10 tips to avoid cyber-attacks on Black Friday
Cyber-attacks on Black Friday can damage a company’s sales, cause data loss and lead to scams and frauds against consumers and businesses
Consumers will spend hundreds of euros during Black Friday, an increasingly important event for thousands of companies and millions of consumers. To be able to sell and buy without incident, it is essential that businesses and citizens manage to avoid cyber-attacks on Black Friday that result in the theft of private data, economic losses or financial fraud.
Cyber-attacks against e-commerce during Black Friday, Cyber Monday and the Christmas campaign have become a priority for malicious actors. They know that consumers will carry out more online transactions than usual and will therefore receive more messages related to them, which makes it easier to deceive consumers by impersonating the companies involved. In addition, they know that this is a time when they can cause more damage to companies.
In this regard, it is important to note that many consumers are now aware of phishing campaigns at this time of year. However, given the large number of emails and SMSs received, they are likely to be misled, even if they are aware of these scams.
Phishing, malvertising, DDoS… Cyber attacks on Black Friday are very diverse
What can cyber-attacks on Black Friday consist of? Criminals use a wide range of techniques:
- Phishing or smishing campaigns that use Black Friday to impersonate legitimate companies, with messages regarding shipping or payment errors, or special discount offers to consumers. The aim is to steal credentials relating to the impersonated companies or to get them to provide data of a mainly financial or personal nature.
- Malvertising, SEO poisoning and other malicious techniques targeting consumers.
- Spear phishing to trick e-commerce professionals, infiltrate business systems and obtain valuable customer information.
- Ransomware attacks against businesses.
- Denial-of-service campaigns to undermine e-commerce operations and extort money from companies.
This list is evidence that the Black Friday and Christmas cyberattack landscape is very complex and that both businesses and consumers are in the crosshairs of malicious actors.
In this guide on Black Friday cyber-attacks, we will share some essential recommendations for companies running commercial campaigns on these dates. In addition, we will also list some tips that consumers may find useful for shopping safely during Black Friday and Christmas.
Recommendations to help companies avoid serious security incidents on Black Friday
The best advice for companies with an e-commerce or online booking system is that they should put cybersecurity at the center of their strategies and implement cybersecurity services throughout the year, not just during Black Friday.
1. Undergo ongoing security audits
First of all, it is essential that companies perform continuous security audits to analyze all their digital assets: web, e-commerce, APIs, mobile applications… Why?
This way, you can look for vulnerabilities in the technological infrastructure, prioritize their remediation and prevent them from being successfully exploited by malicious actors.
A vulnerability in a company’s e-commerce can lead to cyber-attacks on Black Friday that can have a major economic impact. This is especially true for businesses where a large part of their sales for the year take place between November and December.
2. Conduct continuous vulnerability management and respond effectively to emerging vulnerabilities
Along the same lines, it is critical for companies to conduct ongoing vulnerability management that takes into account all of the organization’s digital assets. Only in this way can attacks against the software supply chain be prevented. It also makes it possible to establish an effective strategy to mitigate the weaknesses found, considering their level of criticality and the possibility of their being exploited.
With regard to Black Friday, it is essential to solve the weaknesses that affect the purchasing processes and the management of customers and their information.
It is also vital for companies to have emerging vulnerability detection services in place to assess how new vulnerabilities affect their technology infrastructure and anticipate criminals.
Criminals use Black Friday to their advantage: some companies are focused on business and do not pay attention to discovering new vulnerabilities that could be present in their assets.
With zero-day vulnerability exploitation on the rise, it is even more important to be constantly vigilant in mitigating new weaknesses, especially if there are already public proofs of concept for successfully exploiting them.
3. Perform denial-of-service testing
Distributed denial of service (DDoS) attacks against e-commerce are a classic. Using this technique, malicious actors resort to a botnet to launch requests and saturate e-commerce resources. As a result, online stores cannot respond to requests from customers wishing to buy from them.
Given the characteristics of this technique, we should not be surprised that it has a special role in cyberattacks on Black Friday, Christmas and critical commercial moments, since these attacks directly affect the sales process.
What can be done against DDoS attacks? Carry out DoS tests to simulate denial-of-service attacks in environments controlled by cybersecurity professionals. These simulations serve to obtain valuable information on the capacity of e-commerce to respond successfully to this kind of attack.
