Don’t fall for a Black Friday scam: read CBR’s guide to cyber security when looking for Black Friday deals.
It makes sense that vendors would be worried about cyber security on Black Friday – a targeted cyber attack such as a Distributed Denial of Service could stump sales and wipe out a crucial chunk of revenue. But what cyber risks does Black Friday present to the consumer?
Highly billed events, including major sporting tournaments such as the Olympics, nowadays inevitably attract cyber criminals who see an opportunity to piggy-back on their popularity. Think of it this way: just as any legitimate business will try to cash in on a major search topic such as Black Friday, so will cyber criminals.
According to John Shier, Senior Security Advisor at Sophos, the threats fall into two broad camps, which can be combined or linked: defrauding for money or data theft.
One of the main threats, therefore, is fraudulent links and social media activity. Knowing that consumers will be searching prolifically for the best deal, criminals use deals as bait either for phishing scams or fraudulent websites that can infect their devices with malware.
Nick Shaw, vice president and general manager of Norton EMEA, highlights the danger of malicious links being indexed by popular search engines. If users fall for the scam and click the link, anything could happen.
“These sites will either try to trick people into purchasing goods which are fake or do not ever arrive, or will download malicious software to a device.”
A similar scam with a different delivery vector is phishing, where a targeted email could be sent promising discounted products or asking recipients to submit details in order to access such deals.
But some of the risks will come from people you know. Some fraudulent links may be appealing enough to get shared on social media, so it is important to examine any link purporting to be Black Friday-related with as much or more vigilance than usual.
The above methods are by no means exhaustive; text messages could also be used. Black Friday-related apps are another potential security risk.
“Something we have seen is with fraudulent branded mobile apps (most of them on Android) falsely claiming access to early Black Friday and Cyber Monday deals that attempt to convince victims to install the information stealing apps,” says Florian Malecki, international product marketing director, SonicWall.
Since many people don’t check app permissions before installing applications, it is possible for these apps to request
These threats should be taken more seriously than ever because hackers have got increasingly effective tools in their arsenals.
As Shier says, there have been many vast data breaches recently, meaning that many people will now have had data such as email addresses shared against their will online.
“Using that information hackers can start targeting in a way that they couldn’t before.”
More available personal details come in tandem with an increasing amount of contextual data. Location data is easily shared online, either through a smartphone location settings, a computer IP address, or linked to an email address.
These threats do not just affect the consumers on the receiving end, but can also spill into their workplaces. As Florian Malecki of SonicWALL says, many employees will conduct their shopping using their workplace computers; this means that ransomware or malware could use these employees to get into the enterprise network.
What does being vigilant mean? There are plenty of give-aways that will help distinguish between legitimate sites of vendors and scammers. It could be something as simple as a slightly misspelled URL or an inauthentic-looking company logo.
Shier uses the anecdote of a recent fraudulent URL he came across where instead of ‘.com’ the end of the URL was ‘.corn’, which at a glance looks identical. Alarm bells should also ring with short or compressed links, as there is no way of seeing what is at the other end.
When it comes to payments, avoid unknown merchants and look for a secure payments window.
As well as a mindset change, there are technological fixes. As a starting point, Shier encourages all individuals to patch all software. This is particularly relevant with browsers, which nowadays usually have some sort of built-in detection for suspicious URLs. Look for a TLS certificate, usually denoted through a padlock on the browser.
From a business perspective, Malecki highlights next-generation firewalls and application control that can restrict access to certain sites depending on time of day.
Antivirus goes without saying, but not just for desktop: all smartphone owners should at the very least install one of the many available antivirus apps, many of which are free.
Finally, the security mindset should ideally extend beyond the transaction to the products themselves. This goes for cheap IoT devices and smartphones: try to buy
“As a consumer you have to do your homework,” says Sophos’s Shier. In the future, Shier says that industry working groups may provide standards for secure products, but for now there is no good way to ascertain the quality of products apart from reading reviews and comments.
Finally, Shier warns that holiday season or no holiday season, there will be cyber criminals trying to defraud you or steal your data.
“Don’t forget the rest of the year – Valentine’s Day and Easter are coming,” he says.