Holiday shopping cyber risks: Tips to share with clients and SMEs
“The holiday season always provides cybercriminals with ample opportunities to impersonate online vendors’ emails and websites to steal information, infect computers, and commit fraud,” said Matthieu Chan Tsin, director of threat intelligence at Cowbell, a leading provider of cyber insurance for SMEs. “We all are distracted, even stressed, leading to the holiday preparation, but this is a time to double down on cyber vigilance.”
For brokers, this means issuing important reminders to clients to safeguard their personal and financial information amid the rush to score online deals. “Online shoppers should remain vigilant, avoid clicking on links from vendors, including QR codes, check URLs and website addresses for accuracy, and use secured methods of payment,” Tsin added.
Phishing attacks are among the most common tactics used by cybercriminals, mainly because they are simple and take advantage of the fact that shoppers are rushing. Phishing links lead to fake pages that look like a victim’s chosen retailer, prompting the victim to enter their log-in details or other personal information.
“We do tend to see an uptick in successful phishing attacks around holidays and long weekends,” said Jonathan Weekes, senior vice president and cyber practice leader at Hub International, a leading North American insurance brokerage. “People are often keen to seek out great deals and hastily click on links that appear to be for sales or coupons for products they love, not realizing they are downloading malicious software or being taken to a site intended to harvest their credentials.”
Many cyber breaches occur due to human error or negligence, which is why it’s important for shoppers to slow down. “Taking a couple of extra seconds to verify the links embedded in emails can go a long way in preventing an unfortunate situation,” Weekes added.
“Phishing attacks are more sophisticated than ever. Clients must avoid clicking on shipping notification emails from brands or stores they don’t recognize,” said Dianne Delaney, executive director of the Private Risk Management Association, a US non-profit geared towards educating financial advisors who serve high-net-worth individuals.
“We find many of our older [high-net-worth] clients also receive scam calls. We remind them to never give credit card information over the phone,” Delaney noted.
Brokers should remind their clients to use complex passwords and two-factor authentication, keep software updated, and use anti-virus software or a virtual private network to avoid cyberattacks. Frequently monitoring credit or debit card accounts and bank balances will also help holiday shoppers spot fraudulent purchases and notify their providers as soon as possible.
“Do not store credentials or credit card information on your computer,” Weekes advised. “Bad actors can often be in your computer or network for quite some time, exploring and gathering information to steal or leverage against you in a ransomware attack.”
Additionally, not all homeowners’ insurance policies cover cybercrime, so brokers should help their clients ensure they have enough coverage, Delaney said.
Small businesses are vulnerable
Small business owners also need to be vigilant during the holiday shopping season. According to Accenture, 43% of online attacks are aimed at SMEs, but only 14% are prepared to defend themselves.
Though cyberattacks have also hit many major retailers in recent years, SMEs stand to lose more and are likely never to recover from such an incident. For very small businesses (10 employees or fewer), the results could be devastating. The US National Cybersecurity Alliance estimates around 60% of small businesses shut down within six months of suffering a cyberattack.
Verizon’s 2022 data breach investigations report cited ransomware, phishing, and the use of stolen credentials as the most common threats facing very small businesses. But compromises on e-commerce platforms are a significant threat to SMEs during the busy shopping season. Card skimming malware often strikes when businesses don’t update or patch their websites and leads to criminals scraping credit card data from checkout pages. This data can then be sold or distributed on the Dark Web.
To avoid falling victim to cyber threats, SMEs must ensure they install the latest patches and updates of their e-commerce platforms, business software and devices, and invest in cybersecurity training for their employees. Enabling multi-factor authentication where available is also a great practice.
“The use of MFA can help prevent bad actors gaining access to [shoppers’] devices. Some online retailers and service providers make MFA available to their users. Google and Microsoft often have MFA built right into their most used products,” Weekes noted.