While the holiday shopping season heralds many wonderful indulgences and rituals, it also coincides with a sharp uptick in cyberattacks. This year, as a historic number of shoppers prepare to purchase their holiday gifts online to minimize the risk of contracting COVID-19, cybercriminals have access to a larger base of potential victims than ever before. The National Retail Federation expects that online and other non-store sales will increase 20-30% this year compared to 2019, with each consumer expected to spend $988 on average on holiday-related purchases.
Retailers are enlisting cybersecurity professionals to shore up their defenses against credit card fraud, Distributed Denial-of-Service (DDoS) attacks, and other breaches involving point-of-sale systems. On the consumer side, prospective shoppers need to arm themselves with information on how to protect their own personal data and take necessary precautions against online scams.
Retailers must guard against point-of-sale breaches
Cyberattackers seek to exploit vulnerabilities in an online retailer’s website in order to gain access to shoppers’ personal information. One of the most common ploys is via DDoS attacks, where criminals flood a company’s website with an overwhelming volume of traffic, causing the site to crash. Once the site becomes unresponsive, the attackers demand a ransom to restore site functionality. Many site owners succumb to minimize the financial blow of lost revenue.
The main defense retailers are mounting in preparation for the holiday shopping season is shoring up website availability requirements to guard against a DDoS attack, said Dustin Loeffler, a cybersecurity professional and subject matter expert for Springboard’s soon-to-launch Cybersecurity Career Track.
Website availability refers to the percentage of time a website is accessible by users as expected, minus planned or unplanned downtime. IT professionals attempt to maximize this number by making tradeoffs between nonfunctional requirements such as site capacity, performance, and reliability.
“Just think of the dollar impact if Amazon’s website were to go down from a denial-of-service attack,” said Loeffler. “Within minutes, you’re already in millions of dollars of losses because there’s an opportunity cost to site availability.”
Businesses are also vulnerable to credit card fraud and gift card fraud, which account for 19% of all cyberattacks against online retailers. Hackers can steal credit card information from a retailer’s site using malicious bots that scan for vulnerabilities. When a weak point is found, the hacker breaches the site and seizes customers’ credit card details.
Another strategy involves using bots to enter different gift card number combinations into web applications until a valid one is found. The validated number is then used to purchase goods or sold for cash online. One way retailers can avoid this is by using an Address Verification Service (AVS) to confirm the cardholder’s billing address with the card issuer, and declining the card if the billing address does not match up with what the card issuer has on file.
In a bid to provide a pleasant online shopping experience, retailers often struggle to strike a balance between building a user-friendly website and properly authenticating each purchase.
Credit and debit cards have evolved in recent years to protect financial institutions and consumers from cyber theft. Compared to the magnetic stripe cards of old, EMV chip cards and chip-enabled smart cards are much less prone to criminal attempts to steal an account holder’s data from the card itself, since the chip generates a unique cryptographic code, called a token, for each transaction.
Loeffler advises that it’s generally safer for consumers to shop online using a credit card rather than a debit card in the event their financial details are seized. “The problem is that if a debit card is compromised, it allows the attacker to get your checking or savings account details, and you can be responsible for the full amount of your bank account,” he explained, “whereas credit cards have legal statutory caps on how much you’re responsible for.”
Finally, inventory hoarding can deal a devastating blow to small or mid-sized retailers with limited inventory. This occurs when hackers deploy bots to attack retail sites by adding products to shopping carts and never completing the purchase, making inventory unavailable to legitimate customers. While the attackers typically don’t see any financial gain from inventory hoarding, they may enjoy the satisfaction of compromising a retailer’s reputation and racking up huge revenue losses.
One way for businesses to guard against inventory hacking is by programming their site not to subtract inventory until a purchase is complete, or by instating expiration times for holding items in a shopping cart without buying anything. Etsy, a specialty marketplace for unique, custom-made novelty items, shows users how many other shoppers have a certain item in their cart instead of marking the inventory as unavailable once a user puts the item in their cart.
Despite these lurking dangers, large enterprises are far better poised to fend off cyberattacks than the average online shopper, says Loeffler, because they’re protected by proprietary cybersecurity infrastructure. Consumers, on the other hand, must educate themselves on what constitutes a cyberthreat, how to spot one, and what to do in the event of a cyberattack.
