Vigilance Is Key to Mitigating Retail Cybersecurity Risk on Black Friday

November 25, 2019
| |
4 min read

Retail cybersecurity is always crucial, but it’s officially time for both retailers and customers to prepare for Black Friday. This year, analysts predict global retail sales on Black Friday and Cyber Monday will hit $7.5 billion, a 20 percent increase over 2018.

Cybercriminals are known to follow the money. The retail industry is a top target for financially motivated attacks year-round, and threat actors view holiday sales as an opportunity to strike it rich. The rate of cyberattacks against retailers spikes every November in the days after Thanksgiving.

Consumers and retailers should prepare for Black Friday security risks with awareness and vigilance. This year’s holiday shopping season is likely to include a mixture of attacks, including familiar threats and emerging techniques.

How to Protect Against 2019 Retail Cybersecurity Threats

There are clear risks associated with a retail cybersecurity incident. Customer trust is a major form of competitive currency for retailers, and a Black Friday security breach with data loss can cost retailers an average of $3.92 million and have long-term effects on sales and customer loyalty.

One-fifth of consumers will permanently take their retail business to a different company after a data breach, per KPMG. Thirty-three percent would take a break from shopping with a breached retailer for an extended period of time.

The possible risks of being victimized range in size and impact. A web application attack could cost millions, while a smaller-scale attack on gift cards or loyalty programs could cost thousands in stolen products. However, any loss of customer data may result in damaged trust.

Here are four risks to keep an eye out for this shopping season.

1. Web Application Attacks

Web application attacks represented 63 percent of data breaches in the retail industry over the past year, according to the 2019 Verizon Data Breach Investigations Report (DBIR). That’s a 58 percent increase since 2014. Some of the most common methods involved in retail web app attacks included malware to capture app data, spyware and keyloggers.

Across all industries, attacks against web applications are on the rise. Retailers are experiencing significantly less physical tampering and POS attacks than in years past, per Verizon. Web app attacks are part of a growing trend away from physical card theft, or “card-present” fraud, and toward card-not-present attacks.

The best defenses against spyware, keyloggers and other targeted malware include detection and mitigation capabilities that can identify malicious activity during the surge of Black Friday e-commerce activity.

2. Gift Card Theft

Consumers have become savvy about the risks and signals of credit card fraud. Most people check financial accounts regularly for signs of suspicious activity. As a result, thieves are now exploiting a different angle for financial gain that’s likely to go unnoticed.

“Who checks their gift card balances on a daily basis?” security principal Rick McElroy said in an interview with CNBC Make It. “Thieves get a lot longer to hide.”

Threat actors are stealing gift card data in multiple ways, including tampering with cards in brick-and-mortar stores to capture card numbers before a purchase. Krebs on Security reported that thieves scratch the backs of gift cards on retail racks to steal pin numbers, and cover their tracks with a widely available tape product.

There’s also been a surge of gift card attacks that use evolving digital methods, including bots that test millions of possible gift card numbers and PINs on retailer websites.

Retailers with physical locations should monitor for suspicious activity near card racks or consider putting gift cards behind the counter. Offering customers the opportunity to register cards online and choose a new PIN upon registration can help protect against theft as well. Finally, be sure to stay vigilant for signs of bot activity.

As a customer, avoid maintaining high balances on gift cards for long lengths of time whenever possible. Register retail gift cards online using a unique username and password, and change your PIN whenever possible. Finally, take a moment to inspect gift cards visually in-store for any signs of physical tampering or purchase cards online to mitigate risks.

3. Loyalty Program Exploits

Thirty-six percent of retail data breaches in the past year targeted customers’ personal information or user credentials. Loyalty programs are an increasingly common angle for cybercriminals, and the retail and hospitality industries are key targets. Gaining access to a customer’s retail loyalty account can offer multiple forms of payoff. Once inside, thieves can access loads of personal info, steal loyalty reward points or, if they’re really lucky, access stored credit card data.

As a retailer, it’s important to monitor year-round for signs of loyalty program exploits by staying vigilant for unusual sign-in behaviors or surges of loyalty point redemption. Adopting stronger password requirements can minimize the risk of customer accounts being compromised due to recycled or easily guessed passwords.

It’s risky business for customers to recycle passwords across multiple loyalty accounts, especially if you store your credit card on file. If you’re guilty of lazy password habits, consider updating your password for online retail accounts.

4. Social Engineering Attacks

The majority of retail cybersecurity events involve external threat actors. Just 19 percent of attacks last year involved inadvertent insider errors. However, studies show that retail is uniquely vulnerable to social engineering threats, including phishing and vishing attacks.

Cybercriminals are likely to exploit distracted workers during the surge of retail sales in the weeks ahead. Retailers should double-down on training and awareness activity, including efforts to educate seasonal hires.

Similarly, consumers should keep watch for social engineering attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an official warning to consumers about emails that contain malicious attachments or links during the upcoming holiday shopping season. SMS phishing, or smishing, is another form of social engineering attack that will likely be used in the weeks to come.

Remember, cybercriminals exploit distractions and emotions like panic. Remain watchful for emails or text messages that alert you to suspicious account activity or fake shipping invoices from major retailers. It’s wise to avoid clicking links or opening attachments, especially in text messages. Call a retailer’s customer service department if you receive suspicious account alerts.

Retail Cybersecurity Risks Will Spike on Black Friday and Cyber Monday

Retailers and customers can comfortably predict that they’ll be targeted on Black Friday and Cyber Monday. The single most important means of protection is vigilance. Don’t allow yourself to get so mixed up in the rush of rock-bottom prices that you forget to exercise secure behaviors or monitor for suspicious activity. Black Friday security threats tend to exploit distracted retail employees especially.

Consumers need to watch out for copycat emails and text messages to avoid being hooked by social engineering attacks. While it’s not possible or practical to monitor all of your gift card balances and loyalty accounts, be aware that maintaining high balances on gift cards can put you in the crosshairs. Fortunately, strong password practices can mitigate many of the risks tied to account compromise and loyalty point theft.

Jasmine Henry

Jasmine Henry (formerly Jasmine W. Gordon) is a Seattle-based emerging commentator and freelance journalist specializing in analytics, information security, ...
read more