Black Friday and Cyber Monday are two of the biggest days in the retail calendar when countless items are reduced in the run-up to Christmas. But even though it can be an exciting time for consumers, cyber criminals can also be busy on their devices. With this in mind, a number of industry experts have told us how you can stay safe over the next few days.
Kate Mollett, Regional Manager for Africa at Veeam
Seasonal shopping such as Black Friday provides an opportunity for hackers to take advantage of peak online traffic and consumers’ willingness to part with their data when buying gifts for Christmas.
We have seen high profile retailers experience technical issues during these critical trading periods and it is when there is downtime or unplanned outages that consumers become frustrated and take risks when it comes to the buying experience.
Black Friday heralds the start of the shopping season in South Africa. But in the rush to get that special deal, people can get distracted and even feel compelled to purchase something to save a few Rands. This presents a significant opportunity from a social engineering perspective to target individuals and compromise their personal data.
Getting caught up in the excitement of Black Friday can make a consumer an easy target for a hacker. For example, companies very seldom have the platform to deal with the spike in demand associated with such a once-off shopping onslaught.
In turn, this results in customers not being able to complete a purchase and searching for alternative sites where they can shop. Often, these sites are set up to capture sensitive user information through sophisticated phishing attacks. This data is then used to either steal from the individual themselves or target a financial institution or large corporate.
Irrespective of whether an organisation is using the most advanced cybersecurity solutions available, people will remain the weakest link in protecting data. Social engineering is about manipulating a user group or targeting an individual to share information they would not ordinarily share. The reality is that it is quicker to trick someone into providing a password or credentials than it is to hack a system.
The rapid digitisation of consumer and organisational records has also seen an increase in global data breaches and cybercrime. The more information that is stored online, the more opportunities exist for malicious users to try and access it.
Companies are continually building in checks and balances to protect their data. But the human factor remains a challenge. Such is the sophistication of social engineering that many people do not even realise they are being attacked or have been compromised. Even though organisations are trying to educate staff about cybersecurity, there will always be nuances that social engineers can exploit.
However, this does not mean a company should just give up and expect the worst to happen. Instead, ongoing education must be conducted around social engineering aspects such as increasingly sophisticated phishing attacks. Hackers use phishing as a gateway to deploy ransomware, so protecting against this should be a significant strategic priority.
Much of this comes down to how people access data. Most companies have embraced the BYOD (bring your own device) mindset and let employees use their own devices for work and accessing the corporate network. However, some are rethinking this approach. For example, employees cannot take their personal devices onto the trading floor.
A shift is starting to happen with more companies providing people with cell phones, tablets and laptops for work. These can be better secured and form part of a more integrated cybersecurity approach. The rise of social engineering and other forms of attack has resulted in businesses becoming more stringent in how data is accessed and shared.
This benefits organisations with operations outside of the country, especially given the importance of being compliant with GDPR (General Data Protection Regulation).
The financial repercussions of failing to comply with GDPR are significant. So, not only will BYOD be less of a priority, but user education will become more sophisticated. Teaching employees how to identify an attack, the steps needed to take if they have been compromised, and so on will become mission-critical.
This also means that cybersecurity training will need to become top of mind for every individual at the business. Training must happen more frequently, new employees must be onboarded more effectively, and the entire approach towards data protection must be evaluated.
The always-on business environment means attackers will target people irrespective of the time of day. The thinking around data protection must therefore shift into this always-connected environment. Inevitably, cybersecurity budgets will grow, and the security skills shortage will be addressed. But fundamental to this remains ensuring employees have an awareness around social engineering tactics and can respond accordingly.
Anna Collard, Managing Director of Popcorn Training, a KnowBe4 company
The holiday season is a sea of shopping, laughter, gifts and entertainment. It’s also a swamp of security risks and hacks and fraudsters, lurking on the edges of the festive fun.
You want to give the best possible gifts or find the best possible deals, but you need to approach your shopping and gift giving with a measure of common sense and a dollop of security awareness.
Crime is no longer on the high street, it’s online and it’s eyeing up your bank account, credit card details and personal information with alacrity. As you approach Black Friday and your holiday shopping, be aware of these five threats – fake Black Friday and Cyber Monday deals, charity tricksters, fake gift cards and vouchers, fake mobile apps, and bogus shipping notices.
Black Friday and Cyber Monday are major shopping events on the South African calendar, and this makes them a breeding ground for fake specials, malicious links and criminal activity.
There’s always an increase in fake special offers designed to lure people into clicking on a malicious link or opening a malicious attachment. People can end up handing out money for something that doesn’t exist.
To protect yourself from this type of scam, avoid clicking on pop-up adverts and special offers. Rather visit the site directly and search for the offer that way. Often, the links will take you to fake sites that look a lot like the real thing and that are designed to phish for your personal information and bank details. Always check the URL and remember, if it looks too good to be true, it probably is.
Charity tricksters are another nasty scam. At the end of the year, most of us feel the need to give back and fraudsters know it. They set up fake charities that use existing events or trends, such as refugees, and get you to donate the money to them. Only give money to reputable charities that are accredited or well known, check their URLs to ensure they’re not bogus, and never give out your personal information unless you’re 100 percent sure.
While fake charities are a new low for the cybercriminal industry, complimentary vouchers and gift cards are next-level clever. These fraudsters take advantage of people who have no idea what to buy for their significant other or who have left their gift shopping for the last minute.
They offer fake online vouchers and cards which have no actual monetary value when they are redeemed. You lose and so does the person you bought the gift for.
Gift card scams are not exclusive to online shoppers. There have been incidents where people have been phoned by fake police or government officials and told to purchase gift cards for a certain amount and to read the numbers out over the phone. The scammer takes your money after terrifying you. Another way they can take your money is by replacing the barcodes on the gift card with ones that belong to the scammer. When you put money into the card, the funds go directly into their bank account.
Finally, fake mobile apps and bogus shipping notices should be on your watch list. Many stores have their own apps, and these are very useful, especially when you’re planning ahead for the Black Friday sales. However, if you don’t download the app from the Google Play or Apple App store, you run the risk of downloading a fake version of that app. This is completely controlled by the cybercriminals who then nab your money and your bank details while you shop.
Fake shipping notices are a problem in December because so many people expect or send packages that you are less likely to eye an email with an unexpected shipping notice with suspicion.
You end up clicking on the attachment or filling out the form and next thing you know, you’ve been phished or hacked. Always check with the person who supposedly sent the package before you do anything, that way you can be absolutely sure it isn’t a scam.
Doros Hadjizenonos, Regional Sales Director, Fortinet
Big events like Black Friday are a perfect opportunity for cyber criminals to flood inboxes with ‘special offers’ that don’t exist, leading shoppers to fake websites where they part with their banking details to fraudsters.
Shoppers who fall for these phishing attacks will not receive the goods they ordered – they could also become victims of identity theft and have their bank accounts cleaned out by criminals.
South Africa is not immune from phishing attacks: recently, Fortinet researchers studying phishing domains found that South Africa was among the top 20 countries targeted in a large influx of phishing attacks; 59% of all successful ransomware infections are also transported via phishing scams.
Last year, payment card fraud cost South Africans over R873 million, according to the SA Banking Risk Information Centre (Sabric), and many of the losses occurred in transactions where the card was not present – such as in online shopping.
Shoppers are particularly vulnerable to phishing attacks when they’re sifting through masses of special offer emails, or sitting up at midnight hoping to grab the best bargains.
To avoid being fleeced this Black Friday, Fortinet recommends:
- Don’t click through to websites from emails. Before clicking on a link, hover the mouse over it to check the URL. If it replaces letters with numbers, such as amaz0n.com, don’t click on it. If you see a tempting deal, rather type in the known site URL and look for the deal yourself
- Be sceptical. Unusually low prices and high availability of hard to find items are red flags for scam sites. There are some good deals out there, but be very cautious if a deal looks too good to be true
- Phishing attacks can also be carried out through rogue mobile apps, which can also be used to mine for data or install ransomware. Be wary of unexpected invitations to install new apps on your mobile device
- Stick to reputable online retailers. If a site looks unprofessional, has a lot of popups, bad grammar, unclear descriptions and misspelled words, it may not be legitimate
- Make sure your connection is secure. When you are about to make a purchase, look at the address bar of your browser and make sure that it starts with https:// rather than http://, or look for a small lock icon on your browser. These mean that your transaction is protected
- Before shopping, check the payment mode. Avoid sites that require direct payments from your bank, wire transfers, or untraceable forms of payment
- Use your credit card and not your debit card to make a purchase, as most credit cards have built-in fraud protection and are not directly connected to your savings account. Even better – use a credit card that has limited credit available: that way, there are limited funds available to be potentially stolen
- Don’t fall for emails or phone calls apparently from your bank, asking you for personal information or card PIN numbers. If the communication sounds legitimate, call your bank back yourself
- Subscribe to your bank’s SMS notification service to be alerted to every transaction
- Make sure all your devices are updated and patched. Providers issue regular security updates designed to protect you from known threats
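The URL checks in the first and fifth recommendations above (digit-for-letter lookalikes such as amaz0n.com, and https:// before paying) can be automated, for instance in a mail filter or a link-checking helper. The sketch below is an added example, not code from Fortinet or the original article; the allow-list, the digit mapping and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; in practice, list the retailers
# you actually shop with.
TRUSTED = {"amazon.com", "example-store.com"}

# Assumed digit-for-letter substitutions: 0->o 1->l 3->e 4->a 5->s 7->t
DIGIT_FOLD = str.maketrans("013457", "oleast")


def _host(url):
    """Lower-cased hostname of a URL, without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_link(url):
    """Return a list of warnings for a link; an empty list means no flag."""
    warnings = []
    if urlsplit(url).scheme != "https":
        warnings.append("not-https")
    host = _host(url)
    if any(_matches(host, d) for d in TRUSTED):
        return warnings
    # Undo digit substitutions and see whether a trusted name appears.
    folded = host.translate(DIGIT_FOLD)
    lookalikes = [d for d in sorted(TRUSTED) if _matches(folded, d)]
    if lookalikes:
        warnings.extend(f"lookalike-of:{d}" for d in lookalikes)
    else:
        warnings.append("unknown-site")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://www.amazon.com/deals",
                 "http://amaz0n.com/black-friday",
                 "https://amazon.com.deals-example.net/"):
        print(link, check_link(link))
```

The third sample shows why the check compares the end of the hostname: a trusted name used as a prefix of some other domain is still reported as an unknown site.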
Selina Bieber, Regional Director for Turkey and MENA at GoDaddy EMEA
South African shoppers are expected to open their wallets for Black Friday, perhaps even outspending the R3 billion in card transactions they racked up on Black Friday last year.
Despite the marketing noise from the big retail brands, small businesses can also ride the wave of Black Friday by showcasing their brand, products and promotions online.
Here are some ways to get ready:
Ensure your website is ship-shape: If you will be doing some or all of your Black Friday marketing and sales through your website, you’ll want it to look its best. Some things to consider:
- Will it be easy for people to find your key offers on your website?
- Is it optimised for mobile devices?
- Do you have SSL security certificates to further protect your website and for customer peace of mind?
- Can customers easily find your contact details?
Learn from last year: If you ran Black Friday promotions last year, evaluate which items sold well, which didn’t, which were profitable for you and which weren’t. If you did not do Black Friday last year, do some Internet research to find out what customers in your industry did to get a feel for the market.
Monitor the customer pulse on social media: Social media monitoring can be a great way to find out what customers are interested in and what they’re looking forward to for this coming Black Friday and Christmas shopping seasons.
Plan your specials: You can use your market research and your evaluation of your performance last year to plan the specials and promotions you plan to offer this year. This takes careful thought and planning, as there is stiff competition in the market.
Crank up the hype machine: The customer journey for Black Friday begins weeks in advance of the big day – many consumers have, for example, saved for months for a big-ticket purchase like a television. You can start teasing your offers a couple of weeks in advance to help capture the interest of consumers who are starting to research the items they want to buy.
Prepare your campaigns: If you haven’t already done so, start putting together the creative and copy for your email promotions for engagement with your customers, your social media posts, your search ads and your website Black Friday splashes. You can try experimenting with different messages and creative to see which get the best responses.
Get the team ready: Make sure that you have the sales and fulfilment staff on hand ready to service demand, especially if you expect to be far busier on Black Friday than on the average day. Will you need to hire some temps? Have you ensured that enough workers will be on hand to process orders or answer phones?
What’s your plan B? On a busy day like Black Friday, you’ll want to have contingency plans in case something unexpected happens. Do you have a plan if the stock of your star product doesn’t arrive on time? And is there an alternative provider to fall back on if your usual courier can’t meet demand?
Carry the momentum through to Christmas and beyond: While it’s great to ship a lot of product and rack up some revenue on a big day like Black Friday, you could also use it as an opportunity to build momentum for the months to come. Think about promoting discount vouchers or free delivery offers for future orders to help get people to return to your website. And if appropriate, follow up via email to find out how they’re enjoying their Black Friday purchase.