
Deals or Data Breaches? Stop Black Friday Becoming Hack Friday

The Black Friday period has become one of the biggest promotional periods of the year, with brands expanding from a single day of sales to offers that last a week or more. Keen-eyed consumers can grab huge discounts on everything from TVs to toys. However, the intense discounting period offers a significant opportunity for scammers looking to swindle shoppers out of their hard-earned cash. Already, headlines warn that consumers should consider whether some deals really are too good to be true. The Guardian even dubbed the day ‘Black Fraud Day’, with Action Fraud data showing that the discount period is a prime time for scammers.

For organisations, Black Friday also poses an increased risk of cyberattack. In November 2023, over 32,000 fraud and cybercrime reports were made to Action Fraud. Over 3,500 of those reports were made by businesses, who reported financial losses of £30.4 million.

How can businesses stay secure during a period of heightened risk of cyberattacks?  

What Are the Key Cybersecurity Risks?  

Phishing

Phishing is one of the most common forms of cyberattack year-round, but events such as Black Friday offer an even broader opportunity for cybercriminals, particularly given the increase in urgent, time-sensitive bargains offered by legitimate businesses.

Fraudsters will take advantage of the increased volume of transactions and deals by phishing customers, often by sending sophisticated promotional emails that are barely distinguishable from legitimate ones. In doing so, they can capture customer data, payment information and more.

Consumers aren’t the only ones at risk. During their bargain hunting, your staff may use company or even their own devices with access to company accounts, increasing the risk to your business should they accidentally engage with phishing emails.  

Weak Passwords   

According to NordPass, 123456 is still the most common password people use across their personal and corporate accounts. NordPass’s latest Top 200 Most Common Password research found the password was used over three million times, and the company says it would take a hacker less than a second to crack.   

Black Friday offers the perfect opportunity for threat actors to try large-scale brute-force attacks. In a brute-force attack, cybercriminals attempt millions of potential password combinations until they get the correct result, and the weaker the password, the faster it can be cracked.   

Because weak password hygiene – aka people reusing passwords or variations of their passwords across multiple accounts – is so common, it’s easy for a cybercriminal to access multiple accounts once they’ve cracked a single password. This includes email profiles, corporate networks and business systems, which in turn increases an organisation’s risk profile.  

Supply Chain Vulnerabilities  

Our State of Information Security Report 2024 found that managing vendor and third-party risk is organisations’ biggest information security challenge. 79% of respondents said they’ve been impacted by a cybersecurity or information security incident caused by a third-party vendor or supply chain partner in the last 12 months. In fact, 45% have been impacted by multiple incidents.  

As supply chains become increasingly reliant on IT systems, the opportunity grows for threat actors to target weak links – and your organisation’s supply chain is only as strong as its weakest link. Each entity in your supply chain could inadvertently become a gateway to your own digital infrastructure. 

Social Engineering

Social engineering is another attack vector for businesses to be mindful of. For example, e-commerce businesses will likely see customer service queries increase dramatically during Black Friday, which cybercriminals may attempt to exploit.

Typically, this attack method aims to acquire customer details or commit refund fraud, but ambitious fraudsters will also use it to avoid blocks.  

Social media scams are also prevalent, with offers and adverts targeting users with fake products and services entirely focused on compromising debit card details or committing online fraud.  

AI-Powered Scams

Artificial intelligence (AI) offers new attack methods for threat actors, and the technology is becoming increasingly popular with fraudsters – our report found that 30% of businesses have been impacted by a deepfake incident in the last 12 months.  

The technology can be used to create fraudulent websites that look exactly like the legitimate websites they mimic, and it can even produce audio or video deepfakes to carry out business email compromise (BEC)-style attacks. It can also be used for information or credential theft, reputational damage, or even to bypass facial and voice recognition authentication.

Many B2B businesses offer prospective customers Black Friday deals or discounts, which opens another potential avenue of attack for threat actors. AI technology is evolving, and whether it’s used to create fraudulent emails or to trick employees into making corporate fund transfers, it’s clear that AI-driven scams pose a real threat to businesses during Black Friday and beyond.  

Protect Your Business Against Black Friday Cybersecurity Risks  

Employee Cybersecurity Awareness and Education

A good cybersecurity training and awareness programme enables your employees to identify and report potential cyber-attacks. Your training and awareness programme should also outline processes that must be followed, for example, the process staff should follow to report suspected phishing attempts. By empowering your staff, you can further secure your business.  

Good Password Hygiene

All your employees should use complex passwords that:  

  • Are not related to personal information  
  • Are not used on any other site, including non-work sites  
  • Are kept confidential  
  • Do not contain your company name or product name.  

You may also set a minimum character requirement – best practice suggests at least 12 characters. Employees should also use multi-factor authentication (MFA) and regularly change passwords. Your organisation should set up a password policy with these requirements and ensure everyone follows it.  
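As an added illustration (not code from the original post), the checker below enforces the password rules listed above: minimum length, no known-common passwords, no company or product name (even when disguised with digit-for-letter substitutions), and no personal details. The company names, blocklist entries and personal terms are constructed placeholders; the "not reused on another site" rule cannot be verified locally, so the blocklist stands in for it.

```python
import re

# Constructed demo values (assumptions, not real policy data): the organisation's
# own names and a tiny stand-in for a blocklist of known-common passwords.
COMPANY_TERMS = ["Acme", "WidgetPro"]
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "111111"}
MIN_LENGTH = 12  # the "at least 12 characters" best-practice figure from the text

# Undo the substitutions people use to slip a banned word past a naive check
# ("W1dget-Pr0!" should still count as containing "WidgetPro").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalise(text: str) -> str:
    """Lower-case, reverse simple leet substitutions and drop separators."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def _contains_term(password: str, terms) -> bool:
    """True if any term of 3+ characters appears in the normalised password."""
    norm_pw = _normalise(password)
    return any(_normalise(t) in norm_pw for t in terms if len(_normalise(t)) >= 3)


def check_password(password: str, personal_terms=()) -> list[str]:
    """Return the policy rules the password breaks (empty list means accepted).

    personal_terms holds the user's own data (name, birth year, ...) that the
    'not related to personal information' rule is checked against. Reuse on
    other sites cannot be checked here; the common-password blocklist is the
    closest proxy, since leaked and reused passwords end up on such lists.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears on the common-password blocklist")
    if _contains_term(password, COMPANY_TERMS):
        violations.append("contains the company or product name")
    if _contains_term(password, personal_terms):
        violations.append("contains personal information")
    return violations


if __name__ == "__main__":
    print(check_password("123456"))                  # NordPass's most common password
    print(check_password("W1dget-Pr0!2024"))         # disguised product name
    print(check_password("Correct-Horse-Battery-Staple"))
```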

Robust Technology and Information Security Management

Establishing and implementing strong cybersecurity practices enables your business to reduce risk and promote robust security and information management.  

Organisations should consider the following:  

Access Management—Effective management of users’ rights and privileges and the use of controls such as MFA on staff accounts can be critical defences against stolen credentials and unauthorised access. For example, least privilege access ensures users can only access the resources needed to do their role, limiting the impact on your organisation should an account be compromised.  

Data Protection—Appropriate processes and technical controls are essential to identify, classify, and securely handle organisational data in all its forms. Tools such as information management systems or frameworks can help organisations prevent cyber criminals from accessing corporate data through email, misconfigurations, and poor security behaviours.  

Secure Configuration—Focus on secure engineering solutions from the outset instead of adding them later or once an incident has occurred. This approach substantially reduces weak entry points into business networks for cybercriminals to exploit.  

Patching and Software Updates—Attackers often exploit vulnerabilities in outdated software. Ensure regular installation of updates and patches for the software in your organisation and on your employee devices. Consider your bring your own device (BYOD) policies and controls to ensure the most robust level of security.

By implementing effective and proportional controls to manage organisational data and information, you can ensure your business is one step ahead of the increased cyber risks this Black Friday. Additionally, demonstrating solid information management and risk management credentials will increase customer trust and bolster your reputation and business success.  

Strengthen Your Information Management and Risk Posture Today   

If you’re looking to start your journey to better information security and cybersecurity, we can help.  

Our ISMS solution enables a simple, secure and sustainable approach to information management with ISO 27001, NIST, NIS 2 and other frameworks. Unlock your competitive advantage today – book your demo.  
