Black Friday, Cyber Monday scams are on the loose, businesses need to prepare

Consumers stumbling to the couch in a turkey-induced coma with their laptop or phone in hand ready to hit the cyber-holiday sales are not alone in being targeted by cybercriminals.

Retailers and businesses also may be affected by the dramatic increase in malicious threats that target shoppers looking for buys on Black Friday and Cyber Monday. This can include being hit with ransomware and having to make the decision whether or not to pay up or risk losing sales during the busiest shopping period of the year.

For retailers much of the damage done may be to their reputation as malicious actors generate hundreds of brand and website-specific email scams and fake websites designed to confuse and entice anxious shoppers.

A study by Zerofox’s Alpha Team has already identified 61,305 potential scams spread across 26 brands. Brick and mortar retailers are the primary focus with 92 percent of the campaigns spotted using a store brand in some manner.

“Scammers likely target brick and mortar retailers in such high quantities because these kinds of scams will be attractive to a larger pool of consumers and thereby potential victims. Fewer consumers are in the market for luxury goods and high-end jewelry than are shopping at large brick and mortar stores that appeal to multiple price points. Brick and mortar stores also carry a wide range of goods, from electronics to jewelry, versus stores that only sell one kind of good,” the report stated.

The threats are generally centered on email campaigns that use the one lure every shopper is interested in, something for nothing. This is usually in the form of a gift card or coupon, but to obtain these items the shopper/victim is required to enter some level of information, at the very least an email or physical address.

The permanent members of Santa’s naught list also use social media to attract victims. This is done by creating fake accounts and then loading posts with hashtags designed to catch a shopper’s eye, such as #blackfriday or #cybermonday.

Some of the more technical threats involve typsquatting or  creating domains based on popular shopping sites like Amazon, Apple and Target.

“ZeroFOX Alpha Team found 124,000 domains that contain the brand name out of the list of 26 selected for this report. The team filtered the 124,000 domains by Certificate Issuer for legitimate domains,” the security company said.

The massive uptick in internet traffic also presents an opportunity for attackers and a danger to corporate entities whose workers may use either company equipment or its network to make purchases. Tim Erlin, vice president of product management and strategy at Tripwire, cited a recent Tripwire Twitter survey that found 84 percent of security professionals are concerned there is not enough security awareness for consumers to keep them safe online during the holiday shopping season.

“For businesses, there are two ways to look at cyber risks around Black Friday. The first is that, simply because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target them, hoping for the busyness to serve as a diversion. The second way to look at it is from an employee perspective: staff may be shopping online from business-owned assets, thus potentially opening them up to Black Friday scams. For this reason, it would be worth it for business to focus on education and training on how to recognize scams and phishing attempts,” Erlin said.

Then there are the direct threats to business. A retailer, delivery company or distributor’s worst fear is not being able to operate during this time.

“Ransomware and other types of malware are also a concern for businesses around this time of the year. Those that are targeting the business itself ultimately just want the organization to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups,” Erlin said.

In addition to being shut down another huge potential headache is discovering credit card skimming malware like Magecart residing in a chain’s POS system, noted a Sucuri study. It could also mean a retailer could be held liable for any fraudulent charges made on a customer’s card in cases where the cards was not present for the purchase.

“New consumer habits, such as buy online, pick up in store (BOPIS), now allow customers to pick up products at a physical locations after purchasing them on the retailer’s website – so these transactions become classified as card-not-present. Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls,” Sucuri said.

There are steps e-commerce sites and retailers with an online presence can take to protect themselves not only during the holiday season, but all year long, said Kaspersky.