With holiday shopping well underway, cybercriminals are fine-tuning their tactics to take advantage of merchants and consumers across the globe. Since 2013, over 13 billion data records have been lost or stolen in data breach incidents – and that number is only expected to grow.
As consumers spend more time and money shopping online, these criminals are looking to leverage any advantage they can find within existing online shopping systems. This year, incidents of corrupt websites hosting banking trojans, downloaders, and credential stealers are skyrocketing, making up 94% of malicious payloads in the third quarter of this year, according to a recent report from Proofpoint.
Linking to the Badlands
Cybercriminals are now opting for embedded malicious URLs in emails, according to the Proofpoint researchers, eschewing their long tradition of attaching malicious files in the hopes that a user will open them. In the third quarter of the year, malicious URLs outnumbered attachments by over 370%. Research from NuData Security also supports these findings and has discovered fake antivirus programs and bogus browser plugins to be most popular, doubling their frequency in the second quarter of 2018.
These links are able to snag consumers without raising the traditional alerts that an attachment can cause, now that consumers are more aware of these types of phishing techniques. Businesses and consumers alike should take every precaution when sifting through promotional emails this holiday season, as criminals will attempt to disguise phishing attempts as genuine offers. Just one bad click can trigger the download of a malicious program to their device.
While phishing has direct consequences for consumers, it also harms merchants who suffer from brand damage, customer distrust, and customer churn – where consumers move their business to a competitor they believe is more trustworthy. Phishing attacks emulate a trusted brand in potentially negative ways, so even if the victim doesn’t click any links in a phishing email, they are still exposed to fake communications that can change the user’s perception of the business that is impersonated. On the bright side, however, social media platforms have gotten much better at identifying phishing attempts within their platforms, boasting a 90% improvement in effectiveness over 2017.
Holiday Crime and Convenience
As mobile shopping adoption continues its upward trend, we’ll see more mobile purchases today than on a desktop device, and we’ll see more cyber attacks against users of mobile devices as they become a popular target for cybercriminals. Researchers at NuData Security have found that high-risk mobile purchases were trending up 25.3% of total mobile purchases in the third quarter of 2018.
One of the stumbling blocks to consumer security on mobile devices is that mobile operating systems and browsers lack consistent and clear trust indicators, so the user may not recognize that a link they have followed has taken them to a malicious website set up to look exactly like the real store, instead of the legitimate site they intended to visit.
For consumers, one solution is to permanently dedicate some small portion of the screen to application identity. The operating system would provide an always-present identity bar that displays the name of the current application, and the browser could similarly provide a minimalist, always-present address bar that simply displays the domain in a small font.
Merchants strive to provide an enjoyable shopping experience for their customers, especially during the hustle of the holidays – where they are more likely to switch to a competitor if getting a last-minute gift creates additional friction or inconvenience. Several new approaches are giving online companies the edge in protecting their customers, while locking out cybercriminals who blend in with the online crowd to do some pick-pocketing the digital way.
To build lasting relationships, businesses need to recognize customers the same way as they would in a real store – without asking them for their name – and identify their customers without relying solely on credentials such as passwords, usernames, and other information that can be easily faked or stolen.
Many businesses are implementing a multi-layered security approach that includes passive biometrics and behavioral analytics, which identify online customers by their behavior. Such identifiers as how a person holds their device, how hard they type, and how fast they move from webpage to webpage are all part of the online mix to authenticate consumers. These key identifiers, along with hundreds of others, are used to identify the person behind the device. So even if a phone, computer, iPad or other device is stolen, cybercriminals would be blocked as they try to make fraudulent transactions. At the same time, these cutting-edge technologies allow merchants to provide a memorable holiday shopping experience for true customers while offering them surprise rewards as well.
About the author:
Robert Capps is the VP and authentication strategist for NuData Security Inc., a Mastercard company. He is a recognized technologist, thought leader, and an advisor with more than 20 years of experience in the design, management, and protection of complex information systems – leveraging people, process, and technology to counter cyber risks.