Key Takeaways

Cybercriminals are Watching: As shoppers prepare for holiday deals, they must remain vigilant against cyber threats, as hackers are also gearing up to take advantage of online vulnerabilities.

Don’t Let Deals Derail Security Awareness: While chasing discounts, consumers should prioritize their online security; staying informed about scams can protect their financial and personal information during the festive frenzy.

Shop Smart: Secure Your Data First!: Before indulging in holiday shopping, ensure that personal data is secure through updated software and safe browsing habits to avoid being targeted by cybercriminals.

Deals Aren’t Worth Compromised Security: Remember that no discount is worth risking your online security; prioritize safe shopping practices to ensure a joyful and secure holiday season.

The holiday shopping season is here, bringing with it the excitement of Black Friday and Cyber Monday deals. But while consumers and retailers gear up for a shopping frenzy, cybercriminals are preparing too—ready to exploit any vulnerabilities they can find. 

Consumers and retailers should be on high alert. Unfortunately, Black Friday and Cyber Monday are prime hunting grounds for cybercriminals looking to exploit vulnerabilities. From counterfeit websites to sophisticated phishing scams that prey on unsuspecting shoppers, the risks are real, and the stakes are high.

For this Q&A, I spoke with Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. We explore the emerging cyber threats targeting holiday shoppers, proactive security measures for retailers, and how consumers can keep themselves protected during the busiest shopping season of the year.

1. Is there an uptick in specific scams or attacks during Black Friday or Cyber Monday?  

Over the past few years, a number of new consumer scams have emerged to take advantage of unsuspecting holiday shoppers. In addition to run-of-the-mill phishing attempts, one of the most common scams is bogus orders or package delivery scams using fake email or app notifications to get users to click a malicious link. 

We’ve also seen an uptick in the number of counterfeit websites and charities that look very legitimate. These scammers often entice consumers with way-too-good-to-be-true deals and even websites sporting the SSL/TLS badge (the little lock that appears in your web browser to indicate a secure site). It might look official, but it’s important to always double-check an unfamiliar website with the Better Business Bureau (BBB) or another online reputation checker to verify it’s a legitimate and trusted merchant before purchasing anything there. 

The growing number of scams can make some people wary of shopping online. As a retailer, it’s essential to highlight what you’re doing to keep shoppers safe and provide extra resources for them to trust their business with you. A lot of forward-thinking vendors offer a Trust Center page to tell consumers all the practices they do, including sharing formal cybersecurity certifications, to keep their organization and their customers safe.  

Globally, malware threats continue to evolve and multiply, and the retail sector is no exception. In Q2 of 2024, our Threat Lab team observed seven new malware families in the top ten most common malware attacks (typically, we see two or three). With the advent of artificial intelligence, the number of emerging threats could continue to snowball, and retail organizations’ cybersecurity teams need to take a proactive approach to be prepared to thwart incoming attacks. 

Businesses of all types are defending against a broad range of attacks, many of which target their own web applications and management systems. Management software, such as HP Intelligent Management Center and Oracle Enterprise Manager Grid Control, remains a repeat target for bad actors. Companies need to strengthen their organization's culture with a skeptical yet polite approach, utilizing cybersecurity training to help employees understand today’s threats and avoid clicking malicious links, sharing private data, and more that could compromise your organization's secure systems.  

More generally, we see attackers leveraging more “living off the land” techniques in their attacks, which means they leverage legitimate operating systems and IT tools to do their dirty work rather than installing traditional malware. It’s harder for legacy security software to detect the difference between intentional vs. malicious use of some of these legitimate tools.  

3. What proactive measures should retailers take to strengthen their cybersecurity during the holiday season? 

Retailers face a significant challenge to protect some of the most sensitive information out there: consumer data and payments. A 2024 Verizon report shows that system intrusions, social engineering, and web vulnerabilities cause 92% of retail data breaches. Cybersecurity incidents in the retail sector surged nearly 80% last year, highlighting the growing sophistication of cyberattacks.  

Credential theft is now a top target for hackers, shifting focus from payment data as security improves. Stolen credentials give attackers access to internal systems, allowing for fraudulent purchases or further breaches. System intrusions, social engineering, and web application attacks remain common tactics.  

To protect against these threats, retailers should implement simple but essential security measures, including multi-factor authentication (MFA), to safeguard their users and networks. In today’s threat landscape, it’s also important to bolster data protection solutions to limit access to sensitive information, use secure coding and web application scans to protect their websites, and ensure regular system updates to close unpatched security gaps. Firewalls and network segmentation can help prevent and contain potential breaches, while employee training on identifying phishing scams can prevent social engineering attacks.

4. What proactive measures can consumers take to protect themselves from scams during the holiday season?  

Black Friday and Cyber Monday shopping events are expected to eclipse records again this year, generating $75B, up 5% from the year prior. This holiday season, it’s important for the consumer to practice skepticism and caution when shopping online. Always make sure to enter your confidential information only on websites you trust. If you receive promotional emails, always triple-check the sender and preview any links before clicking on them. When you see a deal you might like in an email, rather than clicking the link, perhaps visit the retailer’s page manually and find the deal there. While it may take more steps, it will save you from clicking a link that may be a scam.

Avoid entering secure information online while connected to a public or insecure network whenever possible. If this is necessary, use a VPN while browsing the internet if you have one.  

Finally, I like to have a separation between my credit card and online retailers whenever possible. Consider alternate payment platforms, like PayPal, Apple Pay, Google Pay, or your preference. They will still use your debit or credit card but keep that information from the online retailer. That said, credit cards do often offer decent reimbursement for fraud, so make sure to use a payment provider that also offers such protection services. 

5. How can retail organizations build trust for their customers when it comes to their security? 

In the age of digital supply chain attacks and Black Friday phishing scams, online retailers need to demonstrate the steps they’re taking for their consumers to feel safe shopping with them online. 

Retailers who spend the effort to create a "Trust Center" page on their site, letting their customers know more about how they secure their infrastructure, how they protect and use their customers' personal data, and what compliance or trust certifications and seals they've earned, are poised to drive more sales during the holiday season than ones who are not transparent about their security. Set up a trust center to show (and not just tell) customers how you are keeping their more sensitive and personal data safe, and you will be more likely to earn their trust, loyalty, and, ultimately, their business. 

Takeaways

As the big digital shopping days approach, vigilance is key for shoppers and retailers. By adopting proactive measures, understanding the evolving threat landscape, and building consumer trust, retailers can protect themselves and their customers from becoming victims of holiday-season cyber scams. Meanwhile, shoppers must take charge of their online safety by applying basic but crucial security practices. 

Cybersecurity should be on everyone's holiday checklist—because the season of giving shouldn't be a season of taking risks.

Katie Sanders

As a data-driven content strategist, editor, writer, and community steward, Katie helps technical leaders win at work. Her 14 years of experience in the tech space make her well-rounded to provide technical audiences with expert insights and practical advice through Q&As, Thought Leadership, Ebooks, etc.