Don’t Trade Good Cybersecurity for Good Deals on Cyber Monday (or Black Friday)
Posted by: Tristan Morris
Published 11/23/2021, 9:00am
For US-based readers, Thanksgiving is just around the corner. Once all the turkey is eaten (or, more realistically, safely sealed away in plastic containers to be eaten for the next two weeks) and the tables are cleared, many people will turn their attention to the informal “holidays” that grip the news cycle every year: Black Friday and its younger sibling, Cyber Monday. These are the days when retailers–taking advantage of the pressure holiday shopping brings–offer steep discounts on their goods, and in response, US shoppers have a tendency to collectively lose their minds. Taking advantage of the sense of urgency and FOMO that these deep, “one day only” price cuts bring is an excellent strategy for retailers, which is probably why–much like many other consumer-oriented holidays–Black “Friday” has slowly morphed into “Black several-weeks-before-Thanksgiving” over the last few years.
But big retailers and small sellers aren’t the only ones who have taken notice of shoppers’ keen desire to get brand-new goods at last-year’s-goods prices. The onslaught of holiday offers stuffing our inboxes and crowding our consciousness provides a prime opportunity for cybercriminals to turn unsuspecting victims into a backdoor into their desired targets. And the field of available scams has only expanded this year, as high-demand items and new tech are increasingly hard to find while manufacturers contend with the lingering effects that Covid-19 had on the worldwide supply chain. As anxiety increases, shoppers who might otherwise be skeptical of too-good-to-be-true offers and wary of strange sources become more likely to rush through the process rather than take precautions. Cybercriminals know that desperation is fertile soil for easy marks, and even if their ultimate goal is access to a corporate network, they’re willing to settle for personal information and payment details.
By the FBI’s tracking, phishing was the most common type of cybercrime in 2020, with incidents doubling in frequency to over 240,000 by the end of the year. According to Victor Wieczorek, Vice President of Threat and Attack Simulation and Application Security at GuidePoint Security, phishing remains one of the most consistently effective ways to gain access to a corporate network, and using events like Black Friday and Cyber Monday as lures is particularly productive. “Leveraging high-profile happenings that most people are aware of is a tried-and-true method for penetration testers, and we use it because our work requires us to think like real-life cybercriminals. Especially digital events like Cyber Monday or Black Friday, when promises of special discounts can entice victims to click links they otherwise wouldn’t. Those links can be used to drop malware directly, but it can be just as effective to ask for credentials in exchange for corporate discounts that don’t actually exist.”
At its core, using large societal touchstones as fodder for phishing is just mass social engineering. Whether it’s the Olympics, highly anticipated movie releases, or overnight streaming phenomena, there’s nothing especially novel about the kinds of social engineering being used. What does set this season apart, however, is the tendency to shop online during work hours and on work computers. There’s nothing inherently wrong with doing that; we all need to take a few minutes to step away from work from time to time, and using a work computer keeps secret present orders away from prying eyes on home devices. But because of this tendency, now is a prime time for cybercriminals–whose end goal is gaining a foothold in your company’s network–to slip into the ad and inbox traffic and snare unsuspecting victims. And with the cost of breaches reaching an all-time high in the last year, becoming a victim of a holiday scheme can be an extremely costly mistake.
So what can you do to avoid falling victim to a scam and putting your place of work at risk? If you are going to buy holiday gifts through your work assets, Mark Lance, Senior Director of Cyber Defense at GuidePoint Security, and his team–Tony Cook, Head of Threat Intelligence, and Drew Schmitt, Principal Threat Intelligence Analyst–have a few recommendations for users to follow.
When I asked them for their best advice for end users, Mark says, “First, be conscious of the sites you visit and the origin of any communication directing you to them. Make sure they’re trusted, check to be sure the ‘from’ name matches the email, and double-check any URLs to be absolutely sure they’re valid. If it’s a store or site you’ve never heard of offering a crazy deal on a hard-to-find item, remember that ‘too good to be true’ rarely is.”
Tony adds, “Even if the ad or email you’re seeing does seem to point to a well-known, valid source, it’s always safer to go to the site on your own and try to find the deal than it is to click a link. And if you’ve never heard of the store offering it, it takes no time at all to search for it and verify things on your own.”
And if you do find a great deal and everything seems to check out, Drew says, “It’s still important to exercise caution and take steps to protect yourself. One of the most basic things you can keep in mind is to never give out more personal information than is absolutely necessary. Don’t use your corporate email, never reuse your passwords (and use a password manager, always), and be conscious of how much information a site is asking for to make your purchase.”
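Two of the checks Mark and Tony describe (does the “from” name match the address that actually sent the mail, and does a link go where its visible text says it goes) can be automated for a mailbox or a mail-filtering pipeline rather than left to each user’s eye. The following Python script is an added example written for this page, not code from GuidePoint Security or from the author. The message it inspects is a constructed sample; the domains, the two-label “registrable domain” heuristic, and the function names are assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims to be a
# retailer's support mailbox, the real sender is an unrelated domain, and the
# first link's visible text points somewhere other than its href does.
SAMPLE_EMAIL = """\
From: "support@bigbox.example" <promo@holiday-offers-now.example>
To: employee@corp.example
Subject: Cyber Monday: 70% off for corporate employees
Content-Type: text/html

<html><body>
<p>Your exclusive corporate discount is waiting.</p>
<a href="http://bigbox.example.claim-deal.example/login">https://www.bigbox.example/cyber-monday</a>
<a href="https://www.bigbox.example/help">help center</a>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Naive 'registrable domain': the last two labels of a hostname.
    Assumption for this example; real filters should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def from_header_findings(from_header: str) -> list[str]:
    """Flag a From display name that claims a different domain than the real address.
    Only display names that embed an address or domain can be checked this way;
    a bare brand name ("BigBox Deals") carries nothing to compare against."""
    display, address = parseaddr(from_header)
    actual = registrable_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    claimed = re.search(r"([\w-]+\.)+[a-z]{2,}", display.lower())
    if claimed and registrable_domain(claimed.group(0)) != actual:
        return [f"From display name claims {registrable_domain(claimed.group(0))} "
                f"but address is {actual}"]
    return []


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def link_findings(html_body: str) -> list[str]:
    """Flag anchors whose visible text is a URL on one domain but whose href is on another."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if "://" in text:
            shown = text
        elif re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text):
            shown = "http://" + text
        else:
            continue  # plain words such as "help center": nothing to compare
        shown_host = urlparse(shown).hostname or ""
        href_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"Link text shows {shown_host} but points to {href_host}")
    return findings


def analyze(raw_message: str) -> list[str]:
    """Run both checks over one RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = from_header_findings(str(msg["From"]))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run as a script it prints the two findings for the sample message; a mail gateway would feed it each inbound message instead. The domain heuristic is deliberately naive, and header text alone is not proof of anything: a production filter should pair these checks with SPF, DKIM and DMARC results, and a user who sees a warning still has Tony’s fallback of browsing to the retailer directly rather than clicking through.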
But the best thing you can do to avoid unwittingly giving attackers access to your organization’s assets? Don’t introduce that risk in the first place. “Ideally, just don’t expose corporate resources to the risk at all,” says Bryan Orme, Principal and Partner, GuidePoint Security. “The temptation to use your work computer to hide purchases is strong, but unless you’re being extremely vigilant and taking time to validate every link you click and form you fill out, the risk is higher than necessary.”
Tristan Morris
Cybersecurity Solutions Marketer,
GuidePoint Security
Tristan Morris started his cybersecurity career in 2010 as a cryptologic linguist in the US Marine Corps, where he learned the fundamentals of security and threat hunting. At the end of his enlistment in 2015 he began using his skills, knowledge, and perspective to build training and education labs and CTF events by re-creating advanced attack lifecycles to construct realistic datasets for lab attendees to hone their skills. He has spoken at large security conferences and events from Black Hat to Singapore International Cyber Week.