With Black Friday and Cyber Monday among the most popular online shopping events of the year, it’s important for both businesses and individuals to be vigilant about their online safety.
A 2019 survey from Barclays found that almost a quarter of 18 to 34 year-olds had fallen for a Black Friday scam in the previous five years.
More recently, Barclays found that more than half of Britons (59%) will change their usual behaviour while looking for good deals this festive season, with 38% planning to shop in the Black Friday sales around 26th November. Almost a fifth of Black Friday shoppers (18%) said they felt under pressure last year to buy items as quickly as possible, and 14% said they would shop on unfamiliar websites if they had particularly good prices.
With average losses of £661 per victim through tricks such as fake adverts, selling non-existent goods, and personal data theft, how do consumers stay safe online? And, on the flip side, how do retailers give confidence to online purchasers that they are who they say they are while protecting their customers’ identities and transactions?
So what is the most common way people fall victim to a cyber attack or online fraud around the festive season? The answer is Phishing.
What is Phishing?
Phishing is a form of fraud in which an attacker imitates a reputable person or company in an email or other communication channel. The attacker sends out emails in order to distribute malicious attachments and links. These have a range of different functions, such as redirection to malicious sites, installation of malware such as keyloggers, spyware or ransomware, stealing login details, and identity theft. In some cases it’s easy to spot a phishing email, but sometimes it’s a lot more difficult and it’s easy to fall into the trap. Attackers don’t just use email. ‘Smishing’ is when the attacker targets a victim via text messages and ‘Vishing’ is when they target a victim directly over the phone.
Phishing can often be an initial phase or reconnaissance stage for future attacks. For example, once a victim has been lured into giving away personal information after clicking on a malicious link in an email, attackers may use those details for subsequent emails or phone calls.
Protecting Yourself Whilst Shopping Online
So, what can you do to protect yourself whilst shopping online for Christmas presents or treating yourself to a Black Friday deal?
We have a few tips for staying safe online:
- Make sure, no matter if you’re using a desktop or smartphone, you keep your OS, apps, browsers and security software such as Anti-Virus or Anti-Malware up to date before you start shopping.
- Look out for spam emails and deals that look too good to be true – they often are!
- Don’t click links if you are unsure about them
- Check the website you are buying from is genuine, safe and secure – check the domain name is spelt correctly, look for a padlock symbol on your browser’s URL bar and https:// instead of http://
- Keep the software on your devices up to date – this reduces the chances of you being vulnerable to hackers and viruses
- A Password Manager app can help create strong, unique passwords for each online shop account and online banking logins
Protecting Your Business on Black Friday
Black Friday scams and cyber attacks aren’t just a problem for the purchaser. Organisations and businesses can fall victim to attacks too. Not all attacks are discovered but this doesn’t mean that they’re less damaging than the known attacks.
If a business falls victim to a Phishing attack, this can cause breaches resulting in reputational damage, loss of custom, loss of company value, regulatory fines and business disruption. Phishing within an organisation can also lead to attackers gaining a foothold within the company network, which could put all company and customer data at risk. Every organisation needs a phishing response, along with robust infrastructure and application security to defend against multi-phased attacks.
As Phishing is a diverse attack vector there is no silver bullet for protection. You will have to consider the use of people, processes, and technologies in combination to deal with this constant threat.
Technology solutions that can help include:
- Mail Gateways to inspect and filter inbound and outbound email, blocking malicious content and attachments.
- Endpoint Security to provide anti-virus and anti-malware controls against known and unknown threats.
- Web Proxies and SSL inspection to restrict the domains that users can access and detect malware as it tries to download to client devices.
- Data Loss Prevention to monitor and control what information can pass between teams and outside your organisation.
- Application Delivery Controllers to quickly add Multi-factor authentication to any application and provide layer 7 Web Application Firewall capabilities.
Black Friday is fraught with malicious activity that aims to take down your web application servers at the most critical time, to have the greatest impact on your business and your customers. Distributed Denial of Service (DDoS) attacks that rock your web platform and take it down could cost you a lot of business and cause irreparable reputational damage in the process.
Hackers may also use Brute Force attacks against your customer login pages and try 1000s of passwords simultaneously, or Credential Stuffing attacks that use credentials known to be valid against your customer database.
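The two login attacks described above leave different traces in authentication logs, which the following added example (not FullProxy's code) separates. The log format, thresholds, addresses and account names are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# All thresholds are assumed values for illustration; tune them to your traffic.
WINDOW = timedelta(minutes=10)
BRUTE_FAILS = 20      # failures against ONE account inside the window
STUFF_ACCOUNTS = 15   # distinct accounts tried by ONE source inside the window
STUFF_MAX_TRIES = 2   # stuffing tries each account only once or twice

def parse(line):
    """Parse 'ISO-timestamp source-ip username OK|FAIL' (constructed format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect(lines):
    """Return accounts under brute force and sources doing credential stuffing."""
    events = sorted(parse(l) for l in lines if l.strip())
    fails_by_user, tries_by_ip = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails_by_user[user].append(ts)
        tries_by_ip[ip].append((ts, user))
    # Brute force: BRUTE_FAILS failures on one account within WINDOW, any source.
    brute = {user for user, s in fails_by_user.items()
             if any(s[i + BRUTE_FAILS - 1] - s[i] <= WINDOW
                    for i in range(len(s) - BRUTE_FAILS + 1))}
    # Credential stuffing: one source touching many accounts, few tries each.
    stuffing = set()
    for ip, tries in tries_by_ip.items():
        for start, _ in tries:
            seen = Counter(u for ts, u in tries if start <= ts <= start + WINDOW)
            if sum(n <= STUFF_MAX_TRIES for n in seen.values()) >= STUFF_ACCOUNTS:
                stuffing.add(ip)
                break
    return {"brute_force": brute, "credential_stuffing": stuffing}

def sample_log():
    """Constructed sample data: one attacked account, one stuffing source, one user."""
    t0, out = datetime(2021, 11, 26, 9, 0), []
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    for i in range(30):   # 30 failed guesses against 'alice'
        out.append(f"{stamp(10 * i)} 203.0.113.5 alice FAIL")
    for i in range(20):   # 20 accounts, one attempt each, some succeed
        out.append(f"{stamp(5 * i)} 198.51.100.7 user{i} {'OK' if i % 10 == 0 else 'FAIL'}")
    out += [f"{stamp(0)} 192.0.2.10 bob FAIL", f"{stamp(30)} 192.0.2.10 bob OK"]
    return out

if __name__ == "__main__":
    print(detect(sample_log()))
```

Grouping by source IP is a simplification; group by whatever client identifier your platform actually logs.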
It’s not just about what we can see, it’s more about what we can’t see and that’s what we should be most concerned about. Would you know if you were under attack from cyber criminals and what action to take should a breach be discovered? What if you’ve already been attacked by some black hat hacker who has inserted a stored cross-site scripting payload into your web code, just waiting for your busiest day of the year to take advantage? What if you didn’t even know of the compromise until it was too late, and the damage was done?
We often hear businesses say: “It’s all good, we’re protected with our Internet edge firewall, in fact, we have a bunch of firewalls so we’re covered, thanks,” but how well are you really protected? A lot of the time the fundamentals of good security are not particularly well understood, and the ever-increasing application layer attack surface is often overlooked.
How FullProxy Can Help
As a business, it is sometimes hard to know who to turn to for advice or to understand where to direct your efforts for best effect. At FullProxy we offer businesses a free Cyber Security Review to provide you with a deeper insight and awareness of your security infrastructure, offering advice on essential next steps, industry best practice and ongoing ways to improve your security posture and address compliance concerns while lowering your security risk and exposure.
FullProxy is also able to provide further services around Penetration Testing, Ethical Hacking and Certificate and Cryptographic Review to give visibility of your web app and website security.
If you’d like to discuss or review your current security posture or would like to know more about how we can protect your business please feel free to get in touch and one of our team of Cyber Security Consultants would be happy to help.