While it makes for bleak reading, the frenzy of sales and online shopping activity surrounding Black Friday means this pre-holiday season is a key period for cybercriminals. And each year we see an increase in cyberattacks during what should be a feel-good time.
The picture is all-the-more worrying in 2022, as this Black Friday (25th November) falls on the same date as the USA vs England World Cup game – a hotly-anticipated day of betting for bookmakers.
With even more consumers therefore expected to be shopping online this year, the opportunity for fraudulent behaviour is rife. But that doesn’t mean we have to surrender to the risks of poor website security. Here, Georgina Grant Muller, marketing manager at RapidSpike, shares five key tips to help website users stay safe this shopping season…
Malvertising (or malicious advertising) is a technique used to gain sensitive information from website users. Often malvertising can spoof popular brands and can even be shown on legitimate advertising platforms. One of the most popular and well-known malvertising campaigns is for Ray-Ban sunglasses, with advertisements on social media, email and text showing imagery of the brand with large discounts. These adverts have malicious code injected into them, and will install malware on the user’s computer or send users to a fake website for them to input sensitive payment information.
While not a bulletproof method, shopping on established websites is advised. If you see an advert on social media and are unsure whether it is legitimate, check by going to the brand’s official social media page and looking for current promotions there. On Facebook this information is found under ‘Page Transparency’, and ‘Go to Ad Library’ – here you can see all the adverts currently running. To avoid spoof websites, enter the website URL directly yourself.
2. SSL and safe-browsing
The first thing consumers should take note of when entering a website is whether the website has an SSL certificate. An SSL certificate ensures any data transferred between website users and websites is encrypted and secure. Users can easily tell whether a website currently has a valid certificate: a locked padlock symbol appears in the URL bar. If the website does not have a valid certificate, the words “Not secure” will appear next to the URL. No personal information should be shared on such websites as the data could be compromised.
Additionally, Google’s Safe Browsing list monitors sites for malware, social engineering, phishing and more. When searching for a website, Google will show warnings to users when they attempt to navigate to websites with security issues. Users should therefore take note of websites with security warnings and not shop on any website deemed unsafe.
3. Website discrepancies
The number one risk to consumers this Black Friday is falling victim to a data breach caused by a Magecart (also known as web-skimming) attack on a website.
At RapidSpike, we’ve been tracking, monitoring and fighting Magecart attacks since 2015. In that time, we have seen how Magecart – and other web-skimming groups – have developed tactics to go undetected. Magecart is a particular issue for websites and consumers around Black Friday and the peak holiday shopping period, as cybercriminals prepare attacks around this time for maximum return on their efforts.
Being vigilant to websites with discrepancies is recommended. A key indicator that a website has been hacked is if the checkout process is in a different language to the main website. This happens when hackers use the same web-skimming form across local websites.
Spoof payment pages can also be inserted before real payment pages; these scrape payment data and send it to a malicious host. A good rule of thumb is that if you have had to input your credit card information more than once, the website likely has a web-skimming form on it and your data has already been stolen. If you suspect that this has happened, notify your card provider immediately.
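The two discrepancies described above (a checkout in a different language, and payment data sent to another host) can also be checked from the site owner's side. The following is an added example, not RapidSpike's code: the sample pages, the host names and the allowlist are constructed, and it inspects static HTML only.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages for a hypothetical shop at shop.example.
HOME = '<html lang="en-GB"><body><a href="/checkout">Checkout</a></body></html>'
CLEAN = ('<html lang="en-GB"><script src="https://js.pay.example/v3.js"></script>'
         '<form action="/pay"></form></html>')
SKIMMED = ('<html lang="de"><script src="https://cdn-stats.example.net/a.js"></script>'
           '<form action="https://collect.example.net/c"></form></html>')

class PageFacts(HTMLParser):
    """Collects the declared language and the hosts of form targets and scripts."""
    def __init__(self):
        super().__init__()
        self.lang = None
        self.hosts = []            # (kind, hostname) pairs in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html" and a.get("lang"):
            self.lang = a["lang"].split("-")[0].lower()   # en-GB -> en
        elif tag == "form" and a.get("action"):
            self.hosts.append(("form", urlparse(a["action"]).hostname))
        elif tag == "script" and a.get("src"):
            self.hosts.append(("script", urlparse(a["src"]).hostname))

def facts(html):
    parser = PageFacts()
    parser.feed(html)
    return parser

def checkout_discrepancies(home_html, checkout_html, site_host, allowed_hosts):
    """Return findings for the checkout page compared with the main site."""
    home, checkout = facts(home_html), facts(checkout_html)
    trusted = {site_host} | set(allowed_hosts)
    findings = []
    if home.lang and checkout.lang and home.lang != checkout.lang:
        findings.append(f"language changed: {home.lang} -> {checkout.lang}")
    for kind, host in checkout.hosts:
        # A relative URL has no hostname and stays on the site itself.
        if host and host not in trusted:
            findings.append(f"{kind} uses unlisted host: {host}")
    return findings

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("skimmed", SKIMMED)):
        print(name, checkout_discrepancies(HOME, page, "shop.example", ["js.pay.example"]))
```

Skimming code that is injected at run time will not show up in static HTML, so a check like this complements browser-based monitoring rather than replacing it.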
4. Payment methods
When it comes to paying, there are some payment options which will better protect you online. Here are our top recommendations:
Using a credit card to check out is a good option during the peak shopping period, because credit cards carry added protection compared to debit cards. If your credit card is compromised, your credit card company will attempt to retrieve fraudulent payments as it is their money at risk. Your personal funds are therefore not affected.
Virtual cards provide unique details so you can shop online without using your card’s real details. You can set up a virtual card for individual online transactions, so if your details are compromised, hackers will be unable to use the information to make further purchases.
There are some affordable options available for virtual cards, including Monzo’s, available with Monzo Plus and Monzo Premium subscriptions. With these, consumers can have up to five active virtual cards at any one time, and create up to 100 new virtual cards every 12 months. These upgrade options start from £5 a month and require a minimum three-month period. Getting started in time for Black Friday and the peak shopping period could be a good idea.
If virtual and credit card options are not available, Apple Pay or PayPal are good options as some attacks are not complex enough to scrape details from these third-party providers. However, it should be noted that this is not a foolproof plan as third-party payment providers can themselves be compromised.
5. Payment Alerts
Using online banking alerts can help to stop attacks in their tracks. If you are in the unfortunate situation that your card details have been compromised, setting alerts on your transactions via mobile banking means you remain in the loop about all transactions leaving your bank account. You can therefore cancel your card almost immediately.
When a card has been compromised, payments tend to be taken in one of two ways. Either the card will quickly be used for multiple payments made seconds or minutes apart, or hackers will adopt a slow-burn tactic, testing cards with smaller amounts or setting up longer-term subscriptions. If you notice a transaction that you do not recognise, freeze your card to investigate the transaction and cancel the card if necessary.
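The two payment patterns described above can be expressed as simple alert rules over a statement export. This is an added example, not part of the original article: the transactions, merchant names and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the article.
BURST_WINDOW = timedelta(minutes=5)   # "seconds or minutes apart"
BURST_MIN = 3                         # payments inside one window
TEST_MAX = 2.00                       # "smaller amounts" used to test a card

SAMPLE = [  # constructed statement lines: (ISO timestamp, merchant, amount)
    ("2022-11-25T10:00:05", "Grocer", 42.10),
    ("2022-11-25T14:31:00", "ElectroMart", 299.00),
    ("2022-11-25T14:31:40", "PhoneHub", 410.00),
    ("2022-11-25T14:33:10", "GiftCardsNow", 150.00),
    ("2022-11-26T03:12:00", "StreamPlus", 0.99),
    ("2022-12-26T03:12:00", "StreamPlus", 0.99),
]

def flag_transactions(txns, known_merchants):
    """Return {index in txns: sorted reasons} for transactions worth a look.
    known_merchants are merchants the cardholder already recognises."""
    rows = sorted(
        ((datetime.fromisoformat(ts), m, amt, i) for i, (ts, m, amt) in enumerate(txns)),
        key=lambda r: r[0],
    )
    flags = {}

    def mark(i, reason):
        flags.setdefault(i, set()).add(reason)

    # Pattern 1: several payments inside one short sliding window.
    start = 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > BURST_WINDOW:
            start += 1
        if end - start + 1 >= BURST_MIN:
            for r in rows[start:end + 1]:
                mark(r[3], "burst")

    # Pattern 2: slow burn from merchants the cardholder does not recognise.
    seen = set()
    for when, merchant, amount, i in rows:
        if merchant in known_merchants:
            continue
        if amount <= TEST_MAX:
            mark(i, "small-test-charge")
        if (merchant, amount) in seen:
            mark(i, "repeat-unknown-merchant")   # possible subscription
        seen.add((merchant, amount))
    return {i: sorted(r) for i, r in sorted(flags.items())}
```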
It’s important to remain vigilant after the holiday shopping period too. If you receive phone calls claiming to be from your bank and asking for your details, do not disclose anything, and contact your bank directly.
Millions of users shop online for Black Friday without issue and cyberattacks should not deter consumers from shopping online. Being aware of the various attack tactics can go a long way in preventing consumers falling victim to attacks. If you do have suspicions of a website, report it to the NCSC to investigate, contact your bank to cancel your card and stay vigilant to suspicious calls.
Leeds-headquartered RapidSpike is a renowned website monitoring platform, protecting the three key aspects of website health – performance, reliability and security.