DoS tests can be used to check the response time or to evaluate the behavior of backend systems and their ability to auto-scale if necessary.
It is advisable for all e-commerce companies to carry out DoS tests regularly, especially before launching large-scale commercial campaigns. The information obtained allows online stores to optimize and improve their resilience to cyber-attacks during Black Friday or Christmas.
4. Conduct social engineering tests and promote cybersecurity training and awareness among employees and customers
Social engineering tests are another very important security test that companies can carry out to prepare for Black Friday. Why?
As we pointed out at the beginning of this guide on cyber-attacks on Black Friday, phishing and other social engineering techniques are not only directed against consumers; business professionals are also a priority target. They have credentials to access corporate systems and have access to commercially relevant information such as a company’s customer list, as well as financial information on both customers and suppliers.
In addition, we must consider that a relevant part of the companies’ workforce is poorly aware of cybersecurity risks and does not carry out good practices in this area. As a result, they can become the weak link in an organization’s security and provide an entry vector for criminals.
Thanks to social engineering tests, companies can carry out realistic simulations of phishing campaigns, test how their staff react to them, train employees to avoid being deceived by malicious actors and raise their awareness of good cybersecurity practices in their daily work.
4.1. Continuous training programs for workers
In addition to the simulations mentioned above, it is essential to complement these with ongoing cybersecurity training programs, so that employees and users:
- Know good practices in cybersecurity, such as the use of secure passwords and verification of suspicious links.
- Identify fraudulent emails and messages.
- Are aware of the risks of sharing confidential or personal information.
A staff with knowledge and awareness of cybersecurity significantly reduces the risk of cyber-attacks based on social engineering.
4.2. Customer Awareness Campaigns
On the other hand, by being aware of the dates when the most frequent phishing incidents can occur, companies can help their customers to avoid becoming victims.
To this end, it is advisable to carry out a communication campaign reminding them of the means of communication used by the company and the type of messages that can be expected from the company, thus offering its customers additional weapons to protect themselves against cyber-attacks.
5. Use cyber intelligence services to investigate fraud proactively
Some Black Friday or Christmas cyberattacks do not directly target companies; they damage them indirectly. We are referring to all online frauds in which an organization’s identity is impersonated to deceive its customers or potential consumers.
Cybercriminals can even design fake online stores, set up fake login pages for customers to enter their credentials to access retail companies’ websites or hack into social network accounts to impersonate the corporate identity… What can companies do in the face of this fraudulent activity?
Cyber intelligence services protect brands and commercial products, combat online piracy, and investigate fraudulent campaigns.
Thanks to them, companies can protect their brand image and prevent their reputation from being damaged by a wave of frauds that impersonate their identity.
Tips for safe shopping on Black Friday
Beyond the recommendations that companies should take into account to avoid cyber-attacks on Black Friday, some tips can help citizens shop during these weeks without becoming victims of online fraud.
6. Review commercial offers to detect warning signs
In the coming weeks, many consumers will receive numerous commercial offers by email and find ads on search engines such as Google or social networks such as Instagram.
How should you act to avoid cyber-attacks on Black Friday? The most important thing is to use caution and common sense.
So, before clicking on a link or a button, you should:
- Check the email from which the message is sent or the social network account from which the ad was created.
- Analyze the ad’s content for inconsistencies or check whether it is written correctly or contains misspellings or strange language.
- Ensure that the message’s appearance is in line with the commercial communications of the company that is supposedly sending it.
- Be wary of offers that are so attractive that they are outside the logic of the market. Incredible bargains do not exist, not even during Black Friday.
If you choose to click on a commercial communication, it is important to:
- Read the link carefully to find details that do not match the company’s links.
- Check that the website has security certificates and uses the HTTPS protocol.
- Study the web page to which you have been redirected to be as sure as possible that it is real and not fake.
- Be wary of requests to perform actions such as downloading a file or providing personal or financial information.
7. Go to trusted websites and apps
One way to prevent fraud during Black Friday and Christmas is to go directly to trusted websites and use only reliable mobile apps. Why?
This avoids ending up on fake websites or downloading malicious applications to the cell phone.
Thus, if a consumer sees an ad on a social network that he does not trust 100%, the best thing to do is to go directly to the company’s e-commerce to enjoy the advertised offer.
