December 22, 2017

‘Tis the season for shopping… and seasonal phishing campaigns

Across the world, Black Friday and Cyber Monday sales signal the beginning of a seasonal frenzy in which shoppers hunt down bargains for their loved ones. Reflecting changes in long-term behaviour, they increasingly dodge crowded malls and high streets, and splurge online using credit and debit cards instead. This holiday season, US internet spending is expected to surpass that made in stores for the first time, according to Deloitte, a professional services firm.

Combined US sales on Thanksgiving Day and Black Friday soared by almost 18 percent to $7.9 billion in November, and spending this Cyber Monday rocketed to $6.6 billion, making it the country’s largest shopping day in history. However, these bonanzas are dwarfed by China’s Singles’ Day, the world’s biggest online retail event. It started life as a lonely hearts day but transformed into a spree after Alibaba identified a commercial opportunity in 2009. Buyers spent a record $25 billion over 24 hours on November 11th, up from $17.8 billion in 2016.

These trends benefit customers and retailers alike, but pose risks as well. Cyber-crime has rocketed as technology proliferates, and there is no busier time for hackers than amid the Christmas shopping spree. According to Barclays, more than a quarter of all online scams in the UK occur during the holiday period. It estimates that seasonal cyber-crime will cost victims £1.3 billion this year. Other data show that global e-commerce fraud grew by 31% over the 2016 season, costing merchants 7.5% of annual revenue. ThreatMetrix, a US-based digital identity company, predicts that there will be 50 million global cyberattacks over the 2017 holiday period.

Each holiday season, online fraudsters hire new armies and develop ever-evolving techniques to hack accounts or steal financial data, leaving security experts to play catch-up. This year has seen a marked uptick in banking Trojans, a kind of malware used to steal login credentials. Bot attacks are also likely to increase this Christmas, as leaked credit card data becomes more available on the dark web. During some peaks, more than 90 percent of retailers’ web traffic will come from automated bots running mass tests of identity credentials, ThreatMetrix says.

Retailers pose an increasingly attractive target as they amass growing databases of customers’ information. Customers who increasingly shop via mobile phones tend to save credit card information to retailers’ sites and apps. A flurry of same-day deliveries causes problems because hackers using stolen data can wreak havoc before retailers have time to catch on. And fraudulent gift cards can take victims to dangerous sites, or initiate a download that compromises their device. This time of year also marks an increase in seasonal phishing campaigns, which lure customers into disclosing their financial data, sometimes through adverts promising goods at marked-down prices.

Bricks-and-mortar retailers are not immune either: point-of-sale (POS) systems are an increasingly popular point of attack for acquiring transaction data. Consumers can protect themselves by looking out for the padlock symbol and “https” in the address bar on retailers’ websites, or by eschewing public Wi-Fi while shopping online. However, many still lack a basic knowledge of how to protect their data or stay safe online. Many retailers, too, are grappling with the basics of cyber security. As attacks increase, the pressure to protect themselves and their customers – whether through better network and domain security, stronger passwords or digital identifiers that leverage biometric technology – is rising. This will likely be the most criminal Christmas yet.