In a year gutted by a worldwide pandemic, the 2020 year-end holiday and shopping season will be unlike any other.
Be it marking Thanksgiving, Christmas and the New Year while socially distancing (Zoom family dinners, anyone?), to organizing year-end company parties and team-building sessions for remote employees, we are finding all sorts of inventive, COVID-safe ways to connect, celebrate & reflect as we enter 2021 with cautious optimism.
You can count on one thing to remain the same though: Cybercriminals exploiting the year-end festivities to trick users.
It starts with what I like to call silly (shopping) season, beginning with Click Frenzy, Black Friday and Cyber Monday in November, and lasts till the Christmas and New Year holidays at the end of December. The period includes mega sales promising outrageous bargains from some of the biggest retailers – sales that are enormously popular around the world. Cyber Monday, for example, has become the biggest event on the shopping calendar, raking in US$9.4 Billion in 2019, according to Adobe Analytics.
And this year, the numbers are expected to be bigger. Online shopping has already spiked due to the COVID-19 pandemic, with more people turning to the Internet to shop for goods, including essentials (online grocery sales in Australia, for instance, shot up by more than 45% since the advent of the pandemic). The holiday season is expected to accelerate this trend. According to a recent survey from CreditCards.com, more than 70% of Americans will make most of their holiday purchases online this year, compared with 51% in 2019.
Unfortunately, cybercriminals know all this too, and are likely to capitalize on the opportunity to trick your employees, who may be more distracted and vulnerable following a particularly difficult year. With workforces becoming increasingly remote, employees may be using corporate devices on home networks to indulge in some retail therapy and shop the best deals of the season. The heightened risk of cybercrime during this period is not only their problem, but a company-wide issue.
Over the next couple of months, your employees’ social networks and personal & professional inboxes will be flooded (if they aren’t already) with special deals and incentives advertising cars, computers, clothes, television sets – you name it. Letting the drive for grabbing a bargain overtake common sense can be a fatal but very real mistake. Employees in bargain mode might see a one-day sale and simply click, click, click - because they’re already in that shopping groove - throwing regular security measures out the window. Someone in your finance department, for example, may excitedly click on a fraudulent email advertising an amazing Black Friday deal using her work computer. This may initiate the download of a malicious payload, resulting in compromised browser security and a whole computer system, including sensitive company data, to potentially fall victim to malicious intent.
And this is already happening. Authorities worldwide are warning about the uptick in scams related to online shopping. UK’s National Cyber Security Centre has issued a new alert urging online shoppers searching for Black Friday bargains to stay safe, adding that “at this time of year…inboxes are filling up with promotional emails promising incredible deals, making it hard to tell real bargains from scams”. The Australian Consumer & Competition Commission reports that Australians have already lost approximately $7 million this year to online shopping scams, with the majority being delivered via email. Similarly, The FBI warns of “major online scams ahead of the holiday season”, urging users to watch out for fraudulent phishing emails that are hitting inboxes, purporting to be from Amazon and asking people to update their payment information.
It’s not surprising to see the acceleration of email-borne cybercrime during this period, with scammers using lures like year-end shopping deals and gifts (like this e-Gift offering a free massage) to trick users. Towards the end of every year, my team at MailGuard intercepts several email scams that exploit the brands of retailers. Additionally, it’s not just retailers that are the subject of email scams during this period. There are other businesses involved in this chain that can also be mimicked – such as parcel delivery, tracking notifications, and banking services. This is a period when e-commerce is boiling over and credit card companies, retailers and couriers are all frantically trying to keep up with customer demand. The use of global online payment systems like PayPal, for example, is at an all-time high during the season, and cybercriminals exploit this spike to trick users, citing issues with their accounts to spark panic and urgency (like this phishing email scam we intercepted at the end of last year).
As crazy hot sales and year-end promotions start to fill inboxes, here are some tips for you and your teams that can help reduce the risk of online fraud and keep your business cyber secure this festive season.
1) Be wary of emails containing too-good-to-be-true shopping deals
If it’s too good to be true, it probably is. Scammers often advertise benefits or items at unbelievably low prices in order to spark excitement and distract users from checking the legitimacy of the email. We often intercept email scams involving free services, gift cards, surveys offering special discounts if you participate, and many more. If your employees have received such an email, it’s the time to stop and do some reconnaissance. Ask these questions:
- Are they a legitimate business? (Check reviews)
- Is this email coming from a legitimate address? (Check email domain)
- Are the links in the email going to the actual retailer’s website? (Compare with a Google search)
The US Cybersecurity & Infrastructure Security Agency (CISA) also recommends following the below tips to avoid being scammed while shopping online:
- Do business with reputable vendors – Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor. Some attackers may try to trick you by creating malicious websites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.) Attackers may obtain a site certificate for a malicious website to appear more authentic, so review the certificate information, particularly the "issued to" information. Locate and note phone numbers and physical addresses of vendors in case there is a problem with your transaction or your bill.
