During the end-of-year holiday season, with its major sales and digital events, we’ll start to see a higher frequency of security threats. It’s the time of year when the most money changes hands, whether in the digital or physical realm.
According to the "Entering through the Gift Shop: Attacks on Commerce" report, retail remains the most targeted sub-vertical within commerce globally, accounting for 62% of attacks on the sector. Meanwhile, the latest Singapore Cyber Landscape report by the Cyber Security Agency of Singapore (CSA) revealed that the number of ransomware cases remained high at 132 in 2022, primarily affecting SMEs in manufacturing and retail. To help local retail firms strengthen their defences against cyberattacks, a refreshed retail industry digital plan will provide about 23,000 retail enterprises with measures to identify appropriate tools and practices, and to safeguard their customers’ data.
Payment and financial information are heavily used across many different platforms and application programming interfaces (APIs) to facilitate transactions. According to CSA, 99% of Singapore’s government services transactions are conducted digitally, facilitated by Singpass, which enables over 5 million Singapore residents to transact with more than 2,700 services. This sudden spike in data that's moving from place to place, across the internet and the wire, makes it a very rich target for cybercriminals to profit from.
With consumers looking to make more online purchases, tempted by mega sales days like 11.11 and 12.12, holiday campaigns and special deals before Singapore increases the Goods and Services Tax in 2024, here are some of the key threats that businesses and individuals need to be aware of:
- Web application and API attacks: e-commerce and payment platforms face a significant risk from hackers trying to exploit vulnerabilities in the software that powers these platforms, especially during major sales campaigns.
- DDoS attacks: as customers rush to make purchases, there's a heightened risk of distributed denial-of-service (DDoS) attacks. If a DDoS attack makes your website inaccessible, there’s a direct revenue impact at the exact time when sales should be highest.
- Malicious bots: these bots are designed to carry out large-scale attacks, such as taking over consumer accounts during peak shopping times, leading to fraudulent activities.
- Web skimming attacks: attacks like Magecart have become more prevalent during the holiday seasons. These are akin to ATM skimming but are executed digitally, stealing sensitive credit card and payment information. This captured data is then used to commit financial fraud.
It’s not just retailers who are at risk
Making a digital purchase is not just about logging in and paying. Behind e-commerce platforms are multiple different processes involving many different parties. Cybercriminals don’t need to attack the end merchant but can go after other parts of the supply chain.
- Product suppliers: as orders increase, suppliers become part of a larger supply chain, making them vulnerable. Orders are sent and payments are processed, all of which are potential points for cyber-attacks.
- Financial service providers: FinTechs, payment processors, e-wallet providers and banks are all involved in transaction processes. Whenever financial data is transferred from one point to another, it’s susceptible to data breaches and exposure.
- Logistics providers: they possess customer data essential for delivery, such as names, addresses and phone numbers, making them attractive targets for cybercriminals aiming to harvest data for further attacks like phishing.
Businesses must be prepared for a cyber-crime spike
Businesses should anticipate a surge in attacks during the festive season. It's vital to evaluate whether they have adequate protection against these threats. Do they have the right tools that can scale to defend against a large volume of attacks?
The four risks outlined above are all specialised attacks which general security tools, such as antivirus and firewalls, won’t protect against.
Retailers need to continuously assess and reassess their security posture, and what specialised tools they have to protect themselves and their customers from malicious bots, web skimming attacks or data scraping. It’s important to be aware of risk exposure and what exact services are being provided. Is it just a website or is there also an app or APIs?
With the increasing sophistication of phishing attempts, businesses and retailers also need to enhance consumer awareness campaigns and provide mechanisms for customers to verify the authenticity of communications and transactions.
Consumers need to understand that if they see a deal on email or social media that’s too good to be true, it very often is. The problem is that attackers capitalise on end-of-year sales when many retailers are offering discounts and sending many more marketing emails and SMS messages.
Cybercriminals can easily impersonate these brands, with generative AI making phishing and social engineering attempts appear more authentic. How can consumers be certain which interactions are legitimate? Although currently rare, deepfake videos will likely be used increasingly to influence consumers to download malware or make fraudulent transactions. These emergent threats are at the nascent stage, but we need to build defences and raise awareness