Black Friday kicks off surge in phishing attacks on consumers

Phishing emails are dramatically increasing as the holidays approach.

Scammers as well as retailers were busy reaching out to customers during Black Friday week.

According to analysis from cybersecurity company Darktrace, during Black Friday week (Nov. 25-29, 2024), Christmas-themed phishing attacks (fraudulent emails impersonating communications from legitimate organizations) grew 327% globally, while Black Friday-themed phishing attacks jumped 692% compared to the week of Nov. 4-9, 2024.

In the U.S., phishing attacks mimicking emails from major retailers including Walmart, Target and Best Buy increased by more than 2000% during peak Black Friday week shopping periods.

Darktrace analysis also highlighted the shifting focus of scammers from impersonating business-to-business organizations to impersonating business-to-consumer enterprises during the holiday season, with impersonation of major consumer brands growing 92% globally during the analyzed period while mimicking of business-focused brands declined by 9%.

According to Darktrace, common strategies used in holiday phishing scams include sending consumers a phony email designed to look like it comes from a retailer they frequently shop, asking them to click a link for a discount, which then downloads malware to their device.

Phishing emails also link consumers directly to websites that look like those of a legitimate retailer but collect login or payment details to be used by cybercriminals.

"The festive shopping season creates a perfect storm for cyber criminals," says Nathaniel Jones, VP of threat research, Darktrace. "Consumers are primed to expect floods of retail deals, while retailers are processing tremendous transaction volumes at speed. This combination makes spotting suspicious patterns more challenging than at any other part of the year."

Five anti-phishing security measures for retailers

Darktrace offers the following five tips to help retailers protect themselves and their customers from phishing scams: 

  1. Make logins secure: All staff should have strong passwords of 12-16 characters with multi-factor verification set up across all business systems. This extra layer of security means even if passwords are compromised, unauthorized users can't gain access to those accounts.
  2. Lock down email: Retailers can use Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication to help stop scammers from sending fraudulent emails and see who is illegitimately sending messages from their email domain.
  3. Prepare your team: Regular security training and business-wide communications can help staff identify and report seasonal scams. Training should focus on current threats and emerging patterns.
  4. Monitor brand impersonation: Retailers can set up Google alerts to track mentions of their brand and warn them of counterfeit websites and fraudulent domains. In addition, retailers can lock down their brand name with official registrations and/or implement brand protection tools.
  5. Strengthen payment processes: Tiered access policies with stricter controls for finance team members who handle transactions can help retailers apply more rigorous authentication and monitoring requirements compared to non-financial roles, helping ensure sensitive payment operations are limited to authorized personnel.

Holiday shoppers fear online fraud

According to the recent "2024 Norton Cyber Security Insights Report: Holiday" study, 62% of surveyed U.S. consumers are worried about being targeted by online fraudsters during this holiday season, while 53% were specifically concerned about Black Friday and Cyber Monday shopping scams. 

Three-in-10 respondents said they have been targeted by a scam while holiday shopping online. 