Last year’s Cyber Monday was the biggest online sales day in history, with a whopping $3.45 billion (£2.62 billion) being spent. Cyber Monday has traditionally been a US phenomenon, following on from the Thanksgiving holiday and Black Friday the week before. However, people in the UK are embracing the big discounts before Christmas, particularly with the recent rise in interest rates. PwC has estimated that a quarter of UK shoppers will buy something over the Black Friday and Cyber Monday weekend. But shoppers aren’t the only ones looking for a so-called “steal” – cybercriminals will also be using all the weapons at their disposal to trick and scam vulnerable consumers. Shoppers need to be wary of imposter websites, phony charities, social media scams, and even in-person scams like delivery fraud and theft.
A recent example in the UK saw fake M&S, Tesco and Asda vouchers being shared via messages on WhatsApp – the scam encouraged users to click on a link and share the text with friends to receive a £250 cash voucher. Another form of scam was identified in mid-October when police issued a warning over a phishing email posing as an automatic customer email notification from firstname.lastname@example.org. The scam led unsuspecting users to an authentic-looking website which asked them to confirm their names, addresses and bank card data, which the attackers then used for their personal gain.
Scamming Users: A Brief History
As internet and email usage has grown, so has cybercrime and the sophistication of phishing scams. According to Symantec, one in 131 emails now contains malware, and the deadliest phishing attacks we see today carry ransomware strains that have the power to take down entire networks. For example, NotPetya got into corporate networks and obtained high administrative privileges in order to spread, and one of its main routes of entry was via phishing emails.
Being duped by cybercriminals whilst online shopping can put organisations at risk as well as the consumer. We know that end users blend their work and personal activities on their work devices, which can put corporate data and networks at risk if a user clicks on a risky link or file whilst online shopping. In addition, the BYOD phenomenon means that users could be putting sensitive data at risk if they are using their own device to access corporate emails and files. This is especially scary considering Accenture’s recent findings that organisations pay an average annualised cost of $11.7 million to deal with cybercrime, which is up 23% from last year.
The human factor is a big issue because, unfortunately, many organisations assume that their employees know how to recognise and avoid attacks when this is simply not the case. We conducted our annual User Risk Report in June and found that, in a survey of 2,000 people, 3 out of 10 wouldn’t have a clue what phishing was, and 6 out of 10 wouldn’t be able to tell you what ransomware was. This is why, as infosec professionals, we need to stop relying purely on cyber-security technology and brushing aside user education as a pointless exercise. Rather, technology and education should integrate to fight as one against this common cause.
What To Teach Your Employees
With Cyber Monday rapidly approaching, there are some quick-fire “top tips” that you can share with your employees to help keep them, and the organisation, safe from scams and attacks. But remember, as with any form of education, the most effective way to educate people is to constantly reinforce key principles with end users.
1. Be Selective About Who You Shop With
Reputable stores are reputable for a reason. Larger organisations are taking enormous precautions to protect online shopping sessions and keep customer data safe. Shopping via an unknown entity can be risky, as scammers set up “dummy websites” to lure people into revealing personal data and credit card numbers with the promise of fabulous deals. If users are tempted by an online shopping site they're not familiar with, they should do their research. Online reviews and complaints can reveal the deals and sites that really are too good to be true.
2. Think Before You Click
Many legitimate emails and texts will flood your users’ inboxes this holiday season. But lurking among them are malicious phishing messages that are designed to steal data, login credentials and money. Scammers can embed dangerous links inside of text, URLs, and images that look safe. So though it’s tempting to “click here to take advantage of this great deal,” the safest route to a website is to type a known URL into a web browser. Users need to remember that the lure of getting something for nothing is a much-loved trick for scammers. In “too good to be true” offers, they will likely be asked to give up their email address, personal details, and even credit card numbers in order to “take advantage” of incredible deals.
3. Don’t Automatically Trust Familiar Brands
Scammers use known brands like Amazon and Asda to lure unsuspecting users into clicking links and downloading attachments. As well as this, phishing emails often urge users to act quickly without thinking, with messages that claim there are problems with an order, shipment, or reservation. Most reputable companies will not send these kinds of messages. And if users are worried, they should contact the company in question through a known, trusted source like a customer service number.
4. Get Savvy About Wi-Fi
If your users are making purchases on the go, it’s critical that they understand the implications of sharing private data over Wi-Fi. Firstly, if they haven’t had to put in a password, the Wi-Fi network is not secure. A secure network uses encryption measures and is protected by a strong password. They should never assume an open Wi-Fi network is safe from prying eyes. As such, it’s best to avoid entering any private information (including logins, passwords, and account numbers) while on a public network.
If they can’t wait for a secure network, they should use a VPN and make sure all the URLs they use start with “https”. In fact, https is a valuable addition to any online session that requires a user to enter private information, not just those over Wi-Fi.
5. Consider an Online-Only Credit Card
Encourage your users not to use debit cards for online purchases. Should a breach occur, a credit card offers them some protection because fraudulent purchases won’t empty their bank account.
It’s also wise to dedicate one credit card for online use that has a limited available balance. This will allow users to easily monitor their transactions and protect their accounts. Plus, if something bad does happen, they’ll only have to deal with one company to resolve any issues.
Amy Baker, Vice President of Marketing at Wombat Security Technologies