Arming Users Against Holiday Shopping Scams

October 23, 2019
Aaron Jentzen

With the holiday season coming up, we can expect more and more people will be doing their holiday shopping online. We can also expect that cyber criminals will increase their efforts to intercept this river of cash.

While consumers may be the most obvious targets of online shopping fraud, infosec teams should also be alert to this risk. In the BYOD era, end-users’ poor mobile cybersecurity behaviors could significantly impact an organization’s security posture.

Santa’s Got a Smartphone

In the United States alone, online retailers took in $2 billion per day during November and December last year, according to Adobe Digital Insights (ADI). During that period, online sales revenue in the U.S. reached $126 billion—a dramatic increase from $108.2 billion in 2017 and $94.4 billion in 2016.

A large chunk of that holiday shopping was done via smartphone, according to ADI. Smartphones were used for more than half (51.4%) of all online visits during the period, and 31% of online sales (up 24% YoY).

“The season saw overall strong growth in online sales, which are growing faster than overall retail sales,” said Taylor Schreiner, director at ADI. “This is an indication that people are getting more comfortable shopping online and with their smartphones.”

But users shouldn’t get too comfortable. Let’s consider the cybersecurity risks that come with online shopping.

Online Shopping and Domain Fraud

One concern with increased online shopping is the prevalence of domain fraud that targets retail brands. Attackers create “lookalike” sites that imitate familiar brands. People who visit fraudulent sites may be sold counterfeit (or non-existent) goods, infected with malware, or have their money or credentials stolen. These sites often use legitimate brand logos and photos—as well as very similar domain names.

Proofpoint researchers continually analyze more than 350 million domains—virtually all domains on the web—to identify regional and global trends. The 2019 Domain Fraud Report revealed the following troubling discoveries among Proofpoint Digital Risk Protection customers:

  • 96% found exact matches of their brand-owned domain with a different top-level domain (TLD)—for example, “.net” vs. “.com”
  • 85% of retail brands found domains selling counterfeit goods
  • 76% found lookalike domains posing as their brand

Attackers attempt to draw victims to lookalike sites by spreading links in phishing emails, social media posts, and online ads. A well-designed lookalike site can be very convincing—even if you know what to look for. And shopping on a small smartphone screen can make it even harder for users to spot subtle warning signs.

Timely Alerts and Advice

The holiday season is just another reminder that end-users must be able to identify and avoid phishing attacks, fraudulent sites and other threats. It also reinforces the value of broad-based security awareness training that users can apply both in the workplace and in their personal lives. In addition to a strong training foundation, users benefit from timely advice—such as receiving mobile shopping security tips when they’re likely to be researching and buying products online.

While watching for broad seasonal trends is useful, scams and phishing tactics are constantly evolving. Our Attack Spotlight content provides timely alerts about specific, current threats in a way that’s easy to share with your end-users. Our latest Attack Spotlight, available now, is particularly relevant to online shopping: It helps users avoid the growing lookalike website trend.

We encourage you to use our free security awareness resources to alert your employees to this threat. Let’s help everyone enjoy a safer holiday season.