In a year gutted by a worldwide pandemic, the 2020 year-end holiday and shopping season will be unlike any other.
Be it marking Thanksgiving, Christmas and the New Year while socially distancing (Zoom family dinners, anyone?), to organizing year-end company parties and team-building sessions for remote employees, we are finding all sorts of inventive, COVID-safe ways to connect, celebrate & reflect as we enter 2021 with cautious optimism.
You can count on one thing to remain the same though: Cybercriminals exploiting the year-end festivities to trick businesses.
It starts with what I like to call silly (shopping) season, beginning with Click Frenzy, Black Friday and Cyber Monday in November, and lasts till the Christmas and New Year holidays at the end of December. The period includes mega sales promising outrageous bargains from some of the biggest retailers – sales that are enormously popular around the world. Cyber Monday, for example, has become the biggest event on the shopping calendar, raking in US$9.4 Billion in 2019, according to Adobe Analytics.
And this year, the numbers are expected to be bigger. Online shopping has already spiked due to the COVID-19 pandemic, with more people turning to the Internet to shop for goods, including essentials (online grocery sales in Australia, for instance, shot up by more than 45% since the advent of the pandemic). The holiday season is expected to accelerate this trend. According to a recent survey from CreditCards.com, more than 70% of Americans will make most of their holiday purchases online this year, compared with 51% in 2019.
Unfortunately, cybercriminals know all this too, and are likely to capitalize on the opportunity to trick our customers & their employees, who may be more distracted and vulnerable following a particularly difficult year. With workforces becoming increasingly remote, employees may be using corporate devices on home networks to indulge in some retail therapy and shop the best deals of the season. The heightened risk of cybercrime during this period is not only their problem, but a company-wide issue.
Over the next couple of months, employees’ social networks and personal & professional inboxes will be flooded (if they aren’t already) with special deals and incentives advertising cars, computers, clothes, television sets – you name it. Letting the drive for grabbing a bargain overtake common sense can be a fatal but very real mistake. Employees in bargain mode might see a one-day sale and simply click, click, click - because they’re already in that shopping groove - throwing regular security measures out the window. Someone in your client’s finance department, for example, may excitedly click on a fraudulent email advertising an amazing Black Friday deal using her work computer. This may initiate the download of a malicious payload, resulting in compromised browser security and a whole computer system, including sensitive company data, to potentially fall victim to malicious intent.
And this is already happening. Authorities worldwide are warning about the uptick in scams related to online shopping. UK’s National Cyber Security Centre has issued a new alert urging online shoppers searching for Black Friday bargains to stay safe, adding that “at this time of year…inboxes are filling up with promotional emails promising incredible deals, making it hard to tell real bargains from scams”. The Australian Consumer & Competition Commission reports that Australians have already lost approximately $7 million this year to online shopping scams, with the majority being delivered via email. Similarly, The FBI warns of “major online scams ahead of the holiday season”, urging users to watch out for fraudulent phishing emails that are hitting inboxes, purporting to be from Amazon and asking people to update their payment information.
It’s not surprising to see the acceleration of email-borne cybercrime during this period, with scammers using lures like year-end shopping deals and gifts (like this e-Gift offering a free massage) to trick users. Towards the end of every year, my team at MailGuard intercepts several email scams that exploit the brands of retailers. Additionally, it’s not just retailers that are the subject of email scams during this period. There are other businesses involved in this chain that can also be mimicked – such as parcel delivery, tracking notifications, and banking services. This is a period when e-commerce is boiling over and credit card companies, retailers and couriers are all frantically trying to keep up with customer demand. The use of global online payment systems like PayPal, for example, is at an all-time high during the season, and cybercriminals exploit this spike to trick users, citing issues with their accounts to spark panic and urgency (like this phishing email scam we intercepted at the end of last year).
As crazy hot sales and year-end promotions start to fill inboxes, here are some tips that you can share with your customers as you continue conversing on bolstering their cyber defences amid this period of heightened risk:
1) Be wary of emails containing too-good-to-be-true shopping deals
If it’s too good to be true, it probably is. Scammers often advertise benefits or items at unbelievably low prices in order to spark excitement and distract users from checking the legitimacy of the email. We often intercept email scams involving free services, gift cards, surveys offering special discounts if you participate, and many more. If your customers have received such an email, it’s the time for them to stop and do some reconnaissance. Ask these questions:
- Are they a legitimate business? (Check reviews)
- Is this email coming from a legitimate address? (Check email domain)
- Are the links in the email going to the actual retailer’s website? (Compare with a Google search)
The US Cybersecurity & Infrastructure Security Agency (CISA) also recommends following the below tips to avoid being scammed while shopping online:
- Do business with reputable vendors – Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor. Some attackers may try to trick you by creating malicious websites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.) Attackers may obtain a site certificate for a malicious website to appear more authentic, so review the certificate information, particularly the "issued to" information. Locate and note phone numbers and physical addresses of vendors in case there is a problem with your transaction or your bill.
