The excitement of obtaining a bargain will soon be driving retail fever with holiday deals fueling online sales across the world. India’s e-commerce festive sale season 2020 recorded INR 58,000 crore ($8.3 billion) worth of gross sales for brands and sellers, up 65% from INR 35,000 crore ($5 billion) last year. In all this excitement it is easy to forget the fundamentals of online security, making consumers and retailers easier and more profitable targets for cybercriminals.
By Ali Neil, Director of International Security Solutions, Verizon Business
Verizon’s Data Breach Investigations Report (2021 DBIR) recently highlighted that cybercriminals predominantly target confidential data held within retail outlets, including consumer payment details (42%), personal details (41%), and credentials (33%).
If Something Looks Too Good to be True, It Probably is!
The retail industry continues to be a target for financially motivated criminals looking to cash in on the combination of payment cards and personal information which thrives in this sector. Social tactics include Pretexting and Phishing, with the former commonly resulting in fraudulent money transfers. These tactics were used in 77% of the breaches examined within the retail sector in the 2021 DBIR.
Phishing campaigns can be broken down into four distinct groups: a scam, such as an email from a relative who is trapped overseas and needs cash to get home; brand impersonation, where the email poses as a bank or a trusted brand name requiring the user to confirm a payment or offering a special retail bargain; extortion, designed to frighten the user into complying; and finally Business Email Compromise (BEC), a highly targeted attack on a business rather than an individual. All campaigns urge users to click on links, which lead them to fake pages or ask them to send confidential information.
The use of QR codes has also risen during the pandemic, especially amongst smaller retailers and hospitality venues, as an easy ordering and payment solution. However, consumers should be aware that these can also direct them to suspicious URLs to make payments, send location details, and link to their social media profiles, all without their knowledge, in an attempt to steal personal credentials and payment information.
If a company is offering a retail bargain that is simply too good to be true – then it probably is! Don’t click on the link!
Obviously, the main advice to avoid Phishing scams is not to open the emails, however, our human nature and curiosity make this easier said than done.
Education is the best defense here. Regular employee training which highlights the tactics used by phishing campaigns and how to spot them is essential in protecting confidential data within a company as well as helping an employee in their personal e-commerce world.
Maintaining the Security Balance – The Retailer Responsibility
In the cybersecurity world, retailers live in the unenviable position of having to consider their own data security as well as that of their many customers. In an increasingly digital age, it’s important to install as many security measures as a company can, but equally important is the general awareness of what cybercriminals are after and how they’re doing it. Having an open mind to the newest technologies is an invaluable way to always be one step ahead of would-be attackers.
Our data shows us that over the last five years 35% of the 1,354 breaches which stole payment card information resulted from compromised Point of Sale (PoS) systems, as used in brick-and-mortar retail stores, whilst 38% came from compromised web applications, such as online shopping sites.
These web attacks compromise a website’s payment application and then install code into the application that will capture customers’ payment card information as they complete their purchases. These are the everyday attacks that don’t necessarily make headlines but have the same consequences. Today’s cybercriminals look for vulnerable e-commerce applications to provide an avenue for efficient and automated attacks.
Things companies can do to decrease this threat include:
- Keeping data safe: To keep data safe, retailers must take appropriate measures to help combat cyberattacks. While there is no end-all solution, here are a few steps companies can take to mitigate risk.
- Know the importance of integrity software: Cybercriminals who target web applications aren’t targeting data at rest. Rather, they inject code to capture customer data as it’s entered into web forms. To combat this method, consider adding file integrity software to your malware defenses on payment sites, in addition to patching the OS and payment application code.
- Embrace what’s new: Continue to embrace new technologies that make it harder for criminals to use POS terminals as low-hanging fruit. Some considerations are EMV and mobile wallets, or any other method that utilizes a one-time transaction code, as opposed to PAN.
While criminals are often after payment card information, it’s not the only data variety that they consider useful. Retailers should also remember that rewards programs that leverage ‘points’ are also potential targets, as these contain valuable customer personal information.
Security is Everyone’s Responsibility
One thing is certain: the security of data, no matter where it lies – in a retail organization, on a mobile device, in a social media account, or on a computer – is everyone’s responsibility. Consumers have a responsibility to ensure that they are diligent and aware of who they share their data with and how they interact online. Equally, retailers have the major responsibility of not only protecting their own proprietary data and brand but also the data of their shoppers who rely on and trust these brands.
For many retail organizations, especially smaller ones, implementing widespread security measures is neither affordable nor feasible. But each security step, no matter how small, can have highly beneficial impacts when it comes to detecting and deterring cybercriminals.
About the Author
Alistair Neil is the Director of International Security Solutions at Verizon Enterprise Solutions. He has been associated with Verizon for over 18 years. In his role, Alistair works for the benefit of his clients to provide them with the confidence they need to grow and transform their businesses. He helps them understand their risk, protect their critical digital assets and intelligence, monitor their environments for threats, and be prepared to respond to incidents or breaches.
Alistair’s responsibility is the leadership of Verizon’s Security Sales organization across Europe, the Middle East, Africa, Asia, and Australia. Alistair is also the leader of the Security Solutions business in Europe, Asia, and Australia.
Alistair holds a bachelor’s degree from the University of Southampton.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.