Time to Warn Users About Black Friday and Cyber Monday Scams

Warn your employees to avoid the inevitable scams associated with these two “holidays,” or you risk compromising your company’s network.

With Black Friday and Cyber Monday right around the corner, cybercriminals are switching tactics. Rather than preying on the fear that our Microsoft Office, PayPal, or bank accounts have been locked, criminals are launching phishing scams that prey on our desire to get a great holiday shopping deal. After all, they know that at this time of year, consumers are spending money and looking for bargains.

And let’s be honest with ourselves: Even if your company discourages employees from shopping on their company-supplied computers or smartphones, it’s going to happen — especially at this time of year. And that puts your organization at risk.

Holiday phishing scams lure potential victims with offers of online deals and coupons. E-commerce retailers are primary targets for spoofing — during the holidays, Amazon tops the list of branded phishing scams, beating out Microsoft. However, legitimate brick-and-mortar stores are also aggressively offering coupons for Black Friday and Cyber Monday, making them targets for spoofing as well.

Unfortunately, at this time of year people tend to be less suspicious and more likely to fall for phishing emails featuring trusted retailer brands, particularly if they regularly receive legitimate email from those companies. Research from Verizon also shows that users are significantly more susceptible when the attack arrives on a mobile phone.

Telling the Real Deals from the Fakes
The challenge email administrators and users face is how to tell the real holiday deals from the credential-harvesting phishing scams, which make up 40.9% of phishing attacks. In credential-harvesting attacks, the email itself mimics communication from the real brand, often using convincing logos and design.

Instead of the typical “ask” to change a password, however, the holiday phishing email will display a coupon or a special shopping offer of some kind. Other lures include bogus gift card offers, giveaways, contests, and too-good-to-be-true deals. The scams will also try to create a sense of “act now” urgency, like putting time limits on the deals.

The goal of the bad actor is to get the email recipients to click on a malicious link to a web page that spoofs the legitimate retailer or brand — the credential-harvesting page — and fools users into giving up their login credentials, credit card information, or personal data that can be used for identity theft.

Tips to Pass Along to Users
Education is critical to countering phishing scams. Research from Google found that even with on-the-job training and news coverage, 40% of people cannot define phishing correctly, and Gen Z users are even less likely to know what “phishing” means.


Black Friday and Cyber Monday present a great opportunity to caution your employees about the risks out there and tell them how to protect themselves. Share these tips, with the reminder that they apply year-round, not just during the holidays.

  • Hover over all URLs and make sure they are going to a legitimate website. Watch out for “lookalikes” such as “Amazon.co” instead of “Amazon.com,” and never trust shortened URLs. Check links for typos, repeated letters, or other flaws that can indicate a spoofed site. When in doubt, type the web address into your browser window by hand.
  • Pay close attention to the sender’s email address. The domain name should match the retailer’s legitimate website. If you’re reading email on your cell phone, expand the sender name to see the address.
  • Only download shopping apps from trusted stores, like the Apple App Store or Google Play.
  • If a coupon or deal is legitimate, the retailer won’t ask you to log in to see it. Don’t give away your login credentials to scammers.
  • If the deal seems to be too good to be true, it probably is. Don’t take the bait.
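
The link and sender checks in the tips above, written out as a small Python script. This is an added example for this article, not code from the original page or from any retailer: it compares a link's registrable domain against a constructed allowlist of retailer domains, flags URL shorteners and lookalikes (the brand under the wrong suffix such as "amazon.co", the brand placed left of the real domain such as "amazon.com.deals-now.example", a hyphenated brand name, or a one-character typo such as "amaz0n.com"), compares the host named in visible link text with the real link target the way a hover does, and checks that the actual address in a From: header, not its display name, belongs to the retailer. The retailer list, shortener list, public-suffix table and sample messages are all constructed for illustration; a production tool would use the Public Suffix List (for example via tldextract) instead of the three-entry suffix table.

```python
"""Link and sender checks for holiday-phishing lures.

Added example for this article, not code from the original page or any retailer.
The retailer allowlist, shortener list, suffix table and sample inputs below are
all constructed for illustration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: registrable domains of retailers the user actually shops at.
LEGIT_DOMAINS = {"amazon.com", "walmart.com", "bestbuy.com", "target.com"}

# Constructed list of URL shorteners. The article's advice is never to trust them,
# because the true destination is hidden until after the click.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Minimal stand-in for the Public Suffix List; a real tool would use tldextract.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# A host name appearing inside visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def registrable_domain(host: str) -> str:
    """'www.amazon.com' -> 'amazon.com'; 'shop.amazon.co.uk' -> 'amazon.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (typos, doubled letters, 0-for-o swaps)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legit', 'shortener', 'lookalike' or 'unknown' for a link target."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg in SHORTENERS:
        return "shortener"
    # Every dot- or hyphen-separated word in the host, so that
    # amazon.com.deals-now.example -> ['amazon', 'com', 'deals', 'now', 'example'].
    words = host.replace("-", ".").split(".")
    reg_label = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in words:  # brand used as a subdomain, wrong suffix, or hyphenated name
            return "lookalike"
        if levenshtein(reg_label, brand) <= 1:  # amaz0n.com, amazonn.com, amazn.com
            return "lookalike"
    return "unknown"


def hover_check(link_text: str, href: str) -> bool:
    """True when the visible link text names one site but the link really goes elsewhere.

    This is what hovering over a link (or long-pressing it on a phone) reveals.
    Link text with no host in it ('Click here') gives nothing to compare, so False.
    """
    m = HOST_IN_TEXT.search(link_text.lower())
    if not m:
        return False
    real_host = urlparse(href if "://" in href else "http://" + href).hostname or ""
    return registrable_domain(m.group(1)) != registrable_domain(real_host)


def sender_domain_matches(from_header: str, retailer_domain: str) -> bool:
    """True only if the real address, not the display name, belongs to the retailer.

    Mobile clients often show only the display name, which is why the article says
    to expand it: '"no-reply@amazon.com" <promo@evil.example>' displays as the
    quoted part while the mail actually comes from evil.example.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) == retailer_domain


if __name__ == "__main__":
    # Constructed sample of the kind of message the article describes.
    sample_from = '"Amazon.com Deals" <offers@amazon-blackfriday.shop>'
    sample_links = [
        ("www.amazon.com/deals", "https://www.amazon.com/deals"),
        ("Claim your 60% coupon", "http://amazon.com.deals-now.example/login"),
        ("amazon.com", "https://amaz0n.com/coupon"),
        ("See offer", "https://bit.ly/3abc"),
    ]
    print("sender domain matches retailer:", sender_domain_matches(sample_from, "amazon.com"))
    for text, href in sample_links:
        print(f"{href:45} {classify_url(href):10} hover mismatch: {hover_check(text, href)}")
```

The edit-distance threshold of one catches the single typos and doubled letters the tip describes while keeping false positives low; raising it would also flag unrelated brands that happen to be two edits from a retailer's name. A link whose text is a plain phrase cannot be caught by the hover comparison at all, which is why `classify_url` is run on the target as well.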

Remember, Black Friday and Cyber Monday scams depend on creating a sense of urgency, using these special shopping days to spur immediate action and grab deals before they’re gone. Resist the sense of urgency. Stop and think before you click.


Cyberattacks Now Cost Small Companies $200,000 on Average, Putting Many Out of Business

Scott Steinberg, special to CNBC.com
KEY POINTS
  • Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.
  • These incidents now cost small businesses $200,000 on average, reveals insurance carrier Hiscox, with 60% of them going out of business within six months of being victimized.
  • More than half of all small businesses suffered a breach within the last year.
  • Today it’s critical for small businesses to adopt strategies for fighting cyberthreats.


In an age of ongoing digital transformation, cybercrime has quickly become today’s fastest-growing form of criminal activity. Equally worrying for modern executives, it’s also set to cost businesses $5.2 trillion worldwide within five years, according to Accenture.

With 43% of online attacks now aimed at small businesses, a favorite target of high-tech villains, yet only 14% prepared to defend themselves, owners increasingly need to start making high-tech security a top priority, according to network security leaders.

“Modern IT infrastructures are more complex and sophisticated than ever, and the amount of virtual ground that we’ve got to safeguard has also grown exponentially,” explains Jesse Rothstein, CTO of online security provider ExtraHop. “From mobile to desktop interactions, cybercriminals can launch thousands of digital attacks designed to compromise your operations at every turn, only one of which ever needs to connect to cause serious disruption.”

As a result, he says, it’s guaranteed that virtually every modern organization’s high-tech perimeters will eventually be breached. This being the case, for small business owners, it’s no longer a matter of considering if security threats will arise, but rather thinking in terms of when.

Worse, the consequences of cyberattacks continue to grow, with digital incidents now costing small businesses $200,000 on average, according to insurance carrier Hiscox, and 60% going out of business within six months of being victimized. The frequency with which these attacks are happening is also increasing, with more than half of all small businesses having suffered a breach within the last year and 4 in 10 having experienced multiple incidents, reveals Hiscox.

At the same time, though, according to Keeper Security’s 2019 SMB Cyberthreat Study, 66% of senior decision-makers at small businesses still believe they’re unlikely to be targeted by online criminals. Similarly, 6 in 10 have no digital defense plan in place whatsoever, underscoring the need for heightened industry awareness and education across the board.

“Attackers are getting smarter, attacks are occurring faster, and incidents are becoming more complex,” cautions Justin Fier, director of cyberintelligence and analytics at cyberdefense firm Darktrace. “The latest cyberattacks speedily exploit vulnerabilities in computer networks — which [can be infected] like human immune systems, changing thousands of times per second — and can overtake even major networks in an hour and a half.”

A visualization of the Darktrace artificial intelligence in action. Photo courtesy Darktrace.

What’s more, given that digital threats tend to go an average of 101 days before being detected by business operators, the damage to an organization from such compromises can quickly add up.

Consider the case of humanitarian aid trip organizer Volunteer Voyages, a single-owner small business which suffered $14,000 in fraudulent charges after an online thief pilfered its debit card information, which the bank refused to reimburse. Or that of popular online food delivery startup DoorDash, which suffered a major data breach this past September, with hackers having accessed sensitive user data for over 4.9 million customers, resulting in tens of thousands in expenses. Likewise, government contractor Miracle Systems, which provides IT and engineering services to over 20 federal agencies, recently suffered losses of $500,000 to $1 million due to an internal server breach.

However, considerable as they are, these charges do not factor in additional damage to intangible assets such as brand reputation and customer goodwill. Case in point: Miracle and its clients were later shocked to discover that their data was openly being advertised for sale by hackers on international cybercrime forums for a starting price of $60,000.

Factor in additional expenses such as regulatory compliance, attorneys’ fees, technical investigations, and loss of customer revenue and relationships, and ancillary costs associated with cyber attacks can quickly compound for a small business.

Ironically though, even with 480 new high-tech threats now introduced every minute, according to anti-virus provider McAfee, human error still remains one of the greatest threats to organizations’ well-being. With just 3 in 10 employees currently receiving annual cybersecurity training, it’s all too easy for enterprising con artists or e-mail scammers to circumvent even the most cutting-edge digital safeguards.

Noting this, the over 30.2 million small businesses in America now at risk of digital disruption are advised to adopt a comprehensive mix of both high- and low-tech strategies for combating cyber threats, including:

  • Making daily backups and duplicates of data and files that can be retrieved in the event of system compromise or ransomware (malicious software that holds accounts/networks hostage until large sums of money are paid).
  • Installing and regularly updating anti-virus, network firewall, and information encryption tools to scan for and counteract viruses and harmful programs; guard against incoming network or denial-of-service attacks; and keep sensitive information safe.
  • Routinely monitoring and scanning any device that’s connected to a computer system or network, and prohibiting the use of removable media (e.g. USB drives) at work.
  • Limiting employees’ access to only the files, folders, and applications that are required to perform routine on-the-job tasks.
  • Providing regular, up-to-date training for staffers at least every 90 days on the latest online threats and trends in cybercrime.
  • Engaging in teaching drills and exercises grounded in real-world everyday scenarios that test employees’ ability to detect scammers and respond appropriately to fraudulent requests.
  • Instructing staff about the dangers of clicking on unsolicited email links and attachments, and the need to stay alert for warning signs of fraudulent emails (among the fastest-growing forms of “phishing,” a.k.a. online con artistry, today).
  • Utilizing multifactor authentication on accounts, and requiring independent verification and approval before acting on any major, uncommon, irregular, or allegedly time-sensitive request.
  • Conducting ongoing vulnerability testing and risk assessments on computer networks and applications to seek out and address possible points of failure before they arise.
  • Implementing artificially intelligent cyber analytics tools that can scan networks, user accounts, and applications to determine what passes for normal behavior, and auto-detect and immobilize suspicious activities before they spread.

Noting that threats can come from both internal staffers and external sources alike, and the growing amount of sensitive information that modern businesses must juggle, today’s best cyberdefenses are now multipronged, experts warn.

“It’s important to take a multi-faceted approach to cybersecurity,” explains Dan McNamara, chief technology and security officer at MedReview, whose 300 employees provide medical and patient record support services to hospitals and healthcare providers nationwide.

“As our organization has grown, so has the number of cyberattacks it faces. … In the last two quarters alone, we saw 12 to 15 million breach attempts, many of which take place during early morning hours and weekends. [To safeguard ourselves,] we try to embrace AI and autonomous services; implement real-time cybersecurity tools; and encourage every person on staff to play a role in combating online threats.”

More importantly, says McNamara, whose company has yet to suffer a single data breach in 40 years, similar shifts in thinking can help other small businesses immediately start bolstering their digital defenses. “[We believe that] every employee is now responsible for helping maintain security; we try to train everyone from the person manning the front desk up to the CEO on what constitutes smart high-tech behaviors.”