- Make sure your information is being encrypted – Many sites use secure sockets layer to encrypt information. Indications that your information will be encrypted include a Uniform Resource Locator (URL) that begins with "https:" instead of "http:" and a padlock icon. If the padlock is closed, the information is encrypted. The location of the icon varies by browser; for example, it may be to the right of the address bar or at the bottom of the window. Some attackers try to trick users by adding a fake padlock icon, so make sure that the icon is in the appropriate location for your browser.
- Be wary of emails requesting information – Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information. (See Avoiding Social Engineering and Phishing Attacks.) Legitimate businesses will not solicit this type of information through email. Do not provide sensitive information through email. If you receive an unsolicited email from a business, instead of clicking on the provided link, directly log on to the authentic website by typing the address yourself.
- Check your statements – Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately. (See Preventing and Responding to Identity Theft.)
2) Know how to spot a malicious email
I’ve often said that if we want to make businesses safer from hacking and cybercrime, we must give teams the knowledge to make good security choices. It doesn’t just happen; it’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defense. And with more employees working remotely this year, this knowledge becomes more critical than ever.
Knowing how to spot a malicious email can undoubtedly get tricky – cybercriminals are, in fact, coming up with new, innovative ways every day to deceive you into thinking a hoax email is a real one. Their techniques range from using high quality graphical elements through to ironically using safety features (such as safety questions) to trick users into clicking on malicious links.
As a precaution, users should not click links within emails that:
- Are not addressed to them by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that they were not expecting to hear from.
- Take them to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
Remind your customers & their teams that whenever they get an email asking them to click on a login link or disclose personal information, they should be skeptical. In addition, they should be suspicious of any email that asks them to view or download files. It’s always a good idea to hover a mouse pointer over links in emails and check the domain they’re pointing to. If they look suspicious or unfamiliar, don’t open them. The best option is to type the address directly into a web browser if they’re not sure about the link. Similarly, users can check the sender details of emails by clicking on the ‘details’ link in the address header. In the ‘details’ drop down button, they will be able to see the full email address of the person or company who sent the email. Look closely at the sender address and check for anything odd or inconsistent about the URL or spelling.
3) Good password hygiene is critical
It’s 2020, and weak passwords like “123456” are still commonly used, with experts warning scammers take less than a second to crack them. As hackers continue using techniques like password spraying (the technique that led to the massive Citrix data breach ) to hack into accounts and steal sensitive data, it’s vital to ensure your customers’ password game is strong.
When purchasing goods online, many retailers require users to create online accounts within their platforms. Choosing strong and unique passwords for each account is advisable, making sure users are not saving any confidential banking and/ or credit card data online while making their purchases. It’s particularly dangerous to use the same password as the one used in their primary email account. Hackers who have obtained the password for a primary email account might be able to access other accounts linked to that email too (banking, shopping, secondary email accounts, etc), enabling them to not only steal confidential data but also users’ identity. Remind businesses to take advantage of reputable services such as HaveIBeenPwned to see if emails and/or passwords have been compromised in any data breaches. They can also use multi-factor authentication (MFA) to protect their passwords making it harder for phishing scammers to hack into systems. When a user wants to login to an account they have to pass a second stage of authentication which commonly involves downloading an authenticator app on a mobile device.
4) Adopt a multi-layered approach to email security
I also recommend proactively assisting your customers in reviewing their email security measures to mitigate the risks of online shopping scams perpetrated via email. Taking a multi-layered approach is fundamental. We know that nine out of 10 businesses are being impacted by phishing, even when most businesses have an email security solution in place. No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a third-party cloud email solution like MailGuard.
2020 was a particularly difficult year, and we are all still grappling with the current pandemic, and the enormous health and economic stresses that it triggered, threatening business continuity and operational resilience among many companies. As the year ends, the last thing our customers need is for a cyber-attack to mar the much-needed joy of the festive period: gratitude for our teams and families, a celebration of our collective achievements, and excitement for what the next year will bring.
Unfortunately, the year-end shopping season is, and will always remain, hunting season. Use it as an opportunity to give your customers a security refresher on the dangers of these online shopping events and how to remain protected. Encourage your network to do the same to promote a wider security culture.
I wish all businesses a cyber safe and secure shopping season.
What strategies are you advocating to your clients, to ensure their businesses and their data are protected from online shopping scams? I'd love to hear your views. Leave your comments below.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993