Online shopping is never without its risks—identity theft, data breaches and phishing to name a few.
It’s always worth protecting yourself from threat actors looking to exploit your financial or personal details while you’re browsing the web or making a purchase, whatever the time of year. However, the threat of a cyber attack against a consumer is rarely more apparent than during the winter holiday period.
Data published by the National Fraud Intelligence Bureau reveals that British people lost £10.6 million to digital fraud between November 2022 and January 2023, encompassing the popular retail events Black Friday, Christmas, and post-Christmas sales.
As online spending spikes throughout the winter, going back to the cyber security basics while keeping abreast of emerging threats can go a long way towards mitigating the risk of cyber attacks and security breaches.
Here are seven tips to help you to stay safe online this festive period:
1. Don’t Rely on Unverified Links in Your Inbox
As annual promotional events roll around, consumers know to anticipate an uptick in their incoming marketing emails. When your inbox is flooded with the latest sales, it’s hard to separate those you’re interested in from unwanted spam. And when the messaging’s urgent—BUY NOW, DON’T MISS OUT, LIMITED TIME SALE—it’s even more difficult to avoid potentially malicious content.
Take the time to assess marketing communications before following links. If an email’s content is unfamiliar, or you’re making your first purchase somewhere new, don’t rely on an email’s links to securely take you where you want to go. Wherever possible, navigate to your chosen online retailer directly via a new web search or the URL to be sure you’re accessing the vendor’s legitimate website.
Occasionally, retailers will utilise specially created links to enable customers on their mailing lists to access products or offers not visible to all site visitors. If an email from a retailer you recognise promises a promotion that’s only accessible via a link (and all other signs seem authentic), copying the link address and pasting it into your navigation bar will offer you the chance to check the URL before proceeding. While not a sure-fire way of validating a link, if the retailer is one you’ve transacted with before, you’re more likely to know what to look for.
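One way to carry out the check described above on a pasted link before opening it, as an added example that is not part of the original article. The retailer domain `shop.example`, the sample links and the warning names are constructed for illustration, and the checks are a non-exhaustive assumption about what to look for.

```python
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return warnings for a link that claims to belong to expected_domain.

    An empty list means none of these checks fired, not that the link is safe.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    # Checkout and login pages should always be served over HTTPS.
    if parts.scheme != "https":
        warnings.append("not-https")
    # Text before an "@" is login data, not the site: the real host comes after it.
    if parts.username is not None or parts.password is not None:
        warnings.append("userinfo-before-host")
    # Internationalised names can render as near-copies of a familiar brand.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("idn-host")
    # The host must be the retailer's domain itself or a subdomain of it.
    # A brand name appearing elsewhere in the host does not count.
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
    return warnings


# Constructed sample links (reserved example domains only).
SAMPLES = [
    "https://www.shop.example/vip?code=ABC",
    "http://www.shop.example/sale",
    "https://shop.example@offers.example.net/sale",
    "https://shop.example.offers.example.net/login",
    "https://myshop.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = check_link(link, "shop.example")
        print(link, "->", result or "no warnings")
```
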
2. Watch Out for Courier Phishing Scams
When multiple parcels are on their way to your door, it’s likely you’ll be receiving several tracking updates via text message. Over recent years, we’ve become accustomed to receiving these texts, and pay little attention to their contents beyond the expected date and time of our parcel’s arrival.
Threat actors are aware of this and have begun to exploit courier messaging to commit cyber crime. Common tactics include infecting devices with malware and requesting fraudulent payments to gain access to financial information.
Courier text scams can be particularly hard to identify. Phone numbers appearing to be from a particular vendor or contact can be faked by threat actors, information within the message is sparse, making a sense-check difficult, and the money requested is often a nominal sum required to “complete the delivery”.
Best practice to remain armed against these scams is to:
- Avoid clicking links in text messages wherever possible.
- Navigate to the courier or retailer’s website independently to check your order’s progress.
- Provide no personal information via text.
- Limit the amount of data you provide with your order. Often, the less, the better.
3. Ensure Your Device Software is Up to Date
Endpoints (devices) are maintained and brought in line with the latest security developments via updates, or patches. If your endpoint is managed by your employer, it’s likely that updates will be largely taken care of for you, requiring you to simply click a button and restart your device for them to apply. However, on your personal devices, it’s all too easy to dismiss or put off an update to your mobile phone or laptop.
If the update in question provides protection against recent cyber attacks or plugs gaps in your existing defences, you’re leaving yourself vulnerable by not applying it. Before you do any online shopping this festive period, ensure that the device you’ll be using is up to date, with the latest available security settings applied.
4. Check Senders Offline to Avoid Socially Engineered Phishing
Where business email attacks might once have been considered easily identifiable (think flashing banners, urgent calls to action and unexpected content), contemporary cyber criminals are increasingly utilising much more subtle techniques.
Because attackers understand that obvious “spam” content will be flagged by corporate security solutions, malicious communications are now able to proxy legitimate sender credentials and often mimic the tone and style of internal or supplier emails. This, in turn, heightens the risk of human error, with even the most tech-savvy users falling foul of threat actors’ requests for fraudulent invoice payment or the download of harmful documents.
In the lead-up to the festive period, when more business payments are being made than usual (gifts, party expenses, last-minute invoices) and potential seasonal shutdowns emphasise time pressures, there’s increased opportunity for sophisticated threat actors to exploit the circumstances and launch an attack. During this time, take extra care to double check that requests for payment and interaction with documents or passwords are legitimate, confirming offline where possible.
5. Use Only Secure Wi-Fi Connections
A well-known, often-repeated tip worth remembering. If your internet connection is public (including coffee shops, shopping centres and hotels), and not private and secure, you’ve no way of verifying its security parameters, and should exercise caution.
Because public Wi-Fi can be unsecured (often without your knowing), threat actors can gain access to your online movements, including those behind passwords or on private accounts such as banking. And the risk is significant. According to Forbes, as of February 2023, 43 per cent of its respondents have had their security compromised while using public Wi-Fi.
Without a secure, ideally encrypted internet connection, it’s just not worth the risk. Leave banking, online shopping and any transfer of personal data until you’re connected to a private, secure Wi-Fi network.
6. Make the Most of MFA
Wherever possible, opt to enable multi-factor authentication (MFA) on your online shopping accounts. This is particularly important if you opt to save any of your personal or financial data within an account for a speedier checkout.
When applying MFA security to your online accounts, it’s crucial to understand what does, and does not, constitute true MFA. The “factors” referred to are separate levels of security that, when combined, provide more rigorous protection than defences within a single level. The factors are: Something You Know (a password or a memorable phrase), Something You Have (a code sent to your phone or email address), and Something You Are (a biometric characteristic such as your facial ID or your fingerprint).
In order for security authentication to be multi-factor it must comprise at least two separate factors. This is commonly a password and a code sent to your device, but is increasingly a password and a biometric characteristic via your smartphone.
Note, a memorable phrase, the answer to a secret question, or certain characters from within a secondary password, in combination with your standard password, does not constitute MFA, and should not be considered sufficient protection of your personal or financial data.
7. Be Careful Who You Trust with Your Data
M-commerce (commercial transactions made via a mobile device such as a smartphone or tablet) has boomed in recent years—in 2022, 41.5 per cent of all ecommerce sales in the US were made on a mobile device. Unsurprisingly, retailers have responded to this, whether by prioritising the user experience of their mobile site, developing mobile applications to work in tandem with their desktop site to facilitate shopping-on-the-go, or even offering the opportunity to make purchases through social media apps (Instagram and TikTok both have their own built-in retail capabilities).
While the retailer focus on m-commerce has produced a greater array of choices for those doing their festive shopping online, consumers must consider the level of personal and financial data stored within their mobile devices when they do their shopping in this way, particularly in the case of social media apps—over half (51 per cent) of those falling victim to online fraud between November 2022 and January 2023 cited at least one social media account in their report.
Be cautious of the level of access your device grants to any retail apps you utilise, minimise the data you provide to retail apps wherever possible, and consider whether your security protection is of the same calibre as that on a device with appropriate defence software.
While cyber risks are emphasised during the festive period, it’s still possible to do your Black Friday and Christmas shopping online safely. Keep security front of mind, follow best practice, and if in doubt, don’t take the risk.
Threatscape offers a wide variety of professional services purpose-built to address businesses’ evolving cyber security needs. Whether that’s upskilling your internal team, deploying a new solution, ongoing technical support, or an industry-specific security challenge, we have the capability to support your business.