Another basic recommendation against cyber-attacks on Black Friday is to go to the e-commerce login pages that are usually used and not to enter the access credentials on a page accessed through a commercial email or SMS. The same applies to the use of mobile applications. It is important to download them from the Play Store or Apple Store, not from commercial promotions or unreliable sites.
Along the same lines, if an e-commerce site offers a double authentication system, it is advisable to enable it, so that a stolen password alone does not give access to the account, which could lead to financial fraud or the theft of personal information.
8. Write e-commerce addresses correctly to avoid falling victim to typosquatting
Cybercriminals not only have extensive technical knowledge but also need to know the psyche of their victims. This allows them to tailor Black Friday cyberattacks to consumer behavior. For example, many citizens type into their web browser the address of an online store they wish to access. What may seem like a good practice at first glance can trigger fraud if a mistake is made when typing the address. Why?
Malicious actors can resort to typosquatting. This technique consists of creating fake websites that appear real and present addresses practically identical to legitimate websites but changing some characters. For example, instead of “elcorteingles.es” a consumer may end up at “elcortingles.es”.
So, if a citizen makes a small mistake, he will enter a fake website but not be suspicious.
Inside the fake e-commerce, the consumer will enter his login credentials or financial data to make a purchase. With this information, criminals can carry out all kinds of fraud.
9. Be wary of messages that warn about problems with payment or try to generate a sense of urgency
Social engineering techniques usually resort to manipulating the emotions of their victims. In the case of Black Friday cyber-attacks, it is very likely that malicious actors will send messages informing about problems when making a payment or will try to generate a sense of urgency in potential victims.
For this reason, it is important to act with caution in the event of any communication from an e-commerce company reporting a problem with a transaction, especially if bank details are requested, or the consumer is asked to make a new payment.
In the same vein, when faced with messages that emphasize the urgency for a consumer to carry out a certain action, it is essential to be suspicious and not to carry out the requested action without being 100% sure it is not a possible scam.
It is better to pass up an offer than to regret later being the victim of an online fraud.
10. Be careful with communications from banks, retail multinationals and parcel companies
Some of the cyberattacks on Black Friday are far from sophisticated. During November and December, some cybercriminals launch massive phishing or smishing campaigns that impersonate banks, large retail companies and parcel delivery companies.
What is the purpose? To inform a citizen about an incident with an order or a payment. A malicious link is included in the email or SMS that can cause the download of malware on the device or redirect the customer to a fake website to enter their credentials.
These massive campaigns benefit from the fact that these days, a large part of the population makes a purchase, so these kinds of communications are credible.
To avoid these cyber-attacks on Black Friday, it is essential to use common sense and go to trusted sources before clicking on a link or downloading a document.
What do we mean by trusted sources? You can call the customer service phone number of the banks or companies where you have made purchases to verify the information provided in the email or SMS you received. It is possible to access the customer area of e-commerce to check the status of the order or use the tracking number of a purchase to check its status on the website of the parcel delivery company that is to deliver the package.
Common advice for businesses and citizens: no one is safe from cyber-attacks on Black Friday
Even though there are daily security incidents affecting a wide range of companies, many companies believe that they are not a target for cybercriminals.
This mistaken belief is more widespread among companies whose business model is not directly linked to the digital realm, but it is also found among small companies that use e-commerce to market their products and services. Hence, some businesses do not have an adequate cybersecurity strategy, lack cybersecurity services tailored to their needs and do not take measures to deal with the most important time of the year.
Similarly, many consumers know that there is a wave of digital fraud on citizens but believe that they are immune to it and are not in danger of seeing thousands of euros disappear from their bank accounts.
Therefore, the best way to prevent cyber-attacks on Black Friday is to take their threat seriously and act cautiously when taking advantage of this sales season, either by increasing sales or benefiting from succulent discounts.
This article is part of a series of articles about Digital Fraud
- Counter-Phishing: Anticipating the criminals
- Stolen accounts, IPTV apps and pirate platforms: how audiovisual fraud work
- Hacking of social network accounts and creation of fake profiles: No one is safe
- SIM swapping, when your phone, and your money, are out in the open
- How do cybercriminals carry out fraud in the tourism sector?
- Black Friday alert! 10 keys to cyber-attacks against e-commerce and their customers
- Digital asset theft: Easy money for cybercriminals
- Cryptocurrency fraud, social media hacking, malware, and AI
- A wave of digital fraud to citizens
- 10 tips to avoid cyber-attacks on Black Friday