As the end-of-year holiday season approaches with retailers offering major sales and digital events, we’ll start to see a higher frequency of security threats. It’s the time of year when the highest amount of money changes hands, whether in the digital or physical realm.
According to the “Entering through the Gift Shop: Attacks on Commerce” report, retail remains the most targeted subvertical within commerce globally, accounting for 62 percent of attacks on the sector. Web attacks in the retail, hotel and travel sectors in the Asia Pacific and Japan region are largely driven by Australia, China and India, and rank second highest globally.
Payment and financial information are heavily used across many different platforms and application programming interfaces (APIs) to facilitate transactions. This sudden spike in data that’s moving from place to place, across the internet and across the wire, makes it a very rich target for cybercriminals to profit from.
According to Monash Business School’s Australian Consumer and Retail Studies (ACRS), two-thirds (65 percent) of Australian shoppers this year are planning to make a purchase at an upcoming year-end sales event such as Black Friday, Cyber Monday or Boxing Day, up from 61 percent in 2022 and 49 percent in 2021.
With consumers looking to make more online purchases, tempted by special deals, here are some of the key threats that businesses and consumers need to be aware of:
- Web application and API attacks: e-commerce and payment platforms face a significant risk from hackers trying to exploit vulnerabilities in the software that powers these platforms, especially during major sales campaigns.
- DDoS attacks: as customers rush to make purchases, there’s a heightened risk of distributed denial-of-service (DDoS) attacks. If a DDoS attack makes your website inaccessible, there’s a direct revenue impact at the exact time when sales should be highest.
- Malicious bots: these bots are designed to carry out large-scale attacks, such as taking over consumer accounts during peak shopping times, leading to fraudulent activities.
- Web skimming attacks: attacks like Magecart have become more prevalent during holiday seasons. These are akin to ATM skimming but are executed digitally, stealing sensitive credit card and payment information. This captured data is then used to commit financial fraud.
It’s not just retailers who are at risk
Making a digital purchase is not just about logging in and paying. Behind e-commerce platforms are multiple processes involving many different parties. Cybercriminals don’t need to attack the end merchant but can go after other parts of the supply chain.
These include:
- Product suppliers: as orders increase, suppliers become part of a larger supply chain, making them vulnerable. Orders are sent and payments are processed, all of which are potential points for cyberattacks.
- Financial service providers: Fintechs, payment processors, e-wallet providers and banks are all involved in transaction processes. Whenever financial data is transferred from one point to another, it’s susceptible to data breaches and exposure.
- Logistics providers: they possess customer data essential for delivery, such as names, addresses and phone numbers, making them attractive targets for cybercriminals aiming to harvest data for further attacks like phishing.
Businesses must be prepared for a cybercrime spike
Businesses should anticipate a surge in attacks during the festive season. It’s vital to evaluate whether they have adequate protection against these threats. Do they have the right tools that can scale to defend against a large volume of attacks? The four risks outlined above are all specialised attacks, and general security tools such as antivirus and firewalls won’t offer adequate protection against them.
Retailers need to continuously assess and reassess their security posture, and which specialised tools they have to protect themselves and their customers from malicious bots, web skimming attacks or data scraping. It’s important to be aware of risk exposure and exactly what services are being provided. Is it just a website, or is there also an app or APIs?
With the increasing sophistication of phishing attempts, businesses and retailers also need to enhance consumer awareness campaigns and provide mechanisms for customers to verify the authenticity of communications and transactions.
Consumers need to understand that if they see a deal in an email or on social media that’s too good to be true, it very often is. The problem is that attackers capitalise on end-of-year sales, when many retailers are offering discounts and sending many more marketing emails and SMS messages as part of their sales promotions. Cybercriminals can easily impersonate these brands, with generative AI making phishing and social engineering attempts appear more authentic than ever before. How can consumers be certain which of these interactions are legitimate?
Although currently rare, it’s likely that deepfake videos will increasingly be used to influence consumers to download malware or make fraudulent transactions. These emergent threats are at a nascent stage, but we need to build defences and raise awareness now before they become pervasive.
The festive season should be a time of celebration and shopping. But the ever-increasing sophistication of cybercriminals means it’s also a time when we need to be extra vigilant and prioritise online safety. Both businesses and consumers need to be proactive in understanding the risks and implementing measures to safeguard their interests.
Reuben Koh is director of security technology & strategy Asia Pacific & Japan at Akamai.