Black Friday and Cyber Monday are notoriously conducive to cyber scams. In this article, CybSafe founder Oz Alashe offers five tips on staying safe during the annual sales.
‘If something seems too good to be true, it probably is.’
That’s the mantra cyber security professionals often turn to when asked for a blanket statement on staying safe online. If something seems too good to be true, it’s probably a scam. We should proceed with caution or, better still, not at all.
‘Black Friday designer deals too good to be true’, meanwhile, is the headline of a recent Marie Claire article promoting legitimate upcoming Black Friday deals.
So is it really any wonder Black Friday (and its sister-sale Cyber Monday) are so conducive to online scams?
Under normal circumstances, people are trained to be sceptical of improbable deals. Over Black Friday weekend, the rules change. For a brief period, consumers become expectant of mega-deals – offering cyber scammers a golden window of opportunity many are unable to resist.
Last year, experts predicted 50 million global cyber attacks over Black Friday and Cyber Monday. This year’s outlook looks much the same.
The threat isn’t solely personal, either. As many as 49% of online shoppers shop from work during sales. A single rogue click can compromise entire office networks. What can both businesses and people do to weather the storm?
1. Vet all emails stringently
On any normal day, promotional emails offering astounding bargains are treated with suspicion. Across Black Friday weekend, they’re actually expected. Knowing this, scammers send unusually high volumes of malware-laced emails to unsuspecting targets all over the world.
Clicking links or opening bogus attachments triggers a malware installation, making it crucial people verify the authenticity of all emails before clicking away. The sender address gives a good indication. Any misspellings? firstname.lastname@example.org? Hovering a cursor over a link usually reveals the link’s true destination, and verifying the destination as legitimate before clicking is essential to avoid infection.
2. Shop direct
Better still is a blanket boycott on clicking links in emails, or even opening promotional emails at all. After all, legitimate deals are publicised online. Navigating directly to e-commerce websites eliminates risk entirely.
Promoting shopping direct isn’t easy for an Information Security Officer to do: aside from being difficult to enforce, it promotes online shopping while at work. Unlike discouraging people to click links, encouraging people to shop direct inherently permits people to shop during working hours. Although that might seem risky, it’s a positive concession that social psychology tells us is highly likely to be repaid. Staff permitted to shop online through work networks (which happens whether we like it or not) are indebted, and those seeking to repay a debt are almost certainly more likely to shop in the manner recommended.
3. Avoid display ads
As well as distributing malicious software in emails, innovative criminals routinely distribute malware through online ads. It’s a simple enough tactic: dream up an irresistible offer, advertise the fraudulent offer online and embed the fraudulent ad with malicious software. Every new victim offers hackers access to a new security network.
Training users to avoid clicking display ads might go some way to dealing with it, but as Research Director Shari Lawrence Pfleeger notes, it’s usually more efficient to ‘implement mechanisms that enable [sic] employees to cope without training’ than it is to train people to avoid pre-existing threats. Company-wide ad-blockers might be a worthwhile investment.
4. Double-check website URLs
Malicious software isn’t the only elevated threat over Black Friday weekend. Direct identity and data theft are also rife.
Criminals use a variety of tactics to steal personal data, one of which is through fraudulent websites. It doesn’t take much to clone the site of a respectable retailer these days, and filling such a site with discounts is a surefire way to trick people into entering personal and financial details into fraudulent checkouts. It’s therefore worth people double-checking a website’s authenticity before submitting personal data. It seems obvious, but the URL deserves more than a cursory glance. It isn’t easy to spot the difference between prettylittlething.com and prettylitttlething.com, yet where one leads to a bargain, the other might mean turmoil.
It’s also important to check websites for encryption, identifiable via URLs beginning https:// as opposed to https://. Encryption passes data between a browser and a server securely, ensuring it isn’t visible to hackers.
5. Beware unfamiliar sites
Last year, Financial Fraud Action UK reported 31% of shoppers put themselves at risk when chasing bargains online. One such risk was via shopping through unfamiliar sites.
Superficially, fraudulent, unfamiliar websites can seem legitimate. They may even employ encryption. But making a purchase via an unfamiliar site is transferring money in the hope goods will be deployed in response – and such goods may never appear.
While the simple theft is unlikely to cause financial ruin, it’s still lining the pockets of criminals at personal expense. Given the elevated threat levels around Black Friday weekend, is shopping via unfamiliar sites really worth the risk?
If something seems too good to be true, it probably is.
Even, it turns out, on Black Friday weekend.