The excitement of landing a Black Friday bargain will soon fuel online sales across the world. In the US alone, consumers are expected to drop a total of $148.5 billion on Black Friday and Cyber Monday, according to the latest survey data from Finder. In the rush, it's easy to forget the fundamentals of online security, making consumers and retailers easier and more profitable targets for cybercriminals.
Our Verizon Business "2021 Data Breach Investigations Report" (2021 DBIR) recently pointed out that cybercriminals predominantly target confidential data, including consumer payment details (42%), personal details (41%), and credentials (33%), that retail outlets hold.
If Something Looks Too Good to Be True, It Probably Is
The retail industry continues to be a target for financially motivated criminals looking to cash in on the combination of payment card and personal information in this sector. Social tactics include pretexting — which commonly results in fraudulent money transfers — and phishing. These tactics were used in 77% of the breaches the 2021 DBIR examined within the retail sector.
Phishing campaigns can be broken down into four distinct groups:
- Scam, such as an email from a purported relative who is trapped overseas and needs cash to get home
- Brand impersonation, where the email poses as a bank or a trusted brand asking the user to confirm a payment or offering a special bargain
- Extortion, designed to frighten the user into complying
- Business email compromise (BEC), a highly targeted attack on a business rather than an individual
All such campaigns urge users to click on links that lead them to fraudulent pages or prompt them to hand over confidential information.
The use of QR codes has also risen during the pandemic, especially among smaller retailers and hospitality venues, as an easy way to place orders and make payments. However, consumers should beware, as QR codes can also direct them to malicious URLs that withdraw funds, capture location details, or link to their social media profiles — all without their knowledge — to steal personal credentials and payment information.
Education is the best defense for companies and individuals. Regular employee training that highlights the tactics used in phishing campaigns and how to spot them is essential to protecting confidential data within a company, and it also helps people in their personal e-commerce lives.
Maintaining the Security Balance — the Retailer Responsibility
In the cybersecurity world, retailers have to consider their own data security as well as that of their customers. It's important to install as many security measures as you can, but equally important is for a company to remain aware of what cybercriminals are trying to do and how they're doing it. Staying abreast of the newest technologies is an invaluable way to keep one step ahead of would-be attackers.
Our data shows us that over the last five years, 35% of the 1,354 breaches in which payment card information was stolen could be traced to point-of-sale (PoS) systems, as used in brick-and-mortar retail stores; 38% came through Web applications, such as online shopping sites.
These attacks compromise a website's payment application, installing code that will capture customers' payment card information as they complete their purchases. Such attacks don't make headlines, but they have real consequences for customers and retailers alike.
Things companies can do to decrease this threat include:
- Keep data safe: Retailers must take appropriate measures to help combat cyberattacks. While there is no guaranteed solution, companies can mitigate risk.
- Know the importance of integrity software: Cybercriminals who target Web applications aren't targeting data at rest. Rather, they inject code to capture customer data as it's entered into Web forms. To combat this method, add file integrity software to your malware defenses on payment sites, in addition to patching OS and payment application code.
- Embrace what's new: Continue to embrace new technologies that make it harder for criminals to use PoS terminals as low-hanging fruit. Solutions include EMV smart cards and mobile wallets — or any method that utilizes a one-time transaction code instead of primary account numbers.
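The Web application attacks described above (code injected into a checkout page to capture card data as it is typed) and the file-integrity control recommended against them can be illustrated with a small baseline-and-compare check. The following is an added example, not code from this article, from Verizon, or from any retailer's tooling; it assumes the payment site's static assets live under one directory tree and that a trusted baseline is captured immediately after a clean deployment. The function names (`build_baseline`, `compare`, `demo`) and the sample files are this example's own constructions.

```python
"""Minimal file-integrity baseline for a web payment directory.

Hypothetical example code (not the article's or Verizon's). Assumes the
checkout site's assets live under one directory and that a clean baseline
can be captured right after deployment.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots into added/modified/removed.

    'modified' is the case a skimmer most often produces: an existing
    checkout script whose hash no longer matches the deployed baseline.
    'added' catches a dropped-in script that was never part of the deploy.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: clean deploy, then one script is altered and one is added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "js").mkdir(parents=True)
        (root / "js" / "checkout.js").write_text("// constructed sample: card form handler\n")
        (root / "index.html").write_text("<html><body>constructed sample</body></html>\n")

        # Baseline taken after a clean deploy and persisted as JSON. In practice
        # store it off the web host (or sign it): anyone who can write the web
        # root could otherwise rewrite the baseline along with the files.
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated tampering (constructed): an existing script is changed and a
        # new one appears. No real skimmer code is used here.
        with (root / "js" / "checkout.js").open("a") as fh:
            fh.write("// constructed: unexpected appended content\n")
        (root / "js" / "vendor.js").write_text("// constructed: file not in baseline\n")

        # Scheduled integrity check: rehash and diff against the stored baseline.
        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, any non-empty `added` or `modified` list for the checkout directory should raise an alert and block the deploy from being considered healthy until someone confirms the change came from a release. The check complements, rather than replaces, patching: it only tells you that a file changed, not why.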
While criminals are often after payment card information, it's not the only data they consider useful. Retailers should also remember that rewards programs that leverage "points" are also potential targets, since these contain valuable customer personal information.
Security Is Everyone's Responsibility
The security of data no matter where it lies — in a retail organization, on a mobile device, in a social media account, or on a computer — is everyone's responsibility. Consumers have a responsibility to themselves to stay cautious about who they share their data with and how they conduct themselves online. Equally, retailers have a major responsibility to not only protect their own data and brand, but also the data of the shoppers who rely on and trust these brands.
For many retail organizations, especially smaller ones, implementing widespread security measures is neither affordable nor feasible. But each security step, no matter how small, can have highly beneficial impacts when it comes to detecting and deterring cybercriminals.