Unless you’ve been living under a rock for the last few years, you’re probably well aware that in internet-land, Black Friday and Cyber Monday are a big deal and they’re happening over the next few days! What does this mean for you as a consumer? Well, put simply it means you’re able to land some massive discounts on products you might not otherwise buy and you’re quite likely to overspend even if the discounts are huge! If you’re an online retailer and you’ve gone all-in on marketing for Black Friday and Cyber Monday specials, you’re expecting a huge windfall in sales and activity on your site.
All of this seems like a wonderful activity to plan for once a year – how could it possibly go wrong? Like online retailers, fraudsters spend their time planning for days like Black Friday and Cyber Monday too. Why? Because there’s a massive windfall for them if they get it right. The campaigns are highly planned and the overarching intent is often driven by organised crime syndicates as well. The campaigns can include one or many of the following things:
- Social Media Impersonation: Creating a bunch of fake or impersonating social media pages, profiles or videos to hijack legitimate traffic from online retailers by impersonating their brand. Once they get this right, the intent is to then divert that traffic to fake target sites to fleece the clients of their money or personal details.
- Phishing attacks using fake sites: The fraudsters take a bit of time to get this right. They can put up parts or decent-sized copies of legitimate sites to hijack credit card and personal information by getting real customers to place orders on these fake sites. Of course, the customer will never get their order and will be left out of pocket a significant amount of money.
- Brand impersonation with a fake site: Even if an online retailer doesn’t get impersonated, their brand or the brands they sell can be used to hijack consumer traffic (from fake emails, fake social media sites and even fake mobile apps) in order to send the consumer to a place that looks enticing enough to buy from.
- Fake mobile apps: Online retail has made huge headway in delivering a mobile app outlet for consumers, and the fraudsters are well aware of this. Setting up and making fake mobile apps available is a very lucrative way for them to get access to customer funds and data. Fake mobile apps are a particular problem with sales events like this because these events attract first-time buyers who would typically run and grab a mobile app to make the experience easier. From a malicious perspective, apps are particularly insidious because it’s difficult for the consumer to spot the tell-tale signs of a fake whilst inside the app.
Things to look out for and why:
- Fake Emails: Fake emails are a time-tested method of delivering fake information to unsuspecting people. Whilst spam and malware filters with the big providers do a great job of catching some of this, fraudsters know that email reach has a high conversion rate and do their best to get these under the radar of the filters. They are usually very convincing and in a frenzied buying state, people are ready and happy to click just about anything that looks like a good deal. On mobile devices in particular, the fakes are hard to spot purely because of the way mobile email client apps present the emails. As a rule, if you’re not expecting the email or you just want to be careful, preview the link and check the address it’s sending you to. For example, if the email purports to come from BRAND X and you preview or open the link and it looks like https://fakesite5212.com/onlineshop then there is a good chance that it’s not related and is probably a fake.
- Fake Reviews: Fake reviews quite simply build credibility to encourage buyers to believe that the site they are on is real. Fake reviews on social media and search are not that hard to produce and for an unsuspecting buyer who may not have their complete focus on security, this can often tip them over to make a huge mistake. Generally speaking, a fake site won’t have been online for long nor would a fake social media profile. For a consumer it’s a little hard to determine the age of a site but as a rule, if the social media page is new or the review dates are clustered close together, this is generally not a great sign.
- Paid Ads: Fraudsters and criminal syndicates by their nature usually have access to a variety of fake payment sources. They indiscriminately use these to pay for fake ads to send you to their fake assets. For consumers, this is hard to spot as the writing and the ads themselves are usually quite well prepared. The protection for the consumer comes with awareness and the hope that they would actually look at the website they land on when sent somewhere from a paid ad.
- Malicious or Typo Domains: These are very sneaky ways fraudsters use to trip up a consumer but if you are paying attention, these can be easy to spot. For example, if a legitimate website is thisismybrand.com a typo version of that domain could be th1sismybrand.com – all that’s changed is that the letter i was replaced with the number 1 and it wasn’t done everywhere, just in one place, which is enough to do the damage. In the case of malicious domains, these may not even closely resemble the original domain but would generally be related to the industry. So if the industry in question is online retail then a sample of a malicious domain could be retailoutlet1.xyz. The name really doesn’t matter; it’s more about how the fraudster got you to it and what they did to you when you arrived there.
- Unsolicited SMS: Whilst this might seem like an old technique it still has a very high success rate. Older or less technically savvy consumers generally have a smartphone. Whilst many of them would struggle to do most things on that smart device, they would generally know how to open an SMS and read it and this makes them susceptible to attacks via SMS campaigns.
- Fake Surveys: Fake Surveys are a subtle way of getting under the radar with consumers. They are tagged as a survey and often provide some form of inducement for completing the survey as a way of getting information out of you. Whether you encountered the survey in an email, on the web or in social media, it’s probably a good idea to check the veracity of the brand asking you for the information in the survey and make a qualified judgement about whether you should give your information up to them.
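The link check described under Fake Emails and the character substitution described under Malicious or Typo Domains can be automated when triaging reported links against a brand's real domain. The following is an added example, not code from the original article; the substitution table, the function names and the naive two-label domain split are assumptions made for illustration, and only the sample domains come from the text.

```python
from urllib.parse import urlsplit

# Characters commonly swapped for one another in typo domains (constructed table).
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s",
                            "3": "e", "4": "a", "7": "t"})

def registrable(url_or_host):
    """Return (label, domain) from the last two DNS labels (naive: no public suffix list)."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").rstrip(".")
    parts = host.split(".")
    domain = ".".join(parts[-2:])
    return (parts[-2] if len(parts) >= 2 else domain), domain

def skeleton(label):
    """Collapse look-alike characters so 'th1s' and 'this' compare equal."""
    return label.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(link, brand_domain):
    """Return 'legitimate', 'lookalike' or 'not_brand' for a link and one brand domain."""
    brand_label, brand = registrable(brand_domain)
    label, domain = registrable(link)
    if domain == brand:
        return "legitimate"
    if skeleton(label) == skeleton(brand_label):
        return "lookalike"   # character substitution, or the same name on another TLD
    if edit_distance(skeleton(label), skeleton(brand_label)) <= 1:
        return "lookalike"   # one added, dropped or changed character
    if brand_label in label.replace("-", ""):
        return "lookalike"   # brand name embedded in a longer domain
    return "not_brand"       # not the brand's site; this says nothing about safety

if __name__ == "__main__":
    # Sample links: the first three appear in the article, the rest are constructed.
    for link in ["th1sismybrand.com", "https://fakesite5212.com/onlineshop",
                 "retailoutlet1.xyz", "https://www.thisismybrand.com/onlineshop",
                 "thisismybrand-deals.com"]:
        print(f"{link:45} {classify(link, 'thisismybrand.com')}")
```

A `not_brand` result only means the link does not imitate the brand's name; as the list above notes, a malicious domain such as retailoutlet1.xyz need not resemble the brand at all.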
As an online retailer it’s important to remember that things like “Click Frenzy” didn’t get their names by accident. The massive marketing and hysteria around Black Friday and Cyber Monday sends consumers into a frenzied state and they might not be as careful as they usually are when shopping online. This of course impacts the customers themselves and is a gift that keeps on giving, with days, weeks and months of unpicking fraudulent transactions with their bank. However, a retailer’s brand can easily get burnt in this process if they were not perceived to do a good enough job at protecting and informing their customers. In a social media centric world, perception is everything; having to defend yourself becomes expensive, and rebuilding customer sentiment takes a long time.
Most media outlets and cyber security firms are advising consumers to stick to brands they know but that doesn’t help them if the brand is being impersonated and they don’t even know they’re in the wrong place. In short, it can happen to any brand, big or small. The likelihood that a smaller brand will be targeted by a fraudster or a criminal syndicate is minimised because of the effort required for the likely reward they’d achieve.
Our advice to consumers is to keep your wits about you and head into these big online campaigns with your eyes wide open and protect yourself from the variety of scams going around. For the retailers, it’s important that you stay vigilant and remember that protecting your online brand is your responsibility even when the attacks are happening on assets you don’t control or manage. If you think this is an area you need help with, we’d love to chat with you further.