In the U.S. many organizations offer the day after Thanksgiving, which falls on a Thursday, to their workers as a holiday. Brick and mortar American retailers have capitalized on this reality for years. To such an extent, in fact, that the day has become known as Black Friday, an unofficial holiday marking the beginning of the winter holiday shopping season, celebrated by the grossest displays of unbridled consumerism and shameless salesmanship.
Even more recently, Black Friday’s shadow has expanded into the following week, and Cyber Monday has emerged as its online equivalent. For the first time ever, according to information from American Express, consumers will spend more money on Cyber Monday than they will on Black Friday, and perhaps smartly so, considering the fist fights and tramplings that have become yearly occurrences on Black Friday.
To discuss this subject, we invited a special guest, Angel Grant, a security expert from RSA, and she is going to teach us about the most prevalent threats we are likely to face shopping online this week and throughout the holiday season.
Angel, what impact will the unique enormity of this Cyber Monday – as it’s going to be bigger than any that has preceded it – have on consumer security and the pocket books of criminals?
The enormity is significant as Cyber Monday is about a 55% increase in daily online retail revenues. This year we are anticipating that more people will shop online on Cyber Monday than will physically go to brick and mortar stores on Black Friday.
So from a consumer and merchant perspective both need to be incredibly vigilant about security as cybercriminals will follow the money, and particularly for consumers they should be aware that we are expecting to see about a 64 percent increase in cyber crime activities during peak shopping.
To put things in perspective, based on a recent report RSA conducted with Ponemon, if a merchant’s website on Cyber Monday has a DDoS attack, just being down for one hour can cost them over $500,000 – or $8,000 per minute just in lost traffic revenue.
DDoS – or distributed denial of service attacks that knock retailers’ websites offline – are a thing that the retailers are going to have to worry about. Generally speaking, consumers are going to have to deal mostly with phishing attacks. So, what kinds of phishing attacks are you seeing this year and how successful are they?
Yeah, so, we are definitely seeing the amount and types of phishing attacks increase this year. For example, in October, RSA’s AFCC (Anti-Fraud Command Center) saw an 84 percent hike in attacks year over year, which really shows that cybercriminals are already gearing up for the holiday season.
Also, it is important to remember that online shopping season is no longer just about shopping from your PC. This year we are expecting to see about 20 percent of all e-commerce shopping conducted from a mobile device. This is coupled with the fact that over 50 percent of all emails opened this year were also on a mobile device. This really sets the stage for a growing attack surface, as fraudsters know that retailers are investing heavily into building mobile apps, creating web exclusives, and increasing their digital advertising spending this time of the year.
Based on this fact, the fastest growing phishing trends we are seeing are targeted toward mobile usage, such as SMSishing – which is basically a text message with a link that brings users to a phishing page. So for example, one popular scam is a consumer may get a text saying they’ve won a gift card, and when they click on the link in the text, the consumer will be taken to a website to enter personal or account information with the intent for the fraudster to use it at a later time. So, from a consumer perspective, in order to avoid this, users just shouldn’t click a link from unsolicited texts, emails, or social media posts.
The move seems to be that phishing is moving from traditional PCs into mobile phishing, but besides phishing, what other prominent threats are consumers facing when they shop online on Cyber Monday?
There are four primary threats consumers should be aware of this season:
First is rogue mobile applications, which are essentially apps pretending to be from legitimate merchants but that are really designed to phish account credentials, cashing in on rebates, or card reward programs. So when consumers download a mobile app they should get it directly from their service provider – most banks, eWallet providers, retailers, and social networks all have links to their original applications on their websites. And consumers using Android devices should actually be extra cautious, as they tend to be the most targeted.
Now, the second threat is that users should expect social networking sites like Facebook or Twitter to be prime targets this year for scams, because fraudsters know we tend to let our guard down when on these sites. Fraudsters will try and trick you into downloading malware-infected coupons or promotions posted on social media, or they may make it appear as if it was sent to you by one of your “Friends.” Or you might be asked to “like” a page or complete a survey and you will get a gift card after you provide your personal information.
The third threat users should be aware of is credit card testing: because of the high volume of e-commerce transactions during the holidays, cybercriminals use this time to test stolen cards they have purchased in bulk from the underground. So in the hustle of the holidays it is even more important to monitor the purchases on your credit card to ensure they are legitimate.
The fourth threat we need to be aware of is spear phishing attacks targeting the companies we work at, as many of us will be shopping this year with the same devices we use for work. If you plan to do this, you need to be especially careful and remember that if you click on a malware-infected link this will not just impact you but also potentially could harm the company you work for.
Let’s stick with phishing for a second. In a number of cases, phishing attackers will disguise themselves as legitimate businesses, whether via email or, like you said, malicious coupons on social networks – what, if any, responsibilities do the retailers have toward customers when a criminal is masquerading as that business?
To start, both consumers and retailers have responsibilities. However, retailers have a regulatory responsibility to secure and protect customers’ card and personal data and will potentially be subject to fines if they don’t.
It is also critical that retailers understand whether it is a customer or a criminal transacting and interacting on their site. Gaining visibility and detecting attacks prior to an incident occurring not only helps them minimize the possible consequence of fraud chargebacks in January, but it also helps them sustain their brand and customer relationships. This is incredibly important because the costs from customer abandonment and from brand and reputation damage can drive monetary losses well over $3.4 million just from a single hour of disruption.
On the other side of that, getting back to the credit card side: what is the retailer’s responsibility toward guaranteeing that the payments that they are accepting for goods or services are actually coming from legitimate card-holders and not – as you said before – from people who have bought credit card information more or less wholesale on the Internet?
Right. From a payments perspective, one of the things that merchants always struggle with is that delicate balance of risk, cost, and convenience to ensure users have fast checkout times with a low abandonment rate. However, there are commercially available products and best practices that merchants should take into consideration. They should do things like take precautions to ensure that the consumer shopping on their site is legitimate and to ensure the payment mechanism is legitimate. They can do that by supporting things like Verified by Visa and Mastercard’s SecureCode, which help ensure the payments they are accepting are coming from legitimate cardholders.
Sticking with this, what other things are people like you and companies like the ones we work for doing to curb these sorts of online shopping scams?
One thing to remember is that fraudsters are going to continue to follow the money so the amounts of attacks are going to continue to increase. They aren’t going to go away. Consumers are aware of online security products, but most are not aware that they are being protected by merchants, because it is going on behind the scenes. And that is what RSA does. A lot of the solutions we provide are behind the scenes. We protect billions of consumer online transactions behind the scenes.
For example, an anti-phishing and Trojan service in which the world’s largest online retailers are protected by organizations identifying and shutting down sites and resources hosting phishing and Trojan attacks, and conducting forensic work to recover compromised credentials – like stolen credit cards.
I was going to ask you if these scams are ever going to go away, but you already answered that with a resounding no. So, considering that the total number of attacks is up and the number of security solutions and general awareness is up as well, are we seeing more or fewer victims of online shopping scams?
We are sensing more victims of these scams each year. And it’s unfortunate; consumers and retailers do need to be more vigilant, but the types of attacks are becoming so sophisticated because of the sophistication of the fraudster underground. So we need to think a bit differently as an industry to better help consumers while they are shopping online. In order to do that we need to have better collaboration to gain better visibility into these threats so we can protect consumers more and more.
The fraudster community is getting very creative, so the solutions to protect the consumers will have to be creative as well.