Don’t help cybercriminals make a dash with your customers’ cash

November 25, 2021 10:25
Image: Reuters

The excitement of obtaining a bargain will soon be driving retail fever with Black Friday deals fueling online sales across the world. In Britain alone consumers plan to spend an estimated £4.8 billion on Black Friday and Cyber Monday purchases this year. In all of this excitement it is easy to forget the fundamentals of online security, making consumers and retailers easier and more profitable targets for cybercriminals.

Our Verizon Business 2021 Data Breach Investigations Report (2021 DBIR) recently highlighted that cybercriminals predominantly target the confidential data held by retail outlets, including consumer payment details (42 percent), personal details (41 percent) and credentials (33 percent).

If something looks too good to be true, it probably is!
The retail industry continues to be a target for financially motivated criminals looking to cash in on the combination of payment card and personal information which thrives in this sector. Social tactics include Pretexting and Phishing, with the former commonly resulting in fraudulent money transfers. These tactics were used in 77 percent of the breaches examined within the retail sector in the 2021 DBIR.

Phishing campaigns can be broken down into four distinct groups: a scam, such as an email from a relative who is trapped overseas and needs cash to get home; brand impersonation, where the email poses as a bank or a trusted brand name and asks the user to confirm a payment or take up a special retail bargain; extortion, designed to frighten the user into complying; and finally Business Email Compromise (BEC), a highly targeted attack on a business rather than an individual. All of these campaigns urge users to click on links that lead to fake pages, or to send confidential information directly.

The use of QR codes has also risen during the pandemic, especially amongst smaller retailers and hospitality venues, as an easy ordering and payment solution. However, consumers should beware: a malicious code can direct them to a suspicious URL to make a payment, send their location details or link to their social media profiles, all without their knowledge, in an attempt to steal personal credentials and payment information.

If a company is offering a retail bargain that is simply too good to be true – then it probably is! Don’t click on the link!

Obviously the main advice for avoiding phishing scams is not to open the emails; however, human nature and curiosity make this easier said than done.

Education is the best defense here. Regular employee training that highlights the tactics used by phishing campaigns and how to spot them is essential to protecting confidential data within a company, and it also helps employees in their personal ecommerce lives.

Maintaining the security balance – the retailer responsibility
In the cybersecurity world, retailers live in the unenviable position of having to consider their own data security as well as that of their many customers. In an increasingly digital age, it’s important to install as many security measures as a company can, but equally important is the general awareness of what cybercriminals are after and how they’re doing it. Having an open mind to the newest technologies is an invaluable way to always be one step ahead of would-be attackers.

Our data shows us that over the last five years 35 percent of the 1,354 breaches which stole payment card information resulted from compromised Point of Sale (PoS) systems, as used in brick-and-mortar retail stores, whilst 38 percent came from compromised web applications, such as online shopping sites.

These web attacks compromise a website’s payment application, and then install code into the application that will capture customers’ payment card information as they complete their purchases. These are the everyday attacks that don’t necessarily make headlines but have the same consequences. Today’s cybercriminals look for vulnerable e-commerce applications to provide an avenue for efficient and automated attacks.

Things companies can do to decrease this threat include:

● Keeping data safe: To keep data safe, retailers must take appropriate measures to help combat cyberattacks. While there is no end-all solution, here are a few steps companies can take to mitigate risk.

● Know the importance of integrity software: Cybercriminals who target web applications aren’t targeting data at rest. Rather, they inject code to capture customer data as it’s entered into web forms. To combat this method, consider adding file integrity software to your malware defenses on payments sites, in addition to patching OS, and payment application code.

● Embrace what’s new: Continue to embrace new technologies that make it harder for criminals to treat PoS terminals as low-hanging fruit. Some considerations are EMV and mobile wallets, or any other method that uses a one-time transaction code rather than the PAN (primary account number).
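As an added illustration of the file-integrity approach recommended in the "integrity software" bullet above (example code written for this page, not a Verizon tool or any product's code): it records a hash of every script and page that ships with a payment application at deployment time, then reports files that were later modified or added, which is how code injected into a checkout page to capture form data would surface. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".js", ".php", ".html")):
    """Map each deployed web file (relative path) to its hash; taken at deployment time."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def check_integrity(root, baseline):
    """Compare the live tree with the baseline and list modified, added and missing files."""
    current = build_baseline(root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(f for f in current if f not in baseline)
    missing = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: the checkout script changes after the baseline was taken."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("// constructed legitimate script\n")
        (root / "index.html").write_text("<html><!-- constructed page --></html>\n")
        baseline = build_baseline(root)  # what the deployment pipeline would store

        # Simulated post-deployment changes (constructed): the served script is
        # altered and a file that was never deployed appears in the tree.
        with open(root / "js" / "checkout.js", "a") as f:
            f.write("// unexpected change\n")
        (root / "js" / "extra.js").write_text("// file not in the baseline\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is stored outside the web server and the check runs on a schedule, so any hit on the payment pages can be alerted on before customers keep entering card details into a tampered form.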

While criminals are often after payment card information, it’s not the only data variety that they consider useful. Retailers should also remember that rewards programs that leverage ‘points’ are also potential targets, as these contain valuable customer personal information.

Security is everyone’s responsibility

One thing is certain: the security of data, no matter where it lies – in a retail organisation, on a mobile device, in a social media account or on a computer – is everyone’s responsibility. Consumers have a responsibility to themselves to ensure that they are diligent and aware of who they share their data with and how they interact online. Equally, retailers have the major responsibility of protecting not only their own proprietary data and brand, but also the data of the shoppers who rely on and trust these brands.

For many retail organizations, especially smaller ones, implementing widespread security measures is neither affordable nor feasible. But each security step, no matter how small, can have highly beneficial impacts when it comes to detecting and deterring cybercriminals.


Director of International Security Solutions, Verizon Business