The holiday season is, unfortunately, a favourite season for cyber attackers too.
“It is no surprise that attackers are looking to take advantage of the flurry of peak retail activity online during the extended shopping festival season since there’s much to gain financially, especially in Asia that accounts for approximately 60% of global ecommerce sales. It’s essential that shoppers and retailers work together to learn how to watch out for scams and protect themselves,” says Dean Houari, director of Security Technology and Strategy for APJ at Akamai.
Here are five common shopper profiles observed during the year-end shopping period and the cyber scams they should watch out for, according to Akamai.
1. The planner, who makes and plans purchases ahead of time. They often save their credit card information, logins and other personal information on shopping sites.
Most likely to fall for: Credential stuffing
During such attacks, attackers use lists of compromised user credentials to breach a system via malicious bots, based on the assumption that many users reuse usernames and passwords across multiple services.
See also: Majority of companies in Singapore are not cyber resilient
Planners can protect themselves against credential stuffing by being wary of saving payment details on merchant websites. While this may be convenient, it can leave data vulnerable if the merchant is breached.
They should also practise good password hygiene by setting up different passwords for different sites. Alternatively, they can use a password manager to set up unique, difficult-to-guess passwords.
2. The last-minute scrambler, who snags deals at the very last moment
See also: Employees in Singapore prioritise digital skills over green skills
Most likely to fall for: Phishing
In their rush, the last-minute shopper is likely to accidentally click on untrustworthy links and fall prey to phishing scams. What appears to be an email from a reputable retailer with a coveted discount may be fraudulent, but the last-minute shopper does not have time to check.
Earlier this year, Singapore's most popular peer-to-peer sales platform was affected when attackers posing as legitimate buyers directed victims to a fake bank website where they would be asked to give their banking details to receive payment. This resulted in at least 72 people losing over $109,000
Last-minute shoppers should always verify the validity of sites before clicking on them or providing any personal information. They should also be alert to any potential errors in unsolicited emails. They must not proceed if it includes wrong information, or requests to enable macros, adjust security settings or install applications.
3. The bargain hunter, who would sift through various sites to get a substantial deal.
Most likely to fall for: Social engineering attacks
Attackers prey on buyers’ eagerness for a good deal by sending them fake offers that request for their personal data on a page, even impersonating legitimate tools like Google Analytics or Google Tag Manager to compromise code and steal valuable information, impacting shopping sites.
To stay ahead of the latest tech trends, click here for DigitalEdge Section
To protect themselves against social engineering attacks, bargain hunters should always verify the offer's validity and the sender's legitimacy. Using a good spam filter for emails, as the first barrier of defence against suspicious files and links, is also good practice.
4. The impulse Buyer, who often responds to time pressure to access a coveted item on a limited-time offer, at a price too good to refuse
Most likely to fall for: Brand impersonation attacks
Via fraudulent links, cybercriminals impersonate popular brands, tricking victims into sharing personal information, buying contraband products, visiting a fake website, downloading malware, and more. Exacerbating these trends is social media, where attackers can easily impersonate brands, engage with customers seeking to purchase items, and request for their personal details.
Impulse buyers should scrutinise links provided in emails and be on high alert if they are not pointing to the correct location or direct to a third-party site not affiliated with the brand. If in doubt, they should reach out to the brand on their official channels to verify offers before clicking on any links to make payments.
5. The researcher, who often has various browser extensions installed on their browsers to make quick comparisons before purchasing.
Most likely to fall for: Extension malware attacks
Cybercriminals hide viruses behind add-ons, which can then install advertisements, gather users' browsing history, and seek login credentials by impersonating famous apps and extensions. Malicious extensions could go undetected, especially if security software programs treat known extensions as trusted applications.
Most recently, attackers have been using information-stealing malware like FB Stealer, which mimics the harmless and standard-looking Chrome extension Google Translate, to prey on users. After effectively locking a user out of their Facebook account, attackers abuse access to ask the victim's friends for money.
To defend against extension malware attacks, buyers should only install extensions from official Web stores.
Retailers are responsible for providing a safe shopping experience too. “To ensure long-term loyalty, retailers must make every effort to keep shopper data safe. This could include deploying a bot solution to stop credential stuffing attempts early and using password managers and multi-factor authentication to secure users,” says Houari.