- Make sure your information is being encrypted – Many sites use secure sockets layer to encrypt information. Indications that your information will be encrypted include a Uniform Resource Locator (URL) that begins with "https:" instead of "http:" and a padlock icon. If the padlock is closed, the information is encrypted. The location of the icon varies by browser; for example, it may be to the right of the address bar or at the bottom of the window. Some attackers try to trick users by adding a fake padlock icon, so make sure that the icon is in the appropriate location for your browser.
- Be wary of emails requesting information – Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information. (See Avoiding Social Engineering and Phishing Attacks.) Legitimate businesses will not solicit this type of information through email. Do not provide sensitive information through email. If you receive an unsolicited email from a business, instead of clicking on the provided link, directly log on to the authentic website by typing the address yourself.
- Check your statements – Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately. (See Preventing and Responding to Identity Theft.)
2) Know how to spot a malicious email
I’ve often said that if we want to make our businesses safer from hacking and cybercrime, we must give our teams the knowledge to make good security choices. It doesn’t just happen; it’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defense. And with more employees working remotely this year, this knowledge becomes more critical than ever.
Knowing how to spot a malicious email can undoubtedly get tricky – cybercriminals are, in fact, coming up with new, innovative ways every day to deceive you into thinking a hoax email is a real one. Their techniques range from using high quality graphical elements through to ironically using safety features (such as safety questions) to trick users into clicking on malicious links.
As a precaution, don’t click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
Remind your employees that whenever they get an email asking them to click on a login link or disclose personal information, they should be sceptical. In addition, they should be suspicious of any email that asks them to view or download files. It’s always a good idea to hover a mouse pointer over links in emails and check the domain they’re pointing to. If they look suspicious or unfamiliar, don’t open them. The best option is to type the address directly into a web browser if they’re not sure about the link. Similarly, employees can check the sender details of emails by clicking on the ‘details’ link in the address header. In the ‘details’ drop down button, they will be able to see the full email address of the person or company who sent the email. Look closely at the sender address and check for anything odd or inconsistent about the URL or spelling.
3) Good password hygiene is critical
It’s 2020, and weak passwords like “123456” are still commonly used, with experts warning scammers take less than a second to crack them. As hackers continue using techniques like password spraying (the technique that led to the massive Citrix data breach) to hack into accounts and steal sensitive data, it’s vital to ensure your employees’ password game is strong.
When purchasing goods online, many retailers require users to create online accounts within their platforms. Choosing strong and unique passwords for each account is advisable, making sure your employees are not saving any confidential banking and/ or credit card data online while making their purchases. It’s particularly dangerous to use the same password as the one used in their primary email account. Hackers who have obtained the password for a primary email account might be able to access other accounts linked to that email too (banking, shopping, secondary email accounts, etc), enabling them to not only steal confidential data but also users’ identity. Employees can take advantage of reputable services such as HaveIBeenPwned to see if emails and/or passwords have been compromised in any data breaches. They can also use multi-factor authentication (MFA) to protect their passwords making it harder for phishing scammers to hack into systems. When a user wants to login to an account they have to pass a second stage of authentication which commonly involves downloading an authenticator app on a mobile device.
4) Adopt a multi-layered approach to your email security
I also recommend ensuring your business email security is up to scratch to prevent being duped by online shopping scams perpetrated via email. Nine out of 10 cyber-attacks start with an email, so I encourage companies to adopt a strategic, multi-layered approach when it comes to their email security. It’s sometimes referred to as a ‘defense in depth’ approach, designed to defend a system against attacks using several different methods and solutions, in the event that if one fails, the others will stop the threat.
You may already have native security from your email hosting provider, like Google or Microsoft, but it’s key to remember that no one vendor can stop all attacks. It was our rationale for developing our latest solution, MailGuard 365, co-built with Microsoft to protect Microsoft 365 users. We know threats get through even the most robust defenses, so after a traditional mail-exchange vendor has scanned an email, and after it has by-passed Microsoft 365, our new solution sits as the last line of defense to stop anything that has evaded detection. For more information on how MailGuard 365 can enhance your business email security, feel free to reach out to my team at firstname.lastname@example.org.
2020 was a particularly difficult year, and we are all still grappling with the current pandemic, and the enormous health and economic stresses that it triggered, threatening business continuity and operational resilience among many companies. As the year ends, the last thing our businesses need is for a cyber-attack to mar the much-needed joy of the festive period: gratitude for our teams and families, a celebration of our collective achievements, and excitement for what the next year will bring.
Unfortunately, the year-end shopping season is, and will always remain, hunting season. Use it as an opportunity to give your staff a security refresher on the dangers of these online shopping events and how to remain protected. Encourage your network to do the same to promote a wider security culture.
I wish you all a cyber safe and secure shopping season.