by Rick Grinnell

Consumer-targeted phishing and fraud are rising in time for a COVID holiday season

Nov 17, 2020

A most unusual e-commerce season puts pressure on retail CISOs to protect customers from cyberattacks


Black Friday and the holiday shopping season are on the horizon, and the spammers are already at work. Customers receive an email “advertising” a special limited offer, encouraging them to click links leading to websites pretending to be well-known retail chains or e-commerce brands. 

The tactic isn’t exactly earth-shattering. We’ve seen this type of scam during past holiday shopping seasons. What makes it different this year is COVID-19. The majority of people will be doing most of their holiday shopping online this year. Many of those folks are still working from home, effectively doing everything online. Folks are more distracted than usual, and therefore more vulnerable. They need help, and they need it from the retail chains and commerce brands themselves.

If you’re the CISO of a consumer brand, you can’t force your customers to take security awareness training classes to be more aware of the threat. You can’t stop attackers from sending phishing emails and you can’t stop your customers from receiving them – and clicking on whatever links are inside. But you can – and ought to – step up efforts on the business side to protect your customers from becoming the victims of fraud. 

Fraudsters taking advantage of COVID-19 already

When people began staying home in March due to the pandemic, e-commerce traffic increased by 23 percent in that first week of the lockdowns. So it isn’t surprising that nearly a quarter of Americans – 22 percent – revealed they’ve been targeted by digital fraud related to COVID-19, according to a TransUnion survey.

E-commerce fraud had already been skyrocketing, as the TransUnion study also found that between 2018 and 2019, there was a 347 percent increase in account takeover and 391 percent rise in shipping fraud attempts globally against its online retail customers.

None of these numbers bode well for cybersecurity during what promises to be a very unusual holiday season. While there will always be die-hard shoppers who will head out to brick-and-mortar stores, we should expect that the current pace of COVID-19 infections will produce a record number of online sales. Since cybercriminals always flock to where internet users are, Black Friday, Cyber Monday, and other holiday shopping deals are going to be the next threat vector.

Different form of phishing

These attacks aren’t your normal phishing attacks. Usually, phishing goes after employees, but increasingly hackers are targeting customers. Most companies have security plans in place to defend from phishing attacks against employees, but they don’t have an action plan for the consumer side. The tried-and-true anti-phishing solutions or phishing behavioral modification tools are designed to protect employees from unknowingly initiating a data breach and exposing critical corporate and customer data.

But this different type of phishing attack bypasses the employees and the anti-phishing tools and goes right after the customer and their personal information directly, most often to commit account takeover fraud and steal their money. These attacks impersonate your brand, and while they target your customers, most of the damages are incurred by the brands being spoofed.

That’s because, even though the emails and the sales offers are fake, consumers don’t automatically realize that until after they’ve been defrauded. They have only one entity to blame – the brand that let this happen to them. The more often an online brand is spoofed in this way, the more customers will get frustrated and just take their business elsewhere. Or, if a customer spends $300, thinking they are buying a new TV, that money is gone. There’s no money left to buy the TV elsewhere. The company ends up taking two hits: the financial hit from the lost TV sale and the reputation damage that makes it unlikely the shopper will ever come back. 

Offering security to your customers

CISOs have to ask themselves what they can do to protect their company’s customers from these types of exploits. The challenge is figuring out what the fraudsters are planning and disrupting it before they victimize your valuable clientele.

There are different actions CISOs can take. First, you can alert your customers about the fraudulent emails and fake sites. The easiest thing is to write to the user base with a warning about the scams out there and offer tips on how to avoid becoming a victim. However, with more and more of these scam notices floating around, they start to feel like noise, and folks are beginning to ignore them.

Another option is for CISOs to order the takedown of the fake sites. If the attacks are hosted in the U.S. or by a credible domain host that will cooperate, this goes relatively quickly. However, if the sites are traced to countries that don’t enforce laws against fake domains or copyrights – or if the attacks are hosted by so-called bulletproof hosters who won’t take anything down – this isn’t a great option. In fact, while takedown is generally necessary, it’s more of a cleanup activity than a preventative one.

Hope is not lost. Even though your security team can’t reach out to each customer and treat them like an employee by providing them with a blanket of cybersecurity protections, CISOs can be proactive in protecting their customers from fraud. For some time there have been tools available to monitor domain registrations, looking for phony sites by detecting names that may be mistaken for a brand’s real URL. While these services do offer some value, the vast majority of attackers have gotten smarter and now build their attacks in a manner that avoids DNS-based detection. More recently, there have been advances in fraudulent website detection that go beyond simple domain monitoring, looking instead at a number of signals that can indicate fraud, including automated visual and code inspection of the page for the signs of impersonation that would be used to trick a human.
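To make the contrast in that paragraph concrete, here is an added example (not code from the article or from any vendor) that layers the two kinds of check: a lookalike-domain test on the host name, and a coarse inspection of the page itself for brand mentions and a credential form on a host the brand does not own. The brand name, its domains and the cloned page are constructed for the example.

```python
import re
import unicodedata

BRAND = "shopmart"                                    # constructed example brand
BRAND_DOMAINS = {"shopmart.com", "www.shopmart.com"}  # hosts the brand legitimately serves from
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit-for-letter swaps

def normalize(text: str) -> str:  # fold accents/homoglyphs to ASCII, undo digit swaps, drop punctuation
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    return re.sub(r"[^a-z0-9]", "", folded.translate(CONFUSABLES))

def edit_distance(a: str, b: str) -> int:  # Levenshtein distance; catches one- or two-letter typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(host: str) -> bool:
    """True when any non-TLD label contains or nearly spells the brand on a host the brand does not own."""
    labels = host.lower().rstrip(".").split(".")[:-1]
    return host.lower() not in BRAND_DOMAINS and any(
        BRAND in normalize(l) or edit_distance(normalize(l), BRAND) <= 2 for l in labels)

def page_signals(html: str) -> tuple[str, bool]:
    """Coarse code inspection: the page's visible text and whether it asks for a password."""
    asks_password = re.search(r"<input[^>]+type=[\"']?password", html, re.I) is not None
    return re.sub(r"<[^>]+>", " ", html), asks_password

def impersonation_signals(host: str, html: str) -> list[str]:
    """Combine the domain check with page-content checks; an empty list means nothing suspicious."""
    if host.lower() in BRAND_DOMAINS:
        return []  # the brand's own site may of course mention the brand and ask for a password
    text, asks_password = page_signals(html)
    signals = ["lookalike-domain"] if is_lookalike_domain(host) else []
    if BRAND in normalize(text):
        signals.append("brand-name-on-foreign-host")
    if asks_password:
        signals.append("credential-form-on-foreign-host")
    return signals

# Constructed sample of a cloned "holiday deals" page, embedded so the example runs offline.
SAMPLE_HOST = "sh0pmart-deals.com"
SAMPLE_HTML = """<html><head><title>Sh0pMart Black Friday Doorbusters</title></head>
<body><form action="/login"><input name="user"><input type="password" name="pw"></form></body></html>"""
if __name__ == "__main__":
    print(impersonation_signals(SAMPLE_HOST, SAMPLE_HTML))
```

The domain check alone flags the brand used as a subdomain or with a swapped TLD, which pure registration monitoring of the brand's own name misses; the page checks fire even when the host name shares nothing with the brand.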

With the upcoming holiday season, expect to see a lot more cloning of well-known retail brand websites, and a corresponding uptick in customer-targeted phishing emails with advertisements of money-saving special offers. Consumers want to take advantage of e-commerce offerings to avoid COVID-19. It is up to CISOs to make sure that hackers don’t use COVID-19 to take advantage of consumers.