Criminals will do everything they can to take advantage of the large number of people expected to look for bargains online on Black Friday, cyber and counter-fraud figures are warning.
Amber Burridge, Head of Fraud Intelligence at the fraud prevention trade body Cifas, said: “From fake social media posts to spoofed websites, fraudsters have a wide range of sophisticated ways to make people believe that they are interacting with a trusted, legitimate company or person.
“My advice to consumers is to be vigilant when buying online, and make sure you check the product is being sold by a reputable source. Never feel rushed or pressured into a decision that you may later regret, and always use the secure payment method recommended by reputable online retailers and auction sites.”
Anything with an Internet address can and will be attacked, said Adam Bangle, VP EMEA, BlackBerry. He said: “We’ve certainly witnessed this happening on a large scale with the proliferation of Internet of things (IoT) devices in recent years, and we’re likely to see the magnitude and complexity of these attacks escalate in the years ahead, as the IoT grows to 67 billion new connected devices by 2025.
“The IoT is a misunderstood risk. Securing everything means just that: every ‘thing’ must have secure endpoint protection, or else it can be used as a doorway to entire networks, threatening safety, privacy and data. One concerning case last year saw cyber attackers take over a family’s smart home devices to blast music at loud volumes, talk to the couple through a camera in their kitchen, and crank their thermostat to 90 degrees.
“The onus should first fall upon IoT manufacturers to secure their devices. But this doesn’t mean the consumer and the enterprise shouldn’t exercise their own cyber hygiene: awareness of what is at risk, usage of secure passwords and multi-factor authentication, and finally an attitude of zero-trust.”
As for consumers receiving phishing emails, Tod Beardsley, research director at cyber product company Rapid7, said: “Phishing attacks typically engage the user with a message intended to solicit a specific response, usually a mouse click, via an emotion or desire, such as, ‘You could win a £50 gift card to Restaurant X’, ‘Your purchase order has been approved’ and ‘Your account will be cancelled if you do not log in immediately’.
“It is important to know about phishing emails and what you should look out for. You do not normally know when to expect a phishing email and they often look like perfectly safe normal emails. Approximately 250 billion emails are sent per day, with one in 2,000 being a phishing attack. With roughly 135 million attacks a day, some phishing emails will undoubtedly slip through the net.
“Cybercriminals will invest a considerable amount of time into research and producing convincing messages that target a consumer. They are also opportunists.”
As for ecommerce websites, Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams, said that unpatched, open-source software comes with vulnerabilities. He said: “The minute retailers see unusual traffic patterns, they should assume an attack designed to slow the site down, take it offline, or steal data is under way.”
And Rafe Pilling, Senior Threat Researcher at Secureworks, said that the de-centralisation of the employee base (employees working from home), less reliance on centrally managed IT infrastructure by use of cloud services and employees using more of their own devices, have increased resilience to some types of cyber attack. “It’s more difficult to conduct a wide-scale ransomware attack against an organisation whose users aren’t directly connected to the network and that uses multiple cloud service providers to deliver business systems. However, these changes come with their own risks that need to be carefully managed. Monitoring becomes more challenging. A greater emphasis is placed on identity and access management, ensuring only the right users can access the right systems. Additionally, as more companies use cloud services, from a relatively small pool of large cloud infrastructure providers, a lot of businesses and consumers notice when that cloud infrastructure has a temporary disruption.
“The situation is far from hopeless though. A few key controls like adopting multi-factor authentication, expedited patching of internet facing devices, securing remote access solutions, effective enterprise monitoring of systems and networks, and threat intelligence informed risk prioritisation put businesses in a strong position to resist a range of common cyber threats including criminal ransomware attacks, business email compromise and targeted intrusions (APT).”