With Black Friday and Cyber Monday coming up fast, here are security and privacy tips for online shopping from experts with KnowBe4 and Cequence Security.
With Black Friday and Cyber Monday coming up fast, here are security and privacy tips for online shopping from experts with KnowBe4 and Cequence Security.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Despite limited understanding on what makes a website secure and a lack of trust in the retail industry when it comes to protecting personal data, UK customers will be blinded by deals today and will flock to websites and physical stores to complete several purchases.
According to a UK consumer survey by nCipher Security, in which 1,008 UK residents aged 18+ were polled, 23% of people in the UK don’t know how to tell if a website is secure and 53% will only feel “somewhat safe” if they see a formal seal of encryption appear on the screen – for instance a green check used on retail sites to indicate secure e-payments. The retail industry has also been revealed as one of the least trusted in the UK when it comes to encryption, with only 15% feeling confident that companies will protect their personal information.
However, none of the above will stop 75% of the UK customers who will be flocking to retail websites from sharing their credit and debit card details today to secure a bargain.
Here are some top tips on how UK consumers can stay safe and make the best purchase decisions today.
● Make sure you’re using trusted websites when it comes to your online shopping: web URLs that start with HTTPS denote a secure protocol. The “S” stands for secure and is the guarantee that all communications between the browser and the website are encrypted. In the UK, only 43% of respondents considered HTTPS to indicate a secure website to make a purchase.
● Use payment gateways for purchases – many sites use payment gateways which are designed to protect your credit card, debit or PayPal payment methods – they never reveal your credit card information to the merchant. PayPal is regarded as one of the most secure payment methods, but it is recommended that for online payments you connect your PayPal account to your credit card, rather than your debit card, for added fraud protection. Similar services like Amazon Pay connect your identity with your credit card information, again ensuring a safe payment environment. Credit card companies are also providing new methods for adding an additional layer of security, such as Visa Secure, that confirms your identity when you make an online purchase.
● Ensure all connected devices are running up-to-date software: whether apps you may use for payments, or in-app purchasing, or the operating systems, making sure that your desktop, laptop or mobile devices are fully updated is a simple but critical step. In the UK, when it comes to keeping connected devices secure, only 29% said they did this by checking for software updates.
● Enable multi-factor authentication: more and more online services and apps require multi-factor authentication. Typically, something you know (such as a password) and something you have (such as code that’s been texted to you). It’s important to opt in whenever a service offers you the added security of multi-factor authentication.
● Make sure you’re not using unsecure public Wi-Fi: public Wi-Fi is often not secure so any data being transmitted is under threat of being intercepted. In the UK, 37% already avoid connecting to public Wi-Fi networks in an effort to keep their devices safe. Be very careful when using shared computers, as they may have malware, skimming devices or vulnerabilities, and, in many cases, they are not updated with the latest security patches.
● Be wary of malware on retailers\\\’ sites. If you see a deal from a company you have never heard of, or worse, make the mistake of going to a site that looks like your favourite ecommerce site (but is not) – check the URL to ensure you are on the right site. Always prioritise using well-known ecommerce companies that have a reputation for strong security. Most established sites have a number of tools to quickly identify or prevent malware.
● Don’t “stand in the checkout line” and simultaneously look at other products. Just like you wouldn’t leave your credit card with the cashier in a shop and then go shopping for other goods, you shouldn’t leave your payment details open online and then surf for other products. Websites have a number of links for advertising or information links which, in rare cases, can be used for malicious purposes.
● Always be careful of emails or sites that ask you for your personal information. When receiving emails that ask you to click on a link or input information, check the URL to ensure it is HTTPS and rollover the link with your mouse to ensure the site you are clicking on matches where you think you are supposed to go. Fraudulent links only have to be one letter or number different to take you to the wrong site that can then steal your information. If in doubt, type in the URL for the main site like Amazon and then go to the relevant section to, for example, track your packages or change your password.
The upcoming period, starting with Black Friday on 29th November and running through to the January sales, presents a window of opportunity for cyber criminals. During this time, there are increased opportunities for threat actors to conduct operations that impact both individuals and corporations. A primary factor contributing to this escalation is the hugely increased volume of payment transactions seen across this period – both online and at physical retailers. This increase in transaction volume presents an opportunity for threat actors because the compromise of associated systems can be more profitable than at other times of year.
During the holiday season threat actors may perceive that some organisations are more likely to give into extortion or ransom demands in order to minimise the impact of disruptive attacks. This perception is likely borne from the fact that the cost of business disruption during the holiday season is higher to many organisations, primarily retailers and those in the hospitality industry.
Additionally, more employees take time off during the holiday season than at other times of year. This means that there is a greater opportunity for threat actors to impersonate people out of the office, and in the event of a successful compromise, a limited number of security personnel could hinder the capability of entities to quickly respond to and mitigate threats.
