Immersed in the spirit of the holiday season, British shoppers are planning a bumper online Christmas spend this year. PwC has reported that one in four UK consumers are planning to spend more this year – a total of £21 billion, up 4% on pre-pandemic levels, accelerated by the ongoing effects of the pandemic and the latest restrictions imposed by the UK government.
As retailers announce early deals and slash prices ahead of the Boxing Day sales, consumers are being warned of the growing cybersecurity risks that the Festive season brings to shoppers seeking a bargain.
Busy online sales periods present a tempting opportunity for cyber criminals, looking to take advantage of unsuspecting customers as they shop. The UK’s National Cyber Security Centre (NCSC) has already warned over 4,000 small online retailers that their sites were compromised by hackers before the Black Friday and Cyber Monday sales, and last year saw online crime defraud British buyers by £2.5 million, with this figure only likely to increase.
Ex-GCHQ and MOD cyber specialist, David Woodfine, Co-Founder and Managing Director at Cyber Security Associates shares his top four tips on how shoppers can remain vigilant over the holidays, outlining popular scams to be aware of, whether shopping online or instore, to help them remain secure while snapping up a seasonal bargain.
1. If it sounds too good to be true, it probably is
Our inboxes are usually inundated with special buy offers in the weeks leading up to Boxing Day sales, but consumers should remember to think twice before clicking on links, no matter how genuine or reputable an email may seem. Criminals use sophisticated phishing attacks to send out thousands of malicious emails, extracted through stolen data – but they only need one unsuspecting consumer to click these links to ‘win’.
Just last month IKEA was victim to an ongoing cyberattack where threat actors were targeting employees in this case through internal phishing attacks using stolen reply-chain emails. Criminals gained access to legitimate corporate email addresses and then replied to them with malicious documents to install malware on people’s devices. The emails were also sent from other compromised IKEA organisations and business partners, highlighting the need for vigilance in the supply chain and extra caution before clicking links in emails – including where you’ve had previous communication.
Watch out for that ‘unsubscribe’ button – it’s a common malicious scam to encourage consumers to click the link, before directing them to a fake website or installing malware onto their device.
Always remember to double check the sender’s email address to confirm its legitimacy, which you can do by visiting their website (using your search engine) or their verified social media accounts. Also remember to double check the spelling in email addresses, keeping an eye out for letters than have been replaced with numbers to imitate the company name, for example, using the number zero in place of the letter ‘O’.
If you are wary of the email contents but would still like to unsubscribe from the company’s products or services, then begin by visiting the company website organically, and contact the customer service department, or FAQs page directly. Finally report all spam emails as junk and add the sender to your blocked user list to avoid falling foul to phishing scams in the future.
2. Think before you click
As well as verifying the festive sales emails sitting in your inbox, be vigilant about the websites that you are visiting and buying from . One way to do this is by double checking that the company URL is what it is expected to be. For example, if you are shopping Amazon UK, the URL should be expected to read as https://www.amazon.co.uk and not something like “http://www.aamaz0n.gg”. Ensure that the ‘s’ in ‘https’ is visible at the beginning of the URL, as it’s an indication that the page you are visiting is encrypted and much harder for cyber criminals to acquire your data.
3. Consider using third party payment systems – it’s safer
A good way to mitigate any potential issues, especially when shopping online and buying from SME businesses is to ensure that a third-party payment processing vendor is used for the transaction. PayPal and Amazon-Pay are just a couple of examples of these third-party payment options which are less likely to be compromised in an attack and therefore offer a greater level of security to shoppers.
Another alternative option to consider is using a disposable virtual card from a challenger bank like Revolut. Disposable virtual cards can be created instantly and are suitable for one-time, online transactions. Your card details will automatically regenerate after every transaction made using a disposable virtual card, thus adding an extra layer of security for online transactions and protecting you against online card fraud.
4. A quick inspection can protect you from card skimming attacks
In November 2021, Costco announced it was hit by a card skimming attack where hackers had the ability to capture information on the magnetic stripe of a payment card, including names, card number, expiration date and CVV. Having gained access to this sensitive information, the criminals were then able to clone payment cards of consumers using duplicate magnetic strip data.
Card skimming happens when a criminal installs a device illegally to a point-of-sale terminal, like a cash point, card machine or fuel pump. These carefully planned attacks sometimes also include the placement of nearby recording devices to try and obtain pin numbers of cloned cards. It’s estimated that card skimming scams now costs financial institutions and consumers more than $1 billion each year.
You can help avoid such attacks by doing a quick physical inspection before inserting your card to make payment, no matter where they are using it. Giving a good tug on the stripe reader or card slot is often enough to dislodge a skimmer and will do no damage to a terminal if it hasn’t already been compromised.
Spending a little time to think and carefully consider before hitting the buy now button will help ensure that you are a harder target for cyber criminals this festive period.