As Black Friday sales kick-start the run-up to Christmas-New Year business, retailers are wary of possible online scams and cyber-attacks. However, research reports say the security posture of the retailers -- from loyalty programmes to email security -- leaves a lot to be desired.
Deloitte’s retail and distribution practice has predicted that festive sales in the November-to-January period will exceed US$1.1 trillion (£860 billion). Black Friday is a week away, and over half of UK consumers are set to shop on the day, according to a PerformanceIN report. Predictably, a majority of the shopping will be done online.
As the online retail markets gear up for the holiday season sales, cyber-criminals are looking to capitalise on the customer loyalty retailers have built and maximise their potential returns. Failure of retailers to secure these loyalty programmes will have the opposite effect on their customers, who may lose trust in the brand if it becomes a focus for scams.
"Business leaders are well aware that customers no longer base their loyalty on just products or services, or even price. Customer experience is now the name of the game, and if you cannot meet customer demands and expectations, they will simply move on to your nearest competitor," said Roger Magoulas, vice president - Radar at O'Reilly Media.
"According to HubSpot, it costs a business about 5 to 25 times more to acquire a new customer than to sell to an existing one, and existing customers spend 67 percent more than new customers."
Retailers go all-out to retain this consumer loyalty by offering festival deals, consumer loyalty programmes and easy-to-use apps with further offers. While the offers become fodder for phishing campaigns, app security compromised for convenience is exploited by hackers.
The latest edition of the annual fraud attack index by Forter shows that after-sales deals such as loyalty programs and return policies are being exploited by criminals. Loyalty fraud increased by 89 percent year over year, while the total dollar amount in online fraud increased by 12 percent year over year, said the Fraud Attack Index report.
"A clear trend in online fraud is emerging," said Forter CEO Michael Reitblat. "The industry as a whole has done a tremendous job detecting and preventing payment fraud at the point of transaction. This eliminates the amateurs. We’re seeing fraudsters now shift their efforts earlier in the customer journey, gaining access to consumers’ accounts."
Only 15 percent of the top 20 European-wide online retailers are proactively blocking fraudulent emails from reaching customers, meaning 85 percent of Europe's top online retailers are leaving customers open to email fraud, said Proofpoint’s quarterly analysis of highly targeted cyber-attacks.
In the UK, only four of the top 10 online retailers have implemented the strictest level of protection offered by the email authentication protocol DMARC. The situation was even worse in countries such as Germany and Sweden, where 95 percent of top online retailers may be exposing themselves and their customers to cyber-criminals on the hunt for personal and financial data by not implementing email authentication best practices, said the Proofpoint report.
"Through malicious domains, counterfeit goods, coupon/gift card scams and impersonations on social media, bad actors engage directly with unwary consumers in a way that they previously could not," reads the retail industry threat report by ZeroFOX.
What lies ahead
The ZeroFOX report listed five categories of potential risks.
Domain-based attacks: Malicious, spoofed and impersonating domains represented the largest attack tactic targeting the retail industry.
Customer Scams: Scams offering "something for nothing" frequently target retail consumers, including gift card, coupon and giveaway scams.
Counterfeit Goods: Fake versions of legitimate products, posted to marketplaces and malicious domains, represent risks to brand reputation and customer trust.
Impersonations: Bad actors pretend to be retailers and their high-profile executives on social media to gain direct access to employees and consumers.
Information Exposure: Data breaches can be detrimental to a retailer’s brand, targeting executives and consumers.
"It is essential for retailers to start making crisis management more of a reflexive process. Imagine getting a hack-in-progress on Black Friday and prepare for that," commented Sam Curry, chief security officer at Cybereason.
"Increasing vigilance means monitor more in the IT freeze that comes between Halloween and New Year. This is when IT is frozen, and hackers know it. That means they also know patching will be slow, changes to infrastructure won't happen and responses will be conservative."