It's that time of the year for shopping, celebrations, and buying holiday gifts for friends and family. It's also the time of year when cybercriminals ramp up their phishing scams, trying to get people to click on links that let them into their electronic devices for data and identity theft.
I started by querying Google for "Black Friday Cyber Monday security tips." The search returned over 32 million results, which is not surprising. Looking at the articles on the first few pages, I reviewed those from last year so that the tips would be reasonably current. I found various articles from top security vendors, security advocates and retailers, each presenting their views and tips on what people should do to protect themselves when shopping for deals in stores and online. I copied the information into a spreadsheet to track the data, then categorized it and created actionable tips for each category. What resulted was an interesting breakdown of data, from phishing to MFA to reading reviews. Based on the results, let's review the security reasons behind these tips.
Figure 1 - Collected Review of Security Tips
Watch out for phishing emails
After reviewing the data, I was not surprised to see that the most common recommendation was to be aware of Black Friday and Cyber Monday phishing attacks. We all know about phishing attacks: cybercriminals send a general or targeted email with a social engineering lure of greed, curiosity or fear to get the victim to click a link or open an attachment, ultimately leading us to take an action against our own interests.
Driven by the emotion the email stirs up, the user clicks the link or opens the attachment. Either action can result in the cybercriminal installing malware on the user's computer or device, with the plan of stealing money or identity.
Phishing is one of the top ways cybercriminals get into organizations, and at its core it is simply a way to get people to click on a link. Such scams can be emails advertising an opportunity to buy the latest hot toy, or a notice that a recent credit card transaction was declined and/or a purchase order was canceled. This last method is especially effective if the order was for a family member: the user panics and clicks on the link.
Consider the concept of "trust but verify." Users should check the purchase directly by going to the retailer's website themselves and reviewing the order there, or by calling the support number listed on the actual website, to verify whether the transaction was really canceled.
Below is an example of a phishing email offering 80% off expensive handbags. Someone not paying attention, or more focused on getting one of these bags, may dismiss the possibility that this is a cyber attack, click on the link and go through the process of handing over their credit card information.
Figure 2 - Phishing scam for 80% off at a popular clothing store
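The "trust but verify" habit above can be partly automated. The following is an added example (not from the original article or any vendor): it pulls every link out of an HTML message and flags the warning signs a careful reader would look for, such as visible text that names one site while the real target is another, a target that is not served over HTTPS, or a target outside the retailer's own domain. The sample message, the retailer domain `example-store.com` and the function name are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Anchor text is often a bare "www.shop.com/sale"; add a scheme so urlparse sees a host.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_suspicious_links(html, trusted_domain):
    """Return one finding per link that shows a warning sign: visible text naming a
    different host than the real target, a non-HTTPS target, or a target outside
    the retailer's own domain (trusted_domain and its subdomains)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = _host(href), []
        if re.search(r"\w\.\w", text) and _host(text) != target:
            reasons.append("visible text points to a different host")
        if urlparse(href).scheme != "https":
            reasons.append("target is not HTTPS")
        if target != trusted_domain and not target.endswith("." + trusted_domain):
            reasons.append("target is outside the retailer's domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample message for this example (not a real phishing email).
SAMPLE_EMAIL = (
    "<p>Only today: 80% off designer handbags!</p>"
    '<a href="http://example-store-deals.net/login">www.example-store.com/sale</a>'
    '<a href="https://www.example-store.com/help">Contact support</a>'
)
```

Running `find_suspicious_links(SAMPLE_EMAIL, "example-store.com")` flags only the "sale" link, for all three reasons, while the genuine support link passes.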
Use strong and unique passwords
Another topic discussed is using strong and unique passwords for online accounts, especially retailer accounts. Alongside strong and unique passwords, though recommended less often, was the use of multi-factor authentication (MFA). With the large number of data breaches exposing usernames, passwords and other sensitive information, large collections of this data have been amassed. Cybercriminals replay these credentials against other websites in credential stuffing attacks, so people who reuse the same password across multiple sites face a much higher risk of their account on a targeted website being compromised.
Not surprisingly, people often reuse passwords because they are easier to remember. However, you may be surprised how much easier it is to use a password vault to store your strong and unique passwords, and your security question answers too. A wide variety of password vault applications are available, and a quick Google search will provide a list of established and secure products and services.
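From the retailer's side, the credential stuffing described above has a recognizable shape in the login logs: one source address trying many different usernames, with most attempts failing. The following is an added example (not code from the article or any vendor) that scores login events per source IP and flags that pattern; the log line format, the thresholds, the usernames and the documentation-range IP addresses are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed log format for this example: one line per login attempt.
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def detect_credential_stuffing(log_lines, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames with mostly failed logins.
    A real user mistypes one password for one account; a stuffing bot replays
    breached username/password pairs across many accounts and most of them fail."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:  # skip lines that are not login events
            continue
        stats = per_ip[m["ip"]]
        stats["users"].add(m["user"])
        stats["ok" if m["result"] == "OK" else "fail"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        attempts = stats["ok"] + stats["fail"]
        if len(stats["users"]) >= min_users and stats["ok"] / attempts <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "attempts": attempts, "successes": stats["ok"]}
    return flagged

# Constructed sample log (documentation IP ranges, invented usernames).
SAMPLE_LOG = [
    "2023-11-24T09:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2023-11-24T09:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2023-11-24T09:00:03Z ip=203.0.113.7 user=carol result=FAIL",
    "2023-11-24T09:00:04Z ip=203.0.113.7 user=dave result=OK",
    "2023-11-24T09:00:05Z ip=203.0.113.7 user=erin result=FAIL",
    "2023-11-24T09:00:06Z ip=203.0.113.7 user=frank result=FAIL",
    "2023-11-24T09:01:10Z ip=198.51.100.4 user=alice result=FAIL",
    "2023-11-24T09:01:25Z ip=198.51.100.4 user=alice result=OK",
]
```

The one successful login from 203.0.113.7 is exactly the reused password the attacker was looking for; the second address is a normal user who mistyped once.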
Use digital wallets
One of the less commonly recommended, but worth-mentioning, tips I researched is using a digital wallet to make your purchases. This is not always possible, depending on the point-of-sale system being used. Since the impact of COVID-19, many stores have adopted contactless payment systems to reduce transmission of the disease compared with handing a credit card to a store clerk. This feature uses software, encryption and NFC (near field communication) to transmit the information the payment system needs. Digital wallets can be a credit card, a bank's mobile app, or a platform like Apple Pay or Google Pay. Using a digital wallet can reduce credit card theft because the card is never shown to the store; everything is transferred through the payment system without a swipe or the credit card number being exposed.
It is interesting to note, from reviewing the security professionals' recommendations, that the most common tips are the practices security professionals proclaim throughout the year: avoid phishing, use strong passwords, use VPNs, and keep your software and devices updated and patched. People often choose convenience over security and may prefer to risk exposure and take the chance that the email about 80% off at the expensive clothing store is real.
After examining the recommended tips and information from various articles about protecting yourself online for Black Friday and Cyber Monday, the one piece of advice that stays true above all is "If it's too good to be true," which is what everyone should be paying attention to, and not just around the holidays.
For more information and tips, I highly recommend checking out KnowBe4's 10 Holiday Season Cybersecurity Tips, found here:
The document is easy to print and display at home, in the office or in the home office.