The beginning of the festive shopping period is well and truly upon us with ‘Black Friday’ and ‘Cyber Monday’ both just around the corner.
On Friday 24 and Monday 27 November, millions of consumers will delve into their pockets to make the most of widespread deals and offers and, as they do, cyber-criminals will try to reap the benefits of what a plethora of research and numerous warnings suggest could be the riskiest ever time to shop online.
I spoke to John Shier, senior security expert at Sophos, to find out what he has seen in the recent days building up to Black Friday/Cyber Monday; whether phishing risks have evolved from last year (or stayed the same), what consumers should be on the lookout for and ultimately what they need to be doing to keep themselves safe.
“It’s another Black Friday/Cyber Monday, and for the most part we’ve been seeing the same things [as previous years],” he said. “What’s been ‘interesting’ (in a non-interesting way) is that I’ve seen scams that I’ve been seeing for the last 10 years, and I consider there to be three different categories of content that users receive at this time of year: spam, scams and malicious stuff.”
Shier explained that the one consistent feature of Black Friday/Cyber Monday threats is that they take advantage of anticipated product releases (this year the iPhone X seems popular) and go after what people want: a ‘too good to be true’, buy-now bargain.
So, while there has been no real shift this year in the tactics cyber-criminals appear to be using in their Black Friday/Cyber Monday cons, Shier warned that a notable phishing theme of 2017 could cause users problems as their inboxes become inundated with shopping-related emails, both legitimate and malicious.
“When we look at email phishing and the types of scams you get through that medium, what we have noticed is a lot more DocuSign-related phishing,” he said. “The key thing about DocuSign as a lure is that it’s got the promise of a document at the end, so not only is there the credential piece where you can lose your credentials to the criminals, but you also expect the delivery of a document at the end of the transaction, which makes it more dangerous because the user can be presented with whatever the attacker wants.”
There has been a spike in the DocuSign scams, Shier added, and while it may not be directly Black Friday/Cyber Monday-related, it is related in that users are likely to receive it amongst all the easily-recognizable scams of this time of year and, because it looks more legitimate, more could actually fall for it.
If that’s what he has been seeing so far, I asked Shier if there was anything he expected to see that he hasn’t come across yet.
“One of the things I expected to see that I haven’t is a tie-in with ransomware,” he explained. “With ransomware-as-a-service it’s never been easier for anyone to create a ransomware campaign. This past year has been all about ransomware and because it’s everywhere, I don’t think it’s a stretch to think that the threat is greater at the moment due to the amount of emails arriving in your inbox. What would be interesting is if we started to see a crossover of ransomware and a Black Friday/Cyber Monday branded campaign, and if that does happen I wouldn’t be surprised.”
To conclude, I asked Shier what users should be doing over the coming weeks to avoid falling victim to scams, and his key advice was to “slow down and think” and question the legitimacy of the ‘too good to be true’ offers that flood inboxes.
What’s more, consumers need to be made more aware that the green padlock that appears in the browser does not mean a site is safe: “it only means that communications between you and the site are encrypted.” A phishing site can obtain a valid certificate and display exactly the same padlock; it says nothing about who operates the site.
Finally, shoppers should avoid using networks that aren’t trusted or secure, and be prepared to ‘decouple’ the act of buying an item from the email that advertised it: open a separate browser tab and navigate to the retailer’s site yourself rather than following the link, “that way you’re far less likely to fall for things like typo-squatting where it looks like you’re going to the legitimate site but really you’re going to an imposter site.”
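The last two points, that the padlock proves nothing about who runs a site and that the link in an email may not go where its text says, can be turned into a mechanical check. The following Python is an added example, not code from the article or from Sophos: it pulls the real hostname out of an email link, compares its registrable domain against an allow-list of retailers, and flags lookalikes by folding common character substitutions (0 for o, 1 for l, rn for m) and measuring edit distance with adjacent-character swaps counted as one edit. It also reports when the visible anchor text names a different domain than the href. The allow-list, the cut-down public-suffix table, the confusable map and the sample anchors are all assumptions constructed for illustration; a real deployment would use the Public Suffix List and the user's own list of shops.

```python
"""Lookalike-domain check for links in shopping e-mails.

Added example, not code from the article or from Sophos. The allow-list,
the cut-down public-suffix table, the confusable map and the sample anchors
are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: the retailers this user actually shops with.
KNOWN_DOMAINS = {"amazon.co.uk", "amazon.com", "apple.com", "argos.co.uk", "docusign.com"}

# Assumption: just enough of the public-suffix list for the sample data.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Single characters attackers swap in because they read alike at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# <a href="...">text</a>; double-quoted href only, which is all the samples use.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host):
    """'amazon.co.uk' from 'www.deals.amazon.co.uk'; 'offers-today.net' from
    'amazon.co.uk.offers-today.net'. Uses the simplified suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain):
    """The label a user reads as the brand: 'amazon' from 'amazon.co.uk'."""
    return domain.split(".")[0]


def normalise(label):
    """Fold digit/letter confusables and the 'rn' -> 'm' / 'vv' -> 'w' tricks."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(href):
    """Return ('known' | 'lookalike' | 'unknown', registrable_domain).

    The scheme is ignored on purpose: https and a valid certificate are
    exactly what a phishing site also has. A 'lookalike' is any hostname
    label, or hyphen-separated piece of a label, that is within one edit of
    a known brand after confusable folding, e.g. amaz0n-deals.co,
    docusgin.com or amazon.co.uk.offers-today.net.
    """
    host = urlparse(href).hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return "known", domain
    tokens = set()
    for label in host.split("."):
        tokens.add(label)
        tokens.update(label.split("-"))
    brands = {brand_label(d) for d in KNOWN_DOMAINS}
    for token in tokens:
        if len(token) < 3:  # 'co', 'uk', 'www' are never a brand here
            continue
        folded = normalise(token)
        if any(edit_distance(folded, b) <= 1 for b in brands):
            return "lookalike", domain
    return "unknown", domain


def audit_anchor(html):
    """Check one HTML anchor from an e-mail: where it really goes, and whether
    the visible text names a different domain than the href does."""
    m = ANCHOR_RE.search(html)
    if not m:
        return None
    href, text = m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip()
    verdict, domain = classify_link(href)
    text_host = ""
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.IGNORECASE):
        text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
    mismatch = bool(text_host) and registrable_domain(text_host) != domain
    return {"verdict": verdict, "domain": domain, "text_says": text_host, "mismatch": mismatch}


if __name__ == "__main__":
    # Constructed sample anchors, the kind a Black Friday mailout would carry.
    for sample in (
        '<a href="https://www.amazon.co.uk/deals">Shop the deals</a>',
        '<a href="https://amaz0n-deals.co/iphone-x">www.amazon.co.uk</a>',
        '<a href="http://amazon.co.uk.offers-today.net/login">Sign in</a>',
        '<a href="https://docusgin.com/view">Review your document</a>',
    ):
        print(audit_anchor(sample))
```

Anything on the allow-list is "known", anything close to it is "lookalike", and everything else is "unknown", which is deliberately not the same as safe: a retailer you have never used will show up as unknown, and the right response to both unknown and lookalike is the one Shier gives, open a new tab and go to the shop yourself.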