For one day a year, on 23 November this year, retailers take advantage of consumers’ appetite to spend by offering “loss leader” deals, which they advertise broadly on email and social media.
The purpose of these offers is to entice shoppers to retailers’ sites and stores and convince them to buy more than the too-good-to-be-true TV for R500. And cybercriminals know and take advantage of this.
There’s good news and bad news for Black Friday shoppers this year. The bad news is that cybercriminals are using new tactics that make it harder to spot fake deals. The good news is that with robust cybersecurity awareness training, an understanding of the new attack methods and sophisticated email security systems, consumers can protect their money and personal information, and businesses can better protect their sensitive data and systems.
Black Friday is like Christmas for hackers. While you’re shopping for bargains, they’re shopping for your credentials, which they use to log into your internet banking and other online accounts to steal your money.If cybercriminals have your login details, they can access your profile even on sites implementing good security practices. Criminals are hitting various online services with credentials in the hopes of a password and username being accepted as legitimate.
Black Friday grows every year in South Africa. Last year, sales increased by 2571% over 2016 as more retailers jumped on the bandwagon. This year will be even bigger, which means gullible and uninformed consumers – many of whom work for enterprises - are ripe for the picking. And chances are they aren’t aware of the new tactics being used against them.
Ok, maybe not everything. But a lot of what we know about cybersecurity, and the tips and tricks that protected us in the past, no longer apply to some phishing attacks.
As we’ve already learnt, we’re often told to be suspicious of ridiculously cheap deals, but on Black Friday, ridiculously cheap is expected, so we’re not likely to question R500 TVs.Another thing we’re told is to look for the green or black padlock on a website, or for the all-important ‘s’ in ‘https’ of the site’s URL. But we can’t even trust this anymore. That’s because cybercriminals can create or buy a real security certificate for their fake website in minutes.
One site issued over 14,000 SSL certificates to “PayPal” sites – 99% of these were used for phishing fraud. So, while a fake website looks secure, it really isn’t.
So, what security advice is still valid?
Cybercriminals increasingly use various forms of domain similarity– when they subtly change characters and words in URLs and email addresses to match a trusted organisation. These types of attacks often bypass certain email security systems because the sites and email senders aren’t known to be malicious.
To create lookalike domains, attackers often use non-Western character sets to display letters that look identical to the naked eye. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. You might think we’re getting fancy with our font. We’re not. Combined with a legitimate certificate, it becomes much harder to spot a fake website.
This creates prime conditions for a successful phishing attack: nearly half of all South African firms in a recent Vanson Bourne and Mimecast research report saw an increase in targeted spear phishing attacks using malicious links over the past year.
Consumers and businesses can stay safe this Black Friday.
The threat landscape has evolved yet again. We can never let our guard down and we have to assume that we’re never completely safe – even if we have robust security systems in place. Apple CEO Tim Cook said recently that cyber resilience is like running on a treadmill. You can’t just stop. If you do, you’ll fall off and will probably get hurt.
Stay alert. Stay safe. And happy shopping!