Black Friday is nearly upon us, and shoppers are already moving to catch some of the early deals of the sale period, often unaware of the marked increase in fraud seen around Black Friday. The increase in sales around this time means more funds are circulating, and this attracts the attention of fraudsters. The circumstances of this year also mean that online sales are going to be a particular focus, pushing customers and retailers into an environment where fraudsters have more opportunities than in the brick and mortar world of high street shopping.
To help protect against the threats to customers and retailers, some basic guidelines should be considered on both sides. These guidelines apply year-round, but need particular attention in a period where fraudsters are working harder to capture a slice of the legitimate online sales.
Protecting yourself as a customer
The rush to catch a bargain before it expires or sells out is a powerful way to get would-be customers to make mistakes they normally would not. Shoppers should bear the following points in mind before rushing to hit 'buy' on deals this weekend to avoid potential financial headaches.
Firstly, shoppers need to be conscious of how they arrive at a website. Criminals who have set up malicious or fraudulent websites will often lure in victims with well-crafted emails that make tempting offers of bargains. If an email is received with a tempting offer, shoppers should consider going to the site directly rather than clicking on links – this lets them ensure that they are visiting the site they intended to visit instead of being quietly redirected to a malicious site via a well-crafted email link.
Shoppers should then consider site credibility - where possible, they should try to make use of known sites whose brands they trust, or whose credentials can be validated via online reviews. While on these notionally trusted sites, customers should keep an eye out for signs that a site might not be what it claims. Unprofessional product images or descriptions, functional errors, and even unusual or inappropriate elements in the address bar such as a .org instead of a .com can be signs that the site is not credible.
Where it can be seen that all of the above tests have been passed, shoppers need to consider their payment and, where possible, make use of credit cards over debit cards. Credit cards offer a level of distancing between the money a person has in their bank account and any online transaction, and fraudulent card charges can typically be reversed and recovered quickly. Where criminals obtain debit card details the impact is more direct and immediate, as well as being more difficult to reverse.
Finally, shoppers should watch for websites asking for unusual information, particularly personal information with no clear association to the purchase being made. If a site attempts to collect unusual personal information, or attempts collection well in advance of taking an order, shoppers should approach the site carefully and consider shopping elsewhere.
Shoppers should also ensure their local protection is up to date; anti-virus tools and any web protection mechanisms should be checked periodically to ensure they are running the most recent versions to offer as much protection as possible.
Protecting yourself as a merchant
Elevated commercial activity over the Black Friday weekend also creates an opportunity for criminals to profit by directly targeting retailers and ecommerce platforms. This is particularly pressing this year as the global pandemic has forced many retailers to shift their activities online, sometimes without implementing protections which would be expected for more established online retailers. All online retailers should take steps to defend against likely threats in advance of the Black Friday weekend.
A common criminal tactic is to compromise the back-end of a website and insert a "skimmer" into pages where customers input payment card details. These skimmers are able to collect payment card data as it is inputted and send it directly to the criminals. Over the Black Friday period, this tactic could enable a criminal to harvest large volumes of payment card data, particularly as national lockdowns and individual health concerns are likely to result in less shopping at brick and mortar locations. Operators of retail and ecommerce sites are advised to monitor the integrity of code deployed to public facing webservers and be prepared to respond quickly if a compromise is detected. Operators should also consider monitoring weblogs for evidence of user traffic being redirected to unexpected locations.
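One way to carry out the code integrity monitoring recommended above is to record a hash of every deployed file at release time and compare the live web root against that baseline. The following is an added example, not part of the original article; the file names, the list of extensions and the temporary web root are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as deployed code (assumption for this example).
CODE_SUFFIXES = {".js", ".html", ".php", ".css"}

def build_manifest(root):
    """Map each code file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CODE_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def diff_manifests(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Run the check against a constructed web root in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "index.html").write_text("<html>shop</html>")
        (root / "checkout" / "payment.js").write_text("submitOrder();\n")
        baseline = build_manifest(root)  # taken at release time

        # Constructed drift: one file edited and one file added after release.
        (root / "checkout" / "payment.js").write_text("submitOrder();\n// edited\n")
        (root / "checkout" / "extra.js").write_text("// not in the release\n")
        return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The baseline manifest should be stored away from the web server it describes, so that whoever alters the deployed code cannot also alter the record it is compared against.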
The potential for heightened user traffic as a result of the pandemic also creates opportunities for extortion, particularly in a year when the retail sector has been under increased financial pressure. If a criminal were able to disrupt a retailer's operations, such as by launching a denial of service attack or by deploying ransomware on critical systems, then the victim could feel a great deal of pressure to comply with the attacker's demands. Retailers and ecommerce platforms should give consideration to this possibility and take steps to both improve resilience to these types of attacks and plan how the organisation will respond to a credible extortion threat.
While eagerly anticipated by many bargain hunters, the Black Friday weekend is a period in which both individuals and organisations are at heightened risk of being targeted by certain types of crime. Understanding what these are, what risks they may pose, and how to mitigate these risks can help protect both individual consumers and retail operators.