Kurhan - stock.adobe.com

NCSC issues retail security alert ahead of Black Friday sales

National Cyber Security Centre issues refreshed guidance as cyber criminals turn their eyes to the holiday shopping season

The UK’s National Cyber Security Centre (NCSC) has issued refreshed security guidance for online shoppers ahead of the incoming, annual Black Friday and Cyber Monday retail events.

Black Friday, a holiday originally made up by US retailers to entice bargain-hungry shoppers to its malls over the late-November long Thanksgiving weekend, went global in the 2000s alongside the spread of the internet, and it is now also accompanied by the Cyber Monday sales event.

Naturally, as with any high-profile event, cyber criminals will be waiting to cash in, anticipating that consumers will lower their guard during the rush to grab the best deals, said the NCSC. Its new guidance aims to help consumers before, during and after the online sales process, and includes advice covering secure payments, and steps to take if something goes wrong.

Its guidance accompanies a wider Action Fraud campaign, #FraudFreeXmas, which has just launched following a surge in online fraud reports. Action Fraud’s Pauline Smith said that last year, during festive pre-Christmas sales events, UK consumers lost more than £3m to criminals, with most retail scams involving mobile phones and other electronics.

“At this time of year, our inboxes are filling up with promotional emails promising incredible deals, making it hard to tell real bargains from scams,” said Sarah Lyons, NCSC deputy director for economy and society.

“We want online shoppers to feel confident that they’re making the right choices, and following our tips will reduce the risk of giving an early gift to cyber criminals. If you spot a suspicious email, report it to us, or if you think you’ve fallen victim to a scam, report the details to Action Fraud and contact your bank as soon as you can.”

Helen Dickinson, chief executive of the British Retail Consortium (BRC), added: “With more and more of us browsing and shopping online, retailers have invested in cutting-edge systems and expertise to protect their customers from cyber threats, and the BRC recently published a Cyber Resilience Toolkit for extra support to help to make the industry more secure.

“However, we as customers also have a part to play and should follow the NCSC’s helpful tips for staying safe online.”

The NCSC’s advice, which can be accessed online at its website, includes a number of tips, including being selective about where you shop, only providing necessary information, using secure and protected payments, securing online accounts, identifying potential phishing attempts, and how to deal with any problems.

Carl Wearn, head of e-crime at Mimecast, commented: “Some of the main things to look out for include phishing emails and brand spoofing, as we are likely to see an increase in both. Consumers should also beware of any messaging pressuring them into making quick purchasing decisions, such as flash sales or prize offers by clicking on a link, for example, as these are quite often scams.

“Sales and offers are usually well advertised, and it is always worth navigating to a retailer’s main website via your browser to check that an offer is legitimate. Please be aware that a bewildering array of frauds can be undertaken at this time, and please consider the security of any devices if you’re purchasing any connectable devices this season.”

Wearn added: “When buying online, ensure you use a credit card if at all possible, as you’re likely to find it easier to replace and gain a refund if it is subsequently misused. Many also offer purchase protection insurance for extra peace of mind. As always, but particularly at this time of year when we are after the must-have items for family and friends, if something seems to good to be true, then it often is.”

Read more about retail IT

Matt Cooke, cyber security strategist for EMEA at Proofpoint, said: “Our research has shown that UK retailers may be exposing themselves and their customers to cyber criminals on the hunt for personal and financial data, by not implementing simple, yet effective email authentication best practices. Email continues to be the vector of choice for cyber criminals and the retail industry remains a key target.

“Organisations in all sectors should look to deploy authentication protocols, such as Dmarc, to shore up their email fraud defences. Cyber criminals will always leverage key events to drive targeted attacks using social engineering techniques such as impersonation, and retailers are no exception to this.

“Ahead of Black Friday, consumers must be vigilant in checking the validity of all emails, especially on a day when guards are down, and attentions are focused on grabbing seasonal bargains.”

Ilia Kolochenko, founder and CEO of ImmuniWeb, said the risks of online shopping were heightened this year because of the Covid-19 pandemic.

“During the pandemic, many small local shops moved online, without any precautions in terms of security or privacy, let alone compliance,” he said.

“On the dark web, we are observing a growing number of diversified proposals offering access to hundreds of breached and backdoored small e-commerce websites, which may be sold as cheaply as several dollars per website.

“The website owners are obviously unaware of this. Moreover, many cyber gangs patch the vulnerabilities that they exploited to get in, thereby precluding their criminal competitors from taking over the unwitting victim.

“Thus, online shoppers unfortunately cannot do much to secure themselves when the online shop is already compromised.”

One of the most widespread and well-known post-compromised exploitation vectors is Magecart, a credit card skimmer injected into websites that leeches the credit card details of unwitting victims to sell on in underground cyber crime forums.

Unfortunately, said Kolochenko, online shoppers should therefore avoid unknown or small sellers unless they can convincingly demonstrate their security, and perform all online transactions with a dedicated credit card with as small a credit limit as you can stand.

Read more on Hackers and cybercrime prevention

Data Center
Data Management