Don’t discount your Cybersecurity this Black Friday and Cyber Monday

The traditional shopping experience has changed drastically over the last few years due to the Covid-19 Pandemic. Most businesses have been digitizing an increasing number of their processes and are relying on online channels to connect with their customers more than ever before. 

Black Friday used to be just that, a single (Fri)day. Nowadays, for an increasing number of retailers, it has become a week where they present their best deals to customers, and is often seen as the beginning of the festive shopping season.

A recent consumer research report published by PwC revealed that during Black Friday and Cyber Monday, 37% of consumers were interested and may buy (up 2% from 2021), whilst 24% of consumers stated they will definitely buy – matching 2021 levels. Although the cost-of-living crisis will have an impact, demand is still higher than 2020 levels where only 16% of consumers planned to purchase in the Black Friday period.

With most retailers viewing online as a key channel for their Christmas sales ramp-up, we’ve put together a few, easy-to-implement recommendations that will help keep the surge of online shoppers safe from cybercriminals.

1. Enforce Two-Factor Authentication (2FA)

Most software solutions allow you to implement Two-Factor Authentication in their login procedure. They also allow you to implement and enforce it at an administrator level so that all users are protected. This ensures that, in the event that a user’s password is compromised, third parties won’t be able to access a company’s systems and data.

2. Keep your systems up to date

Although a fairly well-known topic, with the pervasive threat of new cyberattacks, it’s vital to keep systems updated. Most systems can either be updated remotely or set so that updates are automatically installed as soon as they become available.

3. Beware of attachments 

Communications with customers and suppliers are at risk of impersonation by third parties, who can include many different types of malware within emails. Make sure you consider if the email is expected and if you know who the sender is. Attachments with unknown extensions should be treated carefully and if in doubt, you should always report it to your IT/Security teams. Anti-phishing solutions like OnINBOX can help empower end users by evaluating inbound emails and giving warnings and additional information about whether they should trust the email or report it.

4. Follow Procedures and implement anti-phishing training

An increased number of emails appearing in customers’ inboxes during the holiday season can make it difficult to spot phishing attempts from cybercriminals who look to take advantage of this surge in transactions. Skipping a critical verification can be the open door that a cybercriminal may be waiting for. Make sure employees know and implement all company procedures.

Training can further help with the practical implementation of your procedures and raise awareness about the risks that attachments can pose. Having a thorough understanding of both company procedures and how to interact with suspicious emails will help lower the risk of cyberattacks. 

5. Monitor your DMARC Reports

DMARC is an email authentication protocol that blocks email impersonation, allowing you to see the volume of illegitimate traffic sent from your domain. It’s recommended that you keep an eye on your DMARC reports on a regular basis. If a cybercriminal is trying to use your domain to send illegitimate emails, DMARC will alert you to this. Additionally, you can see if any of your email-sending services go out of configuration, which will negatively impact your email deliverability.

6. Be careful when processing supplier’s emails

Email authentication protocols like DMARC are well known to a number of companies and are recommended by several organizations such as NCSC. A number of companies have already implemented DMARC to protect their domain and stop email impersonation. However, there are still a vast number of companies that haven’t yet deployed DMARC so every email from your supplier needs to be checked carefully. 

The fact that the email has a “from address” from your supplier doesn’t guarantee that it comes from them.

Anti-phishing solutions can help to spot a number of these emails but be aware that their rules-based approach is subject to change and won’t necessarily capture all possible scenarios. Employees should look out for changes to bank accounts and delivery addresses and if ever in doubt, check with your IT/Security teams about how to follow the company procedures. 

7. Investigate every report from your employees 

In many cases, an email with simply no text or apparently inconspicuous text could be the preamble for a bigger cyberattack. Cybercriminals may be phishing for information in what appears to be an innocent email e.g. trying to get an auto-reply from an employee to find out when they’re on holiday. It’s always better to raise the alarm and be wrong, than not to do anything and put yourselves or the company at risk. 

Technology provides opportunities for businesses to not only improve and automate their operations but also communicate more effectively with their customers. As digital transformation continues to progress, it’s important we keep security top of mind and not an afterthought. If you build a digital “entrance” to your shop, make sure you apply a digital “lock” to keep your company and your customers safe.

Red Sift’s Digital Resilience Platform solves for the greatest vulnerabilities across your complete attack surface, and email is a key part of this. If you’re looking to improve your email security or would like to discuss ways in which we can help improve the cybersecurity of your business, get in touch with our team.

PUBLISHED BY

Red Sift

22 Nov. 2022

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more
Email

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more
Email

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more
Cybersecurity

Your guide to the SubdoMailing campaign

Billy McDiarmid

A significant number of well-known organizations have been attacked as part of what’s being called the SubdoMailing (Subdo) campaign that has been going on since at least 2022, research by Guardio Labs has revealed.   The scale of execution of this attack is staggering, and the impact is hugely damaging, but the goal is simple…

Read more