Cyber attacks on Black Friday and Cyber Monday are becoming increasingly common; it’s the one time of the year when cyber criminals really do follow the money. With the increased focus on grabbing an amazing deal, it’s easy to get caught up in the bargain hunting without realising the risks.
Shoppers in the UK spent £1.4 billion on Black Friday last year, and this is only expected to increase in 2019. With such a large influx of online transactions comes an increased attack surface, and cyber criminals will be banking on weaknesses in our online security. This article discusses the top 3 things you can do to protect yourself and shop safely online.
1) Gone Phishing
Phishing remains a highly effective way for a cyber criminal
to target both companies and consumers, with credential stealing and malware
delivery being the most common objectives.
During Black Friday, however, what might look suspicious on any other day may get lost amongst the legitimate deals. In the spirit of bargain hunting it is always tempting to go for that one offer that seems too good to be true, and it’s that split-second decision that could lead to a compromise of your machine, or to an attacker gaining access to your credentials and other sensitive information.
Phishing In Practice: A Real Life Example
Cyber criminals will use social engineering techniques which
rely on distraction, fear, and urgency, and during this time it is vital that
we all be mindful of failed package delivery emails, offers too good to be
true, fake shipping invoices, and the like. Avoid clicking links and opening
attachments unless you are explicitly expecting them. The reality is that
phishing increases dramatically before and during Black Friday and Cyber Monday,
so be extra vigilant.
Top tip: create bookmarks for the login pages of all the shopping sites you may use over Black Friday and Cyber Monday, and use these instead of gambling on links in emails. Alternatively, use a password manager such as 1Password or Keeper, which will only offer to fill your credentials on the site they were saved for, so a look-alike phishing page gets nothing.
2) Reusing Passwords Online
Cyber criminals are constantly exploiting weaknesses in passwords for online accounts; in a lot of cases, passwords which we think are secret are not. There are over 11 billion leaked or stolen credentials available to attackers for a small fee or, in most cases, for free.
These come from breaches and leaks of third-party social media, e-commerce, dating and business applications, among others. The usernames and passwords are collected and usually dumped online at some point after a breach. Given that the average person has over 24 online accounts, it’s very taxing to create a unique password for each one, so most people reuse a variant of a password they like. You can check whether your own accounts and passwords appear in known breaches at https://haveibeenpwned.com.
Combined with the number of passwords harvested directly by attackers, it’s highly likely that the password you are currently using for your email, Amazon or social media is in one of these dumps.
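The haveibeenpwned.com check mentioned above can also be run against its Pwned Passwords range API without ever sending the password itself: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the remaining 35 characters locally against the list the service returns (its k-anonymity model). The example below is added here and is not the article’s or the service’s own code; the endpoint `https://api.pwnedpasswords.com/range/<prefix>` is real, but the sample response text and the counts in it are constructed so the example runs offline, and the `fetch` parameter is a hypothetical hook for injecting that sample.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Only the first 5 hex characters of SHA-1(password) leave the machine; the
service answers with every suffix it knows for that prefix, and the match is
made locally. Added example, not the article's own code.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for the prefix "5BAA6" (the SHA-1
# prefix of the word "password"). Lines are "<35-hex-suffix>:<count>"; the
# counts and the two filler suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
00A1B2C3D4E5F60718293A4B5C6D7E8F901:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFEEDDCCBBAA99887766554433221100ABC:7
"""


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a suffix -> breach-count mapping,
    tolerating blank lines and CRLF line endings."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the live range list for a hash prefix (network access required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 = not
    found in the returned range). The full hash is never transmitted."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_range for a live check.
    print("prefix/suffix for 'password':", hash_parts("password"))
    print("breach count (sample data):", check_password("password", fetch=lambda p: SAMPLE_RANGE_RESPONSE))
```

A count above zero means the password is in public dumps and should be replaced everywhere it was reused; a zero only means it is not in this data set, not that it is strong.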
The best way to combat this is to use a password manager, which will generate a strong, random and unique password for each of your online accounts and only requires you to remember one password: the master password for the password manager. There are plenty of good password managers. An offline manager is the most secure but also the least user friendly; an online manager is the least secure option, but still far more secure than reusing the same password across sites.
It is also vital that you protect online accounts further by using multi-factor authentication (MFA). This is usually a one-time code that is either generated by a mobile app (Google Authenticator or Microsoft Authenticator) or sent to your mobile by text message, and which is required on top of the username and password combination.
This will prevent attackers from logging into your accounts even if they know your password, as they also need the code generated by MFA. It is another layer of security and will make it harder, though not impossible, for a determined attacker. Attackers are increasingly phishing for MFA codes as well, especially for email accounts, so be mindful and refer to point one about clicking links.
3) Safe Browsing Habits
There will be plenty of adverts and offers on the sites you visit over the next few days. Most of these will be legitimate; however, the risk of visiting a bogus site is heightened, so being mindful of this is key. Attackers will push malicious adverts out over legitimate channels in the hope of landing unsuspecting bargain hunters, either to steal credentials or to deliver malware that steals sensitive information or credit card details.
The safest way to prevent this is to use the retailers’ legitimate mobile apps rather than running the risk of landing on a phishing site. If this is not an option, then avoid the temptation of clicking on adverts over this period or, better yet, block them altogether. For Black Friday and Cyber Monday, use the Brave browser for your online shopping; it focuses on protecting your privacy by blocking cookie trackers, adverts and other potentially unwanted content.
Finally, check the site you are on: a website can still be fake even if it shows a padlock and/or ‘https’ in the address bar. These simply mean that data is encrypted while it is transferred over the internet, not that the website itself is trustworthy. Check the address, keep an eye out for anything unusual and, if in doubt, don’t enter any information and leave the site.
Summary
In summary, if you rely on the principle of Verify First, then Trust, many social engineering attacks can be prevented. As the old saying goes: if it’s too good to be true then it probably is, but with a sting in the tail.