiday season, we’re doing more shopping out of our comfort zone - buying gifts for other people in categories and with retailers we wouldn’t peruse ourselves. This might not only be from a Google search - perhaps it comes via an inbound email, or a recommendation on social media.
This is the time to stop and do some reconnaissance. Ask these questions:
- Are they a legitimate business? (Check reviews)
- Is this email coming from a legitimate address? (Check email domain)
- Are the links in the email going to the actual retailer’s website? (Compare with a Google search)
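The second and third checks can be run mechanically before anyone clicks. The sketch below is an added example, not part of the original article: it compares the sender's domain and every link destination in a message against the retailer's real domain. The domain `retailer.example`, the function names and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects the real destination (href) of every <a> tag, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_email(raw, retailer_domain):
    """Return a list of findings; an empty list means both checks passed."""
    msg = message_from_string(raw)
    findings = []
    # Check 1: the address inside <...>, not the display name, names the sender.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_host, retailer_domain):
        findings.append(f"sender domain {sender_host!r} is not {retailer_domain}")
    # Check 2: every link in the HTML body must land on the retailer's site.
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href in collector.hrefs:
        host = urlsplit(href).hostname or ""
        if not in_domain(host, retailer_domain):
            findings.append(f"link goes to {host!r}, not {retailer_domain}")
    return findings

def make_msg(sender, href):
    """Build a constructed sample message; the link text always shows the real name."""
    return (f"From: {sender}\nSubject: 24-hr sale\n"
            "Content-Type: text/html; charset=utf-8\n\n"
            f'<p>Ends midnight! <a href="{href}">retailer.example</a></p>\n')

# Constructed samples: one genuine, one where the retailer's name is only a prefix.
LEGIT = make_msg("Retailer <deals@news.retailer.example>",
                 "https://www.retailer.example/sale")
PHISH = make_msg("Retailer <deals@retailer.example.promo-mail.example>",
                 "https://retailer.example.checkout-secure.example/sale")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH)):
        print(name, check_email(raw, "retailer.example"))
```

Matching on the end of the hostname is what catches the second sample: the retailer's name appears at the start of both the sender address and the link, but the registered domain is someone else's.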
How might an online shopping scam work?
Let’s say a person clicks through an inbound phishing email, then reaches a retail website, “purchasing” items. This could have any number of lousy outcomes:
- They may receive “fake” items instead of the real ones they expected
- They may receive no items
- They may have their details stolen for fraud purposes
- The website may have a hidden payload inside that spreads malware.
Pressure tactics make the scene ripe for phishing
One-day sales like Black Friday put the onus on the customer to complete purchases as soon as possible, in case they lose the deal to someone who was quicker to click. The issue with this type of selling technique is that it’s also a technique used in phishing.
The time-critical tactic is a classic technique used to encourage targets to put aside their usual routine and validity checks. With buy-now-pay-later options like AfterPay available, which experienced a 700% increase for fashion retailers alone (between 2016-2017), the barriers to purchasing in an instant are even lower.
Letting the drive for grabbing a bargain overtake common sense can be a fatal mistake.
Consumers in bargain mode might see a one-day sale in their Inbox or on socials and simply click, click, click - because they’re already in that shopping groove - throwing regular security measures out the window.
This kind of mindless scrolling and surfing is synonymous with mobile use - bored on public transport, downtime at the desk, waiting for a breakfast buddy, in bed before sleep. Considering that mobile purchases have increased two-fold over the past 2 years, this makes mobile shopping perhaps even more vulnerable than desktop.
Be wary of parcel delivery and other sales-adjacent scams
It’s not just fake retailers that can trick consumers. There are other businesses involved in this chain that can also be mimicked, such as parcel delivery, tracking notifications, and banking services. We receive tens, even hundreds, of these messages over the course of the silly season, so it’s important to be able to tell the legitimate from the illegitimate.
I wrote last year about a fake DHL email that was doing the rounds which contained a trojan payload. Australia Post has just put out a similar bulletin about a scam email that looks to be from them. You’ll already be aware of faux banking emails, too, such as these Commonwealth Bank examples, or similar ANZ phishing attempts. There were even some fake bank apps available briefly on the Google Play store last year.
Avoid clicking through links on emails or downloading files unless you’re 100% certain that the sender is who they say they are.
Beefing up security
It’s always best to use a multi-layered approach with security. It’s just as important to fortify your business’s fortress in a technical sense as it is to educate your team as consumers and build a cyber-security culture.
I recommend MailGuard for beefing up your business email security, helping weed out the phishers and disable or quarantine likely hidden trojans in messages. It helps fight against those emails that look legitimate to the naked eye (be aware of how to spot a legitimate email address!).
Take the silly season as a good chance to give your staff a security refresher on the dangers of these types of online shopping events. Encourage your network to do the same to promote a wider security culture.
Share this article with them before they get to clicking.
Get the facts
Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.
Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.
I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
You can download my e-book for free, here.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.