Security experts warn consumers ahead of seasonal fraud boom
Just days before the start of its massive Black Friday sale, Amazon on Wednesday revealed that a ‘glitch’ had inadvertently exposed customers’ names and email addresses on its website.
The e-commerce giant did not say how many people were affected or how their information was exposed, and customers were told they do not need to change their passwords. It is unlikely to be the last data breach, however, as scammers take advantage of the increase in spending around major sales events and the lead-up to Christmas.
US software company Symantec has blocked almost 700,000 attempts to steal customers’ card details through a process called ‘formjacking’ in the three months from mid-September to mid-November alone. Formjacking uses malicious scripts to capture customers’ card details when they make an online purchase and send them to the attackers as well as to the merchant. Even bricks-and-mortar point-of-sale systems are not necessarily immune to formjacking, Symantec said.
Garrett O’Hara, principal technical consultant at Mimecast, said consumers are also vulnerable to phishing scams at this time of year: they are actively looking for bargains and expecting confirmation emails from shipping companies, and are therefore more likely to click on a link in an unsolicited email.
“Seasonal sale periods like Black Friday, Cyber Monday, and Click Frenzy create the perfect storm for cybercriminals, with ‘click happy’ consumers far more likely to fall prey to social engineering and brandjacking-style cyber attacks,” he said.
O’Hara believes that retailers need to advise current and prospective customers to be on high alert for such scams.
“Highlighting the correct email address to expect notifications from is a simple and effective way to help customers avoid falling victim to cyberattacks,” he said.
Markets most at risk
Worryingly, scammers who didn’t traditionally target online shoppers have started to turn their attention to retail transactions. Global security firm Kaspersky Lab recorded 9.2 million attempts by banking Trojans to steal customers’ online credentials in the first three quarters of 2018, compared to 11.2 million for the whole of 2017.
Banking Trojans traditionally target users of online financial services, but several have enhanced their functionality and reach to target the data and credentials of online shoppers, and obtain root access to their devices, the security firm said.
Half of all online shops attacked were well-known consumer apparel brands, including fashion, footwear, gifts, toys and department stores, while consumers in Italy, Germany, the US, Russia and emerging markets appear to be particularly at risk.