Consumers should prepare for more sophisticated cyberattacks this holiday season
Phishing attacks remain one of the most popular cyber threats because they enable hackers to scale a single attack on a multitude of victims. These scams consist of emails or text messages designed to trick the recipient into surrendering their personal information such as their password, bank account details, or social security number. The message usually urges the recipient to sign into their account because the company has noticed suspicious activity or log-in attempts or there’s a problem with their payment information. The email or text message contains a link or an attachment that redirects the user to a fake website or downloads malware onto their computer. Since the email is designed to look like it comes from a legitimate company, many recipients fall for it.
“What typically happens is people click on that link thinking it’s that site and they don’t inspect it to see if it’s from @amazon.com,” said Loeffler. He notes that users of Gmail and Outlook benefit from robust junk filters that keep most phishing scams out of user’s inboxes, but spam can still infiltrate. “I equate it to a game of whack-a-mole,” he continued. “Some [phishing scams] are going to get through, and you have to educate your users on how to spot them.”
Just as fake news finds fertile ground on social media networks, so do fake ads. These ads redirect users to fake websites designed as a copycat of a legitimate company’s site. The most sophisticated scammers build duplicate sites so believable that the only way users can tell they’re fake is by inspecting the web address. “Make sure that when you enter the web address into the search bar, it says ‘https’ instead of ‘http’,” Loeffler advises. “The ‘s’ stands for secure and it shows that encryption is at play.”
Be wary of QR codes—some redirect users to fake websites that steal personal data or install malware on the user’s device. While these “high-tech” scams tend to get the most press, phone, and voicemail-based scams continue to be pervasive, says Loeffler—and no, the elderly are not the only victims. “Recent data models I’ve seen show that a Millennial is just as likely to fall for a phishing scam as someone in their 50s or 60s.”
The most mainstream phone scam involves attackers using call spoofing to disguise their phone number as the number of someone you know, or a business in your local area. Criminals pretending to represent a company might inform you that you’ve won a cruise or prize money, and that to receive your reward you simply need to confirm your identity by verifying personal information such as your credit card number and date of birth.
These phone-based tactics are continually evolving. In China, authorities warned of a “fake refund” phone scam where a criminal masquerades as a customer service rep from an online retailer where you recently purchased an item. The scammer informs you that the item you bought is actually out of stock and offers to process a refund — if you could kindly confirm your credit card details.
“Phone-based scams are much harder to pull off because it’s a one-to-one relationship,” said Loeffler. “But they tend to be effective because there’s an opportunity for social engineering by building a rapport with that person.”
Social engineering is the art of manipulating people so they give up confidential information, which is easier to do in a high-touch situation like a phone call versus sending a mass email. However, scalability is an important consideration for cyberattacks, who rely on a strategy of spreading their attacks far and wide in the hopes that a small minority of people will fall victim.
The onset of the COVID-19 pandemic has accelerated online shopping, and with it, the threat of cyberattacks on businesses and consumers. “The cool thing about retail [cybersecurity] is it’s a growing area as more companies take their businesses online,” said Loeffler.
Cybersecurity job roles are expected to grow 31% between 2019-29, according to the U.S. Bureau of Labor Statistics. While certain roles require domain expertise, cybersecurity analysts have ample freedom to move between industries without requiring industry-specific credentials.
While cybersecurity infrastructure goes a long way toward preventing cyberattacks, your best tool is still common sense, says Loeffler. “Beware the sense of urgency and an insanely amazing deal. If something really seems too good to be true, it likely is.”
Is cybersecurity the right career for you?
According to Cybersecurity Ventures, the cybersecurity industry is expected to have 3.5 million high-paying, unfilled jobs this year. With Springboard’s comprehensive Cyber Security Career Track, you’ll work 1:1 with an industry-mentor to learn key aspects of information technology, security software, security auditing, and finding and fixing malicious code. Learning units include subject-expert approved resources, application-based mini-projects, hands-on labs, and career-search related coursework.
The course will culminate in a multi-part capstone project that you can highlight on your resume for prospective employers or use to demonstrate your technical knowledge in your job interview. The learning materials will also help prepare you to pass the globally recognized CompTIA Security+ certification so you stand out when applying for cybersecurity roles.
Learn more about Springboard’s Cyber Security Career Track here.