The Dark Side of Black Friday

by | Nov 29, 2019 | Insights, Security | 0 comments

Black Friday Cyber Security
With the Black Friday and Cyber Monday events rapidly turning into a two week season in its own right there has possibly never been a better time for the savvy shopper to grab a pre-Christmas bargain but equally, for the less vigilant online purchaser, it has never been easier to fall foul of the tricks of Cyber criminals.  This is the dark side of Black Friday.

With one report by the Centre for Retail Research for VoucherCodes suggesting that spending in the UK over the fortnight set to hit £29.57 billion, the highest in Europe across the period and a staggering 29% higher than second placed Germany, it is clear to see that Brits are lured by a deal.  Many of these offers however prove too good to be true.

In light of the recent survey findings from Barclays that almost a quarter of 18 to 34-year-olds have fallen for a Black Friday scam in the past five years with average losses of £661 per victim through tricks such as fake adverts, selling non-existent goods, and personal data theft, how do consumers stay safe online?  On the flip side how do retailers give confidence to online purchasers that they are who they say they are while protecting their customers identity and transactions?

Would you click me?

Amazon Scam 3

If you said yes, you’ve fallen for a well-practiced cyber-attack, this email formed part of a recent large scale campaign targeting unwary Amazon shoppers. Cyber criminals use emails like these to initiate their attacks.  Scams can be initiated by text message, phone call or by social media but ones that arrive in your inbox are called ‘phishing emails’.

What is phishing?

Phishing is a form of fraud in which an attacker imitates a reputable person or company in an email or other communication channels. The attacker sends out emails in order to distribute malicious attachments and links. These links have a range of different functions such as redirection to malicious sites, installation of malware such as keyloggers, spyware or ransomware, stealing login details and identity theft. In some cases, it’s easy to spot a phishing email but sometimes it’s a lot more difficult and it’s easy to fall into the trap. It’s not just emails they use. ‘Smishing’ is when the attacker targets a victim via text messages and ‘Vishing’ where they target directly over the phone.

Phishing can often be initiation phase or reconnaissance stage for future attacks. For example, having been lured in to giving away personal information after clicking on a malicious link in an email, attackers may use those details for subsequent emails or phone calls.

“It’s not just consumer who are at risk. Phishing accounted for 21% of all breaches in 2019 and is used by all threat actors, from cyber criminals to nation states. Malicious emails are becoming harder to identify as fake and once a victim clicks on a link attackers are using an increasing amount of encryption to hide their activities. Over 71% of phishing sites use secure HTTPS connections so that they get the ‘padlock’ in the browser that everyone has been trained to look for. ”

David Warburton  |  Senior Threat Research Evangelist EMEA  |  F5 Labs

For consumers

As always, make sure, no matter if you’re using desktop or smartphone, you keep your OS, apps, browsers and security software such as Anti-Virus or Anti-Malware up to date before you start shopping.

Top tips on defending against Phishing

  1. Don’t click on any links in emails that you weren’t expecting to receive, it’s always safer to type in the address of the website yourself or look it up using a popular search engine.
  2. If the email has a sense of urgency like “You have 24 hours” it’s likely to be a phishing email, most reputable companies will give you plenty of notice.
  3. Check who the sender is. Is it their usual email they use to contact you?
  4. Check for slight spelling errors and mistakes throughout the email.
  5. If it opens in a generic, impersonal tone such as “Dear user” it’s likely the same email has been sent to multiple people as spam. Be mindful, however, that even if it is personalised your details may have been grabbed from large scale data breach.
  6. If you’re not sure about an email, call the sender using a number from their site. Don’t call the number in an email or pop-up.
  7. If it sounds too good to be true it most likely is.

 

For Businesses

It isn’t just a home user problem; we no doubt all have access to the internet at work from our company computers.  What happens if we are phished while in the office?

Organisations and businesses can fall victim to phishing attacks too. Not all attacks are discovered but this doesn’t mean that they’re less damaging than the known attacks. Phishing can cause breaches resulting in; reputational damage, loss of custom, loss of company value, regulatory fines and business disruption. If the phishing is targeting an organisation, then phishing can lead to attackers gaining a foothold within the company network. Every organisation needs a phishing response and to have robust infrastructure and application security to defend against multi-phased attacks.

As Phishing is a diverse attack vector there is no silver bullet for protection.  You will have to consider the use of people, processes and technologies in combination to deal with this constant threat. Technology solutions which can help include:

  • Mail Gateways to inspect and filter inbound and outbound email, blocking malicious content and attachments.
  • Endpoint Security to provide anti-virus and anti-malware controls against known and unknown threats.
  • Web Proxys and SSL inspection to restrict the domains that users can access and detect malware as it tries to download to client devices.
  • Data Loss Prevention to monitor and control what information can pass between teams and out with your organisation.
  • Application Delivery Controllers to quickly add Multi-factor authentication to any application and provide layer 7 Web Application Firewall capabilities.

 

We can help

As a business it is sometimes hard to know who to turn for advice or to understand where to direct your efforts for best affect.  At FullProxy we offer businesses a free Cyber Security Review to provide you with a deeper insight and awareness of your security infrastructure, offering advice on essential next steps, industry best practice and ongoing ways to improve your security posture and address compliance concerns while lowering your security risk and exposure.

FullProxy are also able to provide further services around Penetration Testing, Ethical Hacking and Certificate and Cryptographic Review to give visibility of your web app and web site security.

If you would be interested in speaking to one of our experts about a free Cyber Security Review then email direct to

blackfriday@fullproxy.com

 

By Ewan Ferguson

Check Out These Related Posts

0 Comments