3 cybercrime threats your employees should avoid this Black Friday

Customers have grown accustomed to buying online in the wake of the pandemic more than ever before, and the trend continues to proliferate. This isn’t only the case in the retail sector, but across all supply chains and their numerous dependencies. But while both consumers and business customers alike might be hoping to score a bargain as the holiday season begins, so too are cybercriminals working overtime to step up their attacks.

Attacks on retailers and their supply chains tend to increase in the leadup to Black Friday and Cyber Monday. E-commerce platforms and digital payment systems are among the top targets during the period, but they’re by no means the only ones. Social engineering attacks carried out over business collaboration and communication platforms also increase as threat actors target distracted employees and customers alike.

Perhaps unsurprisingly, the online retail sector is a favourite target for cybercriminals during the holiday season. One of the most popular attack methods is so-called e-skimming, whereby attackers linger around online shopping carts to steal payment information. E-skimming is the digital analogue to compromising ATMs to steal payment card data.

Hackers often carry out these attacks using tools developed by the infamous Magecart dark-web crime syndicate. Attacks typically involve injecting malicious code into poorly protected online stores, including those powered by popular open-source platforms. This is why it is vital that every website or platform that handles sensitive data be protected by multiple layers of protection, including end-to-end security and multifactor authentication (MFA). In other words, attempts to access sensitive data should never be trusted and should always be verified, per the concept of zero trust security.

Some business leaders make the mistake of assuming that Black Friday cybersecurity risks only target the retail sector. However, as Black Friday and Cyber Monday promotions grow more popular in the B2B sector too, entire supply chains are at risk. Moreover, there is typically far more money to be made from compromising supply chains than individual consumer-facing businesses like small online retailers. Intercepting supply chain communications, for example, can compromise every organisation that depends on them.

Often, the weakest link in an organisation’s security lies somewhere down the supply chain. The average business now uses 110 software-as-a-service (SaaS) products, all of which need protecting. Communication and collaboration tools like Microsoft Teams are among the most commonly targeted platforms. This is not because they are inherently unsecure, but because attackers can use them to carry out highly targeted social engineering scams, which can then in turn grant them access to highly sensitive systems and data. This is why all such platforms must be bolstered by zero trust security and full auditability.

While it is easy to point the finger of blame at technology itself, many Black Friday attacks are entirely human in nature. The sheer popularity of communication and collaboration platforms means that that is where most social engineering attackers are focusing their efforts on. 

One of the most common tactics attackers use during the holiday season is the coupon scam and its various forms and derivatives. This method sees phishing fraudsters masquerade as colleagues or superiors in an effort to dupe unsuspecting employees into purchasing coupons and sending them to the fraudster. Of course, they then cash the coupons, which are normally untraceable, and are never heard from again.

To counter these threats, employees must be trained to be especially vigilant during periods of increased online transaction volume. That said, while common threats can be characterised by their sense of urgency and anything that seems too good to be true, there are plenty of exceptions. For example, an attacker who is clever and patient enough to find their way into your business communications platforms in order to masquerade as a fellow team member will likely come across as very convincing.

Fortunately, that is far less likely to happen if your collaboration and communication platforms are protected by multiple layers of security. The zero trust model, for example, makes it almost impossible for hackers to break into your systems and conduct potentially devastating social engineering attacks from the inside.