As South African shoppers and retailers prepare for Black Friday and the festive season, cyber criminals are casting increasingly wider – and more sophisticated – nets.
Gilchrist Mushwana, director at BDO South Africa and head of cybersecurity service line, discusses phishing and what retailers must do to guard against this threat to ensure that their consumers – and their operations – remain protected.
Considered the original cybercrime from as far back as 1996, many assume that phishing scams are somehow less sophisticated as the world becomes increasingly digitally savvy.
But, “the oldest one in the book” is still one of the most prevalent and according to a recent report, 91% of all cyberattacks start with a phishing email, a new phishing website is launched every 20 seconds and 25% of phishing emails bypass Office365 security.
Frightening stuff at the best of times, but as retailers gear up for the exponential increase of online shopping associated with Black Friday and the festive season, cybercriminals are baiting their hooks with advanced phishing strategies to cash in on the check out.
Phishing has remained the popular choice for cybercriminals for close to two decades because it, quite literally, has no boundaries. It can’t be contained, or confined, in fact it is almost impossible to even define phishing.
The only thing for certain when it comes to phishing is that any time a system is built that enables people to communicate, there’s always an angle that attackers will find to expose, and capitalise on, a vulnerability. From stealing credentials, to downloading malware, installing spyware, forcing fraudulent transactions, phishing is an easy way in for opportunist hackers because it is cheap, easy, and really effective.
To go back to the drawing board, phishing is the act of luring unsuspecting people to provide sensitive information such as usernames, passwords, and credit card data via seemingly trustworthy electronic communications.
In terms of retail, in 2022 the sector experienced an increase of over 400% in phishing attempts — the most out of all tracked industries. Enter eCommerce, and the potential for crippling losses is limitless, not only in revenue but also the loss of consumer confidence and brand reputation.
For retailers looking to capitalise on Black Friday and the ramp up of online shopping through the festive season, one of the most effective ways to catch the attention of excited shoppers is through digital communications channels – emails, SMS and instant messaging, social pages and promotional websites – the waters where phishing scams thrive.
There are three key areas that retailers must urgently act on to protect themselves and their customers from phishing attacks:
Awareness and education
From an enterprise perspective, it is critical that internal staff are educated so that they don’t become the weak link. Cybersecurity training must get carried out from the highest executive to the lowest employee level because just as there are different skill set levels on the business side, cybercriminals also have different levels of sophistication.
Something as simple as password training – a staggering 158 passwords are hacked globally every second – where employees are trained on best practice in terms of the passwords they are using and how to boost their robustness can close the vulnerability loop substantially.
It is also important to train employees about standard data incident reporting procedures so that they know what steps to take if they suspect a breach has occurred. The average time for a business to realise they have had a cyber security incident can be as long as two days. This can be substantially reduced if staff know what to look out for.
Because social media platforms now play a larger role in company marketing strategies, it’s also a good idea to provide employee training in safe social media engagement and the appropriate use of both company-owned and personal mobile devices when conducting business.
Vulnerability management
Vulnerability management is the practice of identifying, prioritising and remediating vulnerabilities across all ecosystems within the business. Many organisations have filters in place, but these are often not enough as increasingly sophisticated attacks can circumvent these filters.
At BDO for instance, we have a software solution that uses artifical intelligence that understands typical staff behaviour and sounds the alert should it detect unusual email activity. Businesses must invest in solutions such as these to ensure a more robust system primed for any potential attack.
Software must be kept up to date as updates generally upgrade security and remove bugs. Hardware must also be kept up to date to support software security upgrades. Wherever possible, multi-factor authentication should be implemented to better protect the business and its assets.
The amount of time from when a vulnerability is exposed to the time of exploitation has dropped from 45 days to 12 days, so this is a key area that requires constant focus.
Process implementation
It may seem logical, but many businesses simply do not follow consistent cybersecurity processes which are key to the implementation of an effective cyber security strategy. These are crucial in defining how an organisation’s activities, roles and documentation are used to mitigate information risks.
Asset management is the process of identifying, on a continuous, real-time basis, the IT assets that the organisation owns and the potential security risks or gaps that affect each one. If the business is always cognisant of what it has and what needs protecting, a comprehensive security strategy that mitigates threats quickly and proactively can be built and tested on a regular basis.
Automation – the implementation of hardware and software to protect the security ecosystem – is also key. This includes network, devices and end-point protection with technologies that look for anomalies and then triggers warnings. The faster a breach can be recognised, the fasted the risk can be mitigated.
Phishing is the top cybercrime for one simple reason – it works. It is not going away any time soon and the more retailers can do to arm themselves against it, the more likely it is that cybercriminals will move on to easier targets.