It’s December, Christmas music is everywhere and the holiday season is in full swing. As people look to buy gifts for loved ones, there are ‘unmissable deals’ around every corner. Unfortunately, it is not just shoppers looking to take advantage of these offers – scammers are also looking to exploit these deals.
A recent report has uncovered the diverse and wide-ranging scams being deployed over the holiday season. Cyber criminals are impersonating well-known brands and offering unsuspecting individuals irresistible deals. These scams go even deeper, with entire fake websites being generated to target specific demographics based on personal information collected through further scams. As online shopping continues to grow in popularity, social media is becoming many consumers’ go-to option for purchases. Scammers take advantage of this boom through popular sites such as TikTok to reach a broader audience.
In order to acquire the relevant personal information to pull off these scams, cyber criminals target brands and retailers to harvest this data. Dan Bridges, Technical Director – International at Cyware, explains how “retailers collect and store vast quantities of data, much of it sensitive customer data like credit card details or personally identifiable information (PII) – a treasure trove for attackers. Malicious actors often target businesses when they are at their busiest, like during Black Friday, Cyber Monday, and the holiday shopping season.”
Shobhit Gautam, Staff Solutions Architect at HackerOne, echoes this warning, revealing that “retailers are already a top target for bad actors, and there’s been a rise in cyberattacks in the past year. This year, retailers will also be handling a massive volume of sensitive, personal information, including payment details, names, and addresses. Increased online sale activity and depleted security teams due to the holidays and time away heightens the chance of cyberattacks, leaving consumer data ripe for the picking.”
With 41% of retail cyber attacks last year stemming from vulnerabilities and another 22% from compromised credentials, it is critical that security measures are as robust as possible as retailers prepare for seasonal traffic surges.
The festive period will see retailers come under heavy attack, piling on additional pressure as they are already faced with significant issues such as reduced staffing during the holiday rush. In light of this, retailers are starting to take steps to bolster these defences before it is too late.
As HackerOne’s Gautam observes: “Some retailers use bug bounty programs and the security researcher community to help fill skills gaps on their teams and proactively find vulnerabilities, which can reduce the chances they become a successful target for cybercriminals during the holiday rush.”
“While being proactive and implementing security controls is vital”, he adds, “organisations must also plan and prepare for their worst-case scenarios. It is essential to have a tried and tested incident response plan handy and ensure the backups are ready if things go south. Not only on the retailer side, but with the rise in the use of AI for social engineering attacks (such as phishing and vishing), consumers must be vigilant when clicking on sale links and URLs.”
Collaboration is key when it comes to defending against the sheer diversity of attacks from cyber criminals, Cyware’s Bridges explains. “Threat intelligence helps enterprises get ahead of attacks, but it isn’t easy to segregate, correlate, and prioritise the huge volumes of available threat data to create a ‘single source of truth.’ Just adding threat intelligence isn’t enough. We must connect the dots.
“This next-generation approach to cybersecurity – often referred to as cyber fusion – unifies all security functions such as threat intelligence, security automation, threat response, security orchestration, incident response, and others into a single connected platform which detects, manages, and responds to threats in an integrated and collaborative manner.
“The importance of collaboration – inside and outside the organisation – cannot be overstated. Collective defence focuses on an open, trusted ecosystem where security teams are empowered to work much more closely with trusted community peers as you manage intelligence, develop detections and response plans, and respond to threats.
“At the end of the day, threat intelligence only works when it can communicate the relevant data to the right people, at the right time, so they can quickly take meaningful action,” Bridges concludes. “As has been written about many times over, there is no silver bullet when it comes to tackling cybercrime – whether it’s a genuine mistake or a deliberate, targeted attack – but by fusing disparate elements of the cybersecurity stack, the risk of falling victim will be reduced.”
In the words of Sir Cliff Richard, Christmas is a time for giving and a time for getting. However, this Christmas it is crucial that retailers and consumers give even more than they get in the fight against scammers.