There is an uptick in cybercriminal activity during the final months of the year due to higher online retail activity – 90 million people shopped online on Black Friday 2021, spending $10.7 billion and 77 million on Cyber Monday, spending $8.9 billion. Compared to 2020, the 2021 Black Friday/Cyber Monday saw a 90% jump in mobile traffic and a 46% increase in desktop traffic.
Adobe expects netizens to splurge approximately $209.7 billion in the two months between November 1 through December 31, 2022. It is safe to say that there will be many distractions to lure in unsuspecting shoppers. There is also a relaxed attitude across organizations with a sense of being off-duty. However, cybercriminals never are.
“The holiday period is not just a time for bargain hunters, it’s also a time for criminals to hunt for financial information, sensitive data and new victims. People need to know the threats, they need to understand what to do, and what to look for. By helping people with the right security behaviors, we’ll keep more people safe,” Oz Alashe, CEO of CybSafe, told Spiceworks.
Besides carrying out run-of-the-mill scams, threat actors purposely turn on the aggression to exploit any publicly disclosed zero-day vulnerabilities. This has given rise to two of the most significant cyber incidents in recent years – the SolarWinds software supply chain attack that came to light in December 2020, and the Log4Shell vulnerabilities, first exploited in December 2021.
“As we enter into one of the busiest seasons of the year for online activities, it is imperative that users remain vigilant in preparation for the upcoming wave of expected cyber attacks,” Stu Sjouwerman, CEO at KnowBe4, told Spiceworks.
“The world is slowly but surely returning to normalcy post [the] pandemic. However, for many of us, spending more time online, especially when shopping and connecting with friends and family, is the new normal. This presents more opportunities for social engineering attacks and for bad actors to exploit organizations.”
So before you give into the allure of a deal too good to be true this Cyber Monday or any upcoming Christmas/Hanukkah sale, consider the following advice Spiceworks collated from security domain experts.
Security tips for the holiday season for consumers
Online shoppers are an easy target simply because of the higher number of consumers going online, resulting in greater transaction volumes. Surya Varanasi, CTO at StorCentric, believes consumers may be looking to save up by grabbing the best available deals.
“With inflation hitting its highest level since 1982, and a recession looming, retailers must ensure they are in an ideal position to meet customer demand, service expectations and capitalize on a time when consumers may be open to loosening their purse strings,” Varanasi said.
To cater to this increased interest, marketers amp up promotional campaigns. So it is challenging to spot malice in an email deluge. Scammers may try to steal personal and financial information through phishing to compromise data, deploy malicious software, steal identities, and dupe consumers off money.
“When it comes to phishing emails, these are increasingly common – and purport to be from banks to best selling brands,” Rachel Jones, CEO of SnapDragon Monitoring, told Spiceworks. “Increasingly sophisticated scams range from brand websites being duplicated, to what look like genuine ‘special offer’ emails and social links, all which ensnare unsuspecting shoppers. Serious fraud can result as financial details are captured and non-existent products are never delivered…the list is endless causing irreparable emotional and financial damage.”
Here’s what consumers need to stay wary of, according to KnowBe4:
- Verify links by checking domain spellings. Malicious sites often have slight modifications or can also be entirely unfamiliar.
- Only tread and shop on sites you’re familiar with or are reputable.
- Thoroughly review reseller and auctioneer profiles and check their history of selling.
- Research the parent company of a website if you are shopping from it for the first time.
- Monitor credit card usage after using it for a transaction.
- Verify confirmation emails.
- Refrain from shopping on social media.
“Much more needs to be done by businesses and online platforms to protect the consumer but, at the moment, the onus is very much on the shopper to ensure they are buying genuine products from genuine sellers,” Jones added.
Security tips for the holiday season for organizations
Ransomware gangs could ramp up operations during the holiday season against organizations with their guard down. Organizations also have more to lose; thus, the payoff is significantly higher than targeting individual users.
“While retailers are well aware of the importance of uptime and data security, many continue to struggle, particularly during high-stakes shopping periods,” Varanasi added, highlighting the need for a rock-solid backup plan in place in case of a ransomware attack. “This is a time when data backup and data security best practices are critical.”
“Today, many backup and security processes have become highly automated. But, as ransomware and other malware attacks continue to increase in severity and sophistication, it is clear that proper cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted,” Varanasi said.
Varanasi suggests policy-driven data integrity checks “that can scrub the data for faults, and auto-heals without any user intervention.”
For recovery, Brian Dunagan, VP of engineering at Retrospect, stressed the ability to detect ransomware or any other malware-based attacks clubbed with a high availability solution to mitigate the cost of downtime, which can have an “impact on a retailer’s business reaches far beyond the immediate loss in sales.”
“My advice to them is this,” Dunagan said. “It is a given that you must deploy data security and high availability (HA) solutions. A simple 3-2-1 backup strategy is also essential (i.e., always have at least three copies of data; two onsite on different media, and one in an offsite location). However, as a successful cyberattack is likely just around the corner, you must be able to detect ransomware as early as possible to stop the threat and ensure your ability to remediate and recover.”
“A backup solution that includes anomaly detection to identify changes in an environment that warrants the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies.”
Varanasi opined that dual controllers and RAID-based protection should help organizations provision uninterrupted data access as part of their high availability solutions in case of a cyberattack or a simple component failure. “In this manner, recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write,” Varanasi said.
While Varanasi and Dunagan’s suggestions hold well as a response mechanism, DH2i CEO and co-founder Don Boxley recommended organizations avoid the issue entirely with a software-defined perimeter (SDP).
“As we head into what is arguably one of the busiest and most important seasons of the year for retailers, maintaining data access and security is paramount. What is virtually impossible to accomplish with VPNs can now however be achieved with the more modern, innovative and real-world proven software defined perimeter (SDP),” Boxley told Spiceworks.
“SDP enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. By leveraging SDP this holiday shopping season, organizations can ensure safe, fast and easy network and data access; while slamming the door on any potential cybercriminals or Grinch.”
Jones pointed out that organizations can do more to help consumers stay safe. “Businesses must communicate with their customers about this [phishing email] threat, making clear what a genuine emails looks like and warning customers to be diligent, what a fraudulent email may seek to request (and what a genuine one would never do) and to seek direct advice if the slightest bit concerned,” Jones said.
“If a business sees its site is being duplicated by criminals, they must ensure it is taken offline with speed and efficiency before it causes harm. Common themes for fake sites are slight alterations in spellings, new domains (.co rather than .com for example). We would always recommend the shopper seeks out the genuine brand’s site with care and attention.”