The Black Friday-to-Cyber Monday long weekend may have become a lead indicator for the Christmas holiday shopping season, but security firms are warning shoppers to be careful online as cybercriminals increase their activity in the runup to what is expected to be a $52.7b retail season.
Black Friday has become Australia’s third biggest sales period and Cyber Monday its sixth, according to recent figures from PayPal, and retailers from eBay and Amazon to Kmart and Westfield shopping centres jumping onboard.
With ever-better offers flying thick and fast via email, security firm Proofpoint has warned shoppers need to be particularly wary of online scams and malware propagated through emails spoofing legitimate retailers.
Despite efforts by the Australian Signals Directorate to promote the use of next-generation DMARC email anti-fraud tools, Proofpoint research suggests that just 45 percent of Australia’s biggest online retailers have actually begun implementing DMARC – and just 10 percent have adopted the strictest level of security.
“Online retailers may be unknowingly exposing themselves and their customers to cybercriminals on the hunt for personal and financial data,” Proofpoint Australia country manager Crispin Kerr warned.
“We anticipate cybercriminals will work to exploit the urgency associated with flash sales by using subject lines prompting users to click in haste and will likely try to use stolen branding and spoofed domains to convince shoppers that an email is legitimate.”
The Australian Competition & Consumer Commission (ACCC) took the opportunity to remind Black Friday shoppers about the risk of scams – which are likely to surge as cybercriminals leverage the names of online and offline retailers.
Common items such as shoes, smartphones, and tickets to concerts or other events are among the products most frequently associated with scam activity, ACCC deputy chair Delia Rickard said, warning shoppers to be alert for “extremely low” prices and requests for payment using direct transfers or cryptocurrency.
“Many people enjoy the convenience of online shopping but it is important to remember that there can be risks involved,” Rickard said. “We encourage everyone to do their research before making an online purchase.”
Cybercriminals are actively creating fake mobile apps and landing pages that imitate well-known and trusted brands, security firm RiskIQ warned on the back of new research a 20 percent increase in the number of blacklisted mobile apps.
Growing use of mobile phones made fast-shopping consumers even more susceptible to cybercriminal fraud, the firm noted, with a third of e-commerce sales last year – worth more than $US2 billion ($A2.9b) – conducted via mobile devices.
Fully 72 percent of 1000 surveyed consumers said they would download a shopping-related app if it offered a discount, RiskIQ reports, noting that 6353 blacklisted apps contain “branded terms” relating to specific retail brands – including 24 blacklisted apps that have incorporated the branding of the UK’s top five retailers.
Despite these ongoing attempts at mobile fraud, more than 58 percent of consumers said they don’t check the developer of an app they download and 38 percent don’t check the permissions an app requires before downloading it.
The findings highlight an attack vector that would potentially be highly successful in a climate of high-energy holiday shopping, RiskIQ threat researcher Jordan Herman warned.
"This year's bad holiday actors will capitalize by using the brand names of leading e-tailers, as well as the poor security habits of consumers," he said. "They'll fool shoppers looking for Black Friday deals, sales, and coupons by creating fake mobile apps and landing pages."