Over the 2019 holiday season, consumers can expect email-based attacks using seasonally themed lures such as holiday greetings and promotions for major shopping events such as Black Friday. Emotet, which was arguably the most prolific botnet of 2019, highlights this trend – over the previous holiday season the botnet distributed malicious emails using themes including Thanksgiving, Black Friday, Cyber Monday, and Christmas lures, a trend we expect to continue throughout the 2019 holiday season. The use of holiday themed email lures is a common and highly effective social engineering strategy used by many threat actors to improve the effectiveness of their campaigns.
In addition to holiday-themed lures, cyber criminals will likely attempt to exploit individuals\’ desire to seek out sales over the holiday shopping season by crafting email lures advertising sales or pretending to have been sent by popular brands. More other common lures used by malicious email campaigns throughout the year, such as delivery notifications, are also more likely to be successful due to the increased volume of online shopping.
The thing to remember is: if the deal looks too good to be true, then it probably is. There will be some amazing deals around, but there will also be some amazing scams. There will be ghost websites which look exactly like ‘the real thing’, but which have been set up and run by cybercriminals. Be vigilant, is it Amazon.co.uk, or Amozon.co.uk? Look out for web addresses which are nearly the same as the one that you know to be right – cybersquatting is always a challenge.
So, when buying something from the internet, look closely at the address of the website. Look for the padlock to see that it is secure. Have you bought from that website before? How do you know they are reputable?
When looking at an email (or a social media post), even if it comes from a supposed friend, double check that what they are asking for you to click on is real: does the address you see on the screen match with what is ‘underneath’ and where you end up. Is it asking you to download something in order to see the ‘great deal’? If so, then it may well be a scam.
Users need to be vigilant. Okay, so there is a rush to get some of the deals, but think of the consequences of getting it wrong. Double check, it will keep you safe.
\”Any time there is a reference for an event, we see an increase in fraudulent activity. With the holidays just around the corner we can expect a step up in the pace of financially motivated attackers. Is that email real? Black Friday Sales, Cyber-Monday Deals, Huge Holiday Savings, etc…. These are all great phishing campaigns. If you see an advertisement for a sale, make sure that you can find that same deal going directly to that site, rather than clicking a link in an email. Make sure when you check-out that you are being charged the correct amount and that you are still dealing with the company you intend to purchase from.
Speaking of email, links in emails are easy to fake. It is simple to create a website and email a huge number of people. Banking Trojans/Malware are spread this way and since you are going to have a higher than normal amount of transactions, they are counting on you not noticing the bot army that is slowly draining your bank account.
All this banking activity is going to mean that it will be hard to keep up with purchases but it is a good idea to set thresholds, if your bank allows you to, for spending activity. If you can turn purchasing on and off with an app, you can deter offline purchases should your card number get compromised. Make sure you are looking at your banking app every day, keeping tabs on what is purchased usually helps as an indicator of purchases that aren’t authorized. Watch out for the bank calling you to tell you about fraudulent activity, or an email with similar messaging. If you think there is fraud on your account, hang up and call the number on the card. Your bank will never call you and ask you for account information, typically they notify you to call them and legitimate notifications only tell you to call and rarely give you a number to call back. The idea is that if it is legitimate, you need to correct it through your action rather than through a directed action.\”
\”Bad actors celebrate the holidays too – they go into scam-overdrive mode. Black Friday and Cyber Monday are the busiest on-line shopping days for you and them. With that in mind, ten Fraud Alert Tips: and the bad guys are planning to get rich with your money. So, here are the Top 10 Fraud Alert Tips:
1. Never click on links in emails. If you want to shop at a site, enter that site address in your browser. There are thousands of fake sites that look almost identical to the real thing. Don\’t fall for evil-twin shopping sites.
2. Don\’t open attachments with special offers. It\’s a classic scam. The offer should be in the email and you should be able to see it right away.
3. Watch for malicious ads and popups. Do not click on ads that sound too good to be true, and ignore popups that might propose the \”best deal ever\”.
4. Beware of e-skimmers. This is a new one. Do you know that bad guys sometimes skim your credit card at gas stations or ATMs? Well, there is a new flavor of that, the shopping website you order from might be infected with a \”e-skimmer\” and they steal your card data when you check out. You can prevent that by using PayPal or Amazon.
5. Use a credit card to buy stuff online if possible. NEVER use a debit card to make online purchases but use that debit card to take out cash only.
6. Do not shop over a public Wi-Fi. You simply do not know if it\’s secure and who is listening. Only shop using a secure, trusted network. If you have no other way to shop, use a VPN which encrypts your traffic.
7. Be very careful when you see a free offer during the holidays. There is an explosion of all kinds of survey fraud and gift card scams.
8. Do not re-use any of your passwords. Instead, use a password manager to create hard-to-break passwords. 9. Re-using any password is literally an invitation to get hacked.
9. Keep a close eye on your credit card and bank accounts. During this season, unexpected and strange charges might appear which could very well be the first sign your card or even your whole identity has been stolen. If you think you might have been scammed, stay calm and call your credit card company, nix that card and get a new one.
10. Be especially suspicious of gift card scams. They can be a perfect holiday gift, but gift card scams are skyrocketing. Only buy gift cards from trusted sources.\”