As users prepare for the long Thanksgiving weekend, internet fraudsters are already looking forward to Monday – the unofficial start of the holiday cybercrime season.
Cyber Monday, the digital equivalent of the brick-and-mortar world's Black Friday, is one of the busiest online shopping days of the year, and typically marks the beginning of a monthlong period of increased online threats, Andres Kohn, vice president of technology at security firm Proofpoint, said on Tuesday.
Attack volume usually peaks during the two weeks before Christmas, when last-minute shoppers are online in full force, he said.
Safe online shopping tips
DO monitor your credit card and bank activity.
DON'T shop unless the website uses SSL.
DO use your credit card, as opposed to your debit card, when making a purchase online.
DON'T buy from disreputable or unfamiliar vendors.
DO ensure your computer and anti-virus are up to date.
DON'T trust every deal.
Phishing attacks, survey scams and poisoned search engine results are all expected to ramp up on Cyber Monday, the day most employees return to work for the first time since the Thanksgiving break, Steven Cobb, security evangelist at anti-virus firm ESET, said. Cybercriminals are also expected to rely heavily on social media to distribute scams throughout the season.
“I'd imagine that people planning to commit fraud against retail customers this year are ready to go,” Cobb said. “During the holiday season, people are keen for bargains and short on money, making people more likely to fool themselves into thinking the scams are real.”
Preying on consumers' desire for a good deal, cybercriminals this season may spoof social coupon sites, like Groupon or LivingSocial, in attempts to trick unsuspecting users into installing malware, Kohn said. Attackers may also, ironically, leverage users' knowledge that online threats increase during the holidays with targeted attack emails stating that recipients must change their corporate account credentials due to a Cyber Monday-related breach.
Over the past year, adversaries have increasingly scrapped widespread malicious email campaigns in favor of more targeted attacks aimed at harvesting corporate account credentials, which can be used to steal intellectual property or large databases of customer and employee information. Consequently, businesses are more concerned now than they have been in years past about the risks employees may introduce when using work computers to shop online or hunt for deals, Kohn said.
When providing cybersecurity awareness training this holiday season, enterprises should explicitly state what types of requests – if any – users should respond to when asked to provide their login details or personal information.
“It could be as easy as saying, ‘We will never ask you for credentials in an email. Do not even respond to requests for credentials,’” Kohn said.