For ecommerce retailers, Cyber Monday is one of the most wonderful times of the year—or at least it should be. Consumers are primed to make holiday purchases, and ready to spend money. But consumers aren’t the only ones ready to take advantage of the season—cybercriminals see all that increased online activity as an opportunity.
The Link Between Cyber Monday and Cyber Crime
In 2019, SonicWall reported a 63% spike in the amount of cybercrime that occurs from Black Friday to Cyber Monday. Cybercriminals know that more people will be shopping during this period and more of them will be seeking out deals. And because of how busy people tend to be during the holiday season, many of those people will be less discerning than they might be during other times of year. When you’re overwhelmed, it’s easier to let little things slip, like noticing that the email address in that From field isn’t spelled the right way.
On top of that, cybercriminals are well aware that Cyber Monday is an important day for e-commerce stores. A ransomware attack timed precisely for when it hurts most makes a business that much more desperate to get things up and working again ASAP—which usually means a willingness to pay more money faster.
All of that adds up to trouble for businesses and consumers alike.
How Businesses Can Stay (and Keep Consumers) Safer
You can’t keep scammers from doing their thing. But you can try to make sure your business and customers aren’t easy targets.
1. Review the protections you have in place.
Prevention is always better than reaction. Before Cyber Monday rolls around, spend some time revisiting the protections you have in place to ensure they’re as strong as possible. As part of the process, review your third-party risk management (TPRM) plan.
When was the last time you evaluated the level of risk of all the third parties you work with? You can work to secure your own website from hackers, but often cyber criminals find a way in through third parties, like the open source software so many ecommerce websites use. The average ecommerce site uses 40 to 60 third-party tools—that’s a lot of potential vulnerabilities.
Don’t take for granted that your vendors are doing everything possible to keep their products secure. Check with them directly, and institute requirements for the companies you work with that keep your online store from becoming dependent on any business that makes you vulnerable.
2. Make sure employees are trained to recognize phishing emails.
Humans are sometimes the weak link in a company’s security measures. That’s true all year round, but can become a particular issue around the holidays. “At this time of year our inboxes are filling up with promotional emails with promises of incredible deals,” says Nasser Fattah, Senior Advisor of Shared Assessments. “It is difficult to distinguish real bargains from scams.”
If an employee falls prey to a phishing scam—especially if they do so on the same device they use for work—it can put your whole organization at risk. Give your employees a reminder of some main best practices for recognizing scam emails. Urge them to always:
- Check who an email is from and, in particular, verify that the domain name it comes from matches the organization’s actual website.
- Avoid clicking links in any email that’s not from someone in their contacts, and instead go directly to the website to confirm any offer the email provides.
- Never open attachments coming from sources they don’t know.
- Be skeptical of any offers that sound too good to be true.
These few simple rules can help prevent a lot of human error and make your organization safer.
3. Require strong passwords—both for your website, and any products employees use.
When left to their own devices, people prioritize convenience over security. The most common passwords are still those that are easiest to guess: 123456, 123456789, qwerty, password. You can help your customers help themselves by requiring a strong password when they create an account on your website, reducing the chances of their data being accessed by criminals.
And to reduce third-party risk within your own institution, require at least the same level of strength for employee passwords for any products they regularly log into. When employees use obvious passwords, someone can easily guess the login information of an individual at your organization and gain access to their accounts—and your organization’s data by extension. For the products used internally that hold the most sensitive information, consider also setting up two-factor authentication to add an extra level of security.
4. Communicate with customers.
The last thing you want is to be held responsible for the actions of scammers claiming to be you. If you get wind of scammers emulating your brand, proactively let customers know what to avoid.
“Many email scams look very legitimate from well-known shopping websites with exciting offers and delivery companies informing you that a package is on its way,” says Fattah. So give people a head’s up on how to recognize when an email is actually from you. And if you work with a third-party that sends consumers shipping updates, let customers know how to recognize those emails as well, so they’re less likely to confuse a scam email with a legitimate one.
5. Have a response plan ready.
Even if you do everything right in preparation, cyber criminals are savvy and constantly finding new, creative ways to wreak havoc. Don’t assume your prevention will be good enough, also make sure you have a clear plan in place for what you’ll do if something does happen on Cyber Monday.
Set up a cyberattack simulation to test out your plan, so you can find any weaknesses within it in advance. Practice will also ensure that everyone has next steps fresh in their minds if they need to take them, which is helpful under pressure.
Stay Safe this Cyber Monday
Don’t let criminals thwart one of the most important days of the year for your business. Expect them to try—never get complacent. But do everything in your power to guarantee that you and your customers are a target so difficult that it’s not even worth trying.
