Cyber Monday is coming. Last year, the online shopping event generated $6.6 billion, according to Forbes, and marked “the largest online shopping day in U.S. history.” According to CNBC, consumer spending is up strongly this year, suggesting that Cyber Monday 2018 could be another record-breaker.
Given the sheer number of customers, websites and companies that drive Cyber Monday success, consumers and businesses need to make sure security doesn’t get lost in the hustle and bustle. Cybercriminals are hoping that in all the commotion they can compromise user accounts, infect corporate websites and crack business networks.
With customers expecting both great sales and solid security, organizations must improve their data protection practices and implement effective defense strategies ahead of the online onslaught.
Why Retailers Must Adapt to the Evolving Landscape
Although Cyber Monday only started in 2005, the online sales frenzy has almost caught up to Black Friday in sheer sales numbers. Increasing familiarity with e-commerce stores and trust in digital transactions are paving the way. Fortune reported that more than 174 million American shoppers participated both online and in-store over the last Black Friday/Cyber Monday weekend, meaning that opportunities abound for attackers across platforms.
It’s up to retailers to justify and preserve the comfort levels that are driving their success. If cybercriminals are able to infiltrate smartphones and desktops with malware and phishing emails, consumers may unwittingly hand over account credentials and financial information. If companies can’t secure e-commerce portals, fraudsters could gain visibility into all transactions or place fraudulent orders and charge them to unsuspecting customers.
For retail companies, the trend is clear: Cyber Monday interest is on the rise among both consumers and criminals, meaning it’s no longer an option to post great deals without great security to back them up. Now, the holiday season calls for greater cybersecurity vigilance than ever, supported by evolving information security best practices for retailers.
Watch for This Year’s Most Common Scams
According to ACI Worldwide, fraud attempts are projected to increase 14 percent between Thanksgiving and Cyber Monday, with the average cost of fraudulent transactions rising 3 percent to $243. Meanwhile, the firm forecast the volume of purchases to increase by 18 percent as values rise by 19 percent.
Since more is at stake than ever for shoppers and retailers this season, cybercriminals are also varying their approaches, opting for omnichannel attacks across e-commerce sites, call centers, email accounts and in-store pickup programs, according to ACI Worldwide.
TechRadar reported that phishing attacks still account for half of all online fraud. That’s simply because they work: Well-crafted emails that convey a sense of urgency and create an emotional response can fool even experienced cybershoppers.
Meanwhile, Security Boulevard reported that threat actors also like to eavesdrop on insecure Hypertext Transfer Protocol (HTTP) sites and Wi-Fi to steal credentials and account information, leverage compromised devices to install keyloggers, and register typosquatted domain names that closely resemble popular Cyber Monday sites to collect and monetize consumer information.
5 Steps to Optimize Cyber Monday 2018 Protection
All the usual advice for consumer protection on Cyber Monday applies: Don’t save financial information on websites, watch out for email scams and avoid deals that are too good to be true. But retailers must hold up their end of the security deal as well.
Here are some security best practices for retailers to implement to keep consumers safe and protect corporate networks during the post-Thanksgiving shopping rush.
1. Account for Time
As noted by Forbes, cyberattackers don’t keep regular business hours. As a result, fraud rates may rise during off-peak traffic hours when there are fewer consumers shopping, but also fewer security personnel on duty.
Retailers should consider adding extra information security staff for the holiday season or implementing additional fraud checks for purchases made from different countries or after usual business hours.
2. Limit Purchase Velocity
Speed is another way malicious actors attempt to defraud Cyber Monday retailers. Instead of making high-value transactions that may be flagged as suspicious, attackers often make high-volume transactions — up to 10 times more quickly than legitimate users — to generate greater revenue.
Here, machine learning tools are invaluable assets to help identify and eliminate rapid-fire transactions.
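The checks described in steps 1 and 2 can be prototyped with simple rules before any machine learning is involved. The following is an added example, not code from the article: a sliding-window velocity check per account, combined with the off-hours and different-country checks from step 1. The thresholds, field names, staffed hours and sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; tune them against your own traffic baseline.
WINDOW = timedelta(minutes=10)    # look-back window for velocity
MAX_ORDERS_PER_WINDOW = 3         # more than this per account is rapid-fire
STAFFED_HOURS = range(8, 20)      # hours (store local time) with full security staff
HOME_COUNTRY = "US"               # orders from elsewhere get an extra check

def review_orders(orders):
    """Return {order_id: [reasons]} for orders that need additional fraud checks."""
    recent = defaultdict(deque)   # account -> timestamps still inside WINDOW
    flagged = {}
    for order in sorted(orders, key=lambda o: o["ts"]):
        reasons = []
        window = recent[order["account"]]
        # Drop timestamps that have aged out of the sliding window.
        while window and order["ts"] - window[0] > WINDOW:
            window.popleft()
        window.append(order["ts"])
        if len(window) > MAX_ORDERS_PER_WINDOW:
            reasons.append("velocity")
        if order["ts"].hour not in STAFFED_HOURS:
            reasons.append("off_hours")
        if order["country"] != HOME_COUNTRY:
            reasons.append("foreign")
        if reasons:
            flagged[order["id"]] = reasons
    return flagged

def _order(oid, account, hhmmss, country="US"):
    # Helper for the constructed sample data below (naive local timestamps).
    ts = datetime.fromisoformat(f"2018-11-26T{hhmmss}")
    return {"id": oid, "account": account, "ts": ts, "country": country}

# Constructed sample orders, not real transaction data.
SAMPLE_ORDERS = [
    _order("A1", "alice", "10:00:00"), _order("A2", "alice", "14:30:00"),
    _order("B1", "bob", "11:00:00"), _order("B2", "bob", "11:00:40"),
    _order("B3", "bob", "11:01:10"), _order("B4", "bob", "11:02:00"),
    _order("B5", "bob", "11:02:30"), _order("B6", "bob", "11:30:00"),
    _order("C1", "carol", "03:15:00", country="CA"),
]

if __name__ == "__main__":
    for oid, reasons in review_orders(SAMPLE_ORDERS).items():
        print(oid, ",".join(reasons))
```

Order B6 is not flagged because the earlier burst has aged out of the window, which is the behaviour that keeps a returning legitimate customer from being penalized indefinitely.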
3. Authenticate Users
Authentication is critical to Cyber Monday security. With many users still using weak passwords across websites — many of which are stolen in phishing scams — retail companies should implement two-factor authentication (2FA) wherever possible. Even low-friction options such as email or mobile codes can significantly reduce fraud and boost consumer confidence.
4. Separate Infrastructure
With many retail merchants now deploying both online and in-store sales to capture customer attention across Thanksgiving weekend, there’s an emerging need to separate point-of-sale (POS) and corporate infrastructure. This ensures that in-store device breaches don’t compromise e-commerce sites, and vice versa.
5. Manage Permissions
Who has access to what, when and why? Threat actors often exploit the chaos associated with Cyber Monday to infiltrate networks, install keyloggers and wait. It’s time for retailers to implement effective identity and access management (IAM) solutions that permit granular, permissions-based assignments of roles and responsibilities to foil criminal attempts to breach corporate systems.
Attackers are gearing up for one of the most lucrative days of their year on Cyber Monday. For retailers, the combination of increased consumer spending and security expectations demands stringent security practices that account for common threat vectors, prioritize user authentication, separate infrastructure and effectively manage permissions inside and outside the enterprise.