Black Friday and Cyber Monday: the perfect phishing storm
Every year at the end of November, we celebrate imported consumer holidays. While Black Friday and Cyber Monday see their popularity grow, hackers are rapidly becoming fans as well. And this year it’s worse than ever.
Over the last ten years, something remarkable came to pass: while very few Europeans actually celebrate Thanksgiving, its sales-related sideshows managed to gain quite a following in our region. With the ever-expanding attention for Black Friday and Cyber Monday, hackers have intensified their efforts as well. The reason is simple: these days of bargains create lots of confusion that can easily be exploited. This year, with COVID-19 still raging, the danger is more serious than ever before.
What is 'Black Friday' and why do we celebrate it?
Thanksgiving is the feast where Americans and Canadians commemorate how their ancestors celebrated the harvest after they were aided by the Native Americans. The day after, traditionally a Friday, many Americans have the day off – the perfect moment to start their Christmas shopping. For large chains it’s the perfect excuse to juggle discounts, attracting enormous masses to their stores and websites. Hence the name: Black Friday.
These consumer holidays have no history whatsoever in Europe. Yet, every year the season’s offerings are launched even earlier. Somewhere in our recent history, merchants decided they could use an extra period of price reductions between their summer and winter sales. Many consumers don’t actually know where these came from or why we would celebrate them.
When even a legitimate message seems phishy
If Black Friday and Cyber Monday have been growing in our region for over ten years, then what is so special or different this year? Easy: hackers love confusion in their would-be victims. COVID-19 has provided them with plenty of confusion to capitalise upon.
A hacker’s standard operating procedure is to put pressure on their victims. ‘Click if you want to win’, ‘log in now or lose your account’, or ‘can you check this error you made?’ People panic and click: they hand over their login details or even their financial credentials.
At-home delivery is a major chaos creator as well. We often forget what we ordered online, or sometimes even that we ordered anything at all. On top of that, nearly every delivery service uses its own way of working. Because of the lack of a unifying process, users receive confirmation emails from one service, text messages from another while still others only use app notifications. When a consumer receives a message from one, they’ll often think ‘what was this one about again?’
To make matters worse, legitimate confirmation text messages – containing, for example, a tracking link – nearly always look suspicious. The links in such a message seldom resemble a domain you would visit yourself. Recognising authentic domains becomes an almost impossible task.
We're not even close to reaching the peak
If a legitimate request gives you pause, things are not looking good. If confusion strikes already, before the storm, it only promises to get a lot worse in the period between Black Friday and Christmas. Research suggests that the number of phishing emails has doubled in the run-up to Black Friday, compared to last year. The writing is on the wall.
It is a direct effect of the COVID-19 pandemic. Several European regions are still in a (semi-)lockdown, meaning that a lot more people are putting pressure on the distribution network for online orders. In Belgium, there was a news item last week stating that the national postal services would be unable to deliver up to 5% of all packages; consumers would be asked to pick them up in selected pick-up stores.
Confusion leads to (grave) mistakes
A lot of merchants have, in addition, launched an appeal to consumers to start buying their Christmas presents now, to avoid the Christmas peak. They are expecting the distribution network to significantly slow down in December, leading to delays of several days, maybe even weeks. Since COVID prevents a different shopping strategy, pressure is rising.
Delivery services are having a hard time coping with demand, and this puts the consumer at risk as well. ‘Where is package x?’ ‘When will package y arrive?’ ‘Where do I go to track package z?’ ‘Informative text messages’ to help you keep tabs on your deliveries quickly become a trap. People love to click. ‘Which parcel was this one again? I’ll just quickly check.’ That is all it takes to make a mistake.
Curiosity killed the cat...
Confusion and curiosity: they are a hacker’s most powerful tools. People always want to know what’s what, and preferably as soon as possible. Our personal experience teaches that phishing mails containing relevant news always score. For example: over the past year, people always clicked on coronavirus-related simulations.
The news items of the past weeks, concerning both the pandemic and Black Friday/Cyber Monday will undoubtedly help hackers over the coming weeks. Governments’ inability to communicate transparently and cohesively will hamper consumers’ security, simply because they don’t know what to believe anymore. When confusion reigns, people click more often than not.
What can you do?
Better safe than sorry is a beautiful mantra, but only if you practice what you preach. Employees are still being offered too little training on cybersecurity topics. It is only by coming into contact with, for example, phishing (within a controlled environment) that people will actually learn how to respond to the threat.
It is comparable to a vaccine: when a person is injected with a virus particle that was made harmless, their immune system will learn to recognise the threat and be prepared for when the real thing comes along. The automated Phished platform does exactly the same: based on a person’s personal knowledge and susceptibility to phishing, they receive tailor-made training to prepare them for the real deal.
Never forget that everyone is vulnerable to phishing and that training is beneficial for every profile. Black Friday and Cyber Monday are kicking off the most dangerous season of the year and you’ll want to be prepared. Stay safe!