Make no mistake, cyber criminals across the globe are gearing up for a bumper Christmas, and UK retailers are firmly in their sights. Just as retailers generate up to half of their annual revenues over the festive period, hackers also make most of their ill-gotten gains from retailers and their customers during Christmas as well.
Web monitoring firm ThreatMetrix estimates that cyberattacks accounted for over 10% of all network traffic last Christmas with a disproportionately high level of this activity originating from Russia.
Last year online Christmas sales increased a massive 51% year-on-year in the final week before December 25. During that period there was also a sharp peak in cyber fraud targeting retailers, with refund scams, fake vouchers and coupons and carding cons growing six-fold in the month leading up to last Christmas.
I don’t think anyone believes cybercriminals hibernate during the summer. Quite the opposite, you can guarantee they have been busily honing their skills and eagerly preparing for this year’s peak trading. This activity includes creating aliases and test accounts which they will use under the cover of high transaction volumes and larger basket sizes, hoping their behaviour is less likely to be flagged as high risk.
With a third of US consumers estimated to have had their personal data stolen last year, criminals are too easily able to use these stolen credentials to open fake accounts, hijack existing accounts, make illegal purchases or fraudulently obtain credit.
Retailers face this huge security problem on one hand while on the other they face the growing demand for fast, frictionless online shopping. Just consider the Harvard Business Review’s claim that 50% of all consumers will bail on a transaction after just 10 seconds of added friction.
Here are the three identity-based cyber threats I predict will be causing retailers a big headache this Christmas:
Consumer accounts will be hijacked en masse
Account takeovers (ATOs) are expected to rank among the top fraud threats this year, after spiking 31% in 2017. The difference this year is that criminals are expected to automatically hijack consumers’ accounts en masse, using a technique called credential-stuffing bot attacks.
Last year, over the five peak shopping days around Black Friday and Cyber Monday, ThreatMetrix data showed a huge spike in such bot attacks. An eye-watering two million attacks were launched from Russia alone over these days, primarily targeting US retailers. UK retailers can expect an even more intense digital onslaught this season.
There’s nothing new about payment fraud, but this year it’s expected to be particularly bad thanks to a significant spike in the amount of consumer data that has been stolen. To be successful, the criminal simply needs the victim’s credit card number. ThreatMetrix predicts that merchants selling digital goods will once again be the hardest hit. But the largest increases in attacks are likely to be seen by retailers selling electronics and jewellery. The risks are more than direct loss of merchandise. Undermined confidence in the payments system means that jittery merchants are likely to block perfectly legitimate transactions for fear that they’re fraudulent. ThreatMetrix predicts this could add up to $118 billion in preventable losses.
Click-and-collect continues to be a huge hit with both consumers and retailers, but as its popularity has risen in recent years, so have the opportunities for scammers. The result is a 250% rise in this type of fraud reported. Click-and-collect scammers buy goods online with stolen credit card details and then get an accomplice to pick up in store. Click-and-collect scams are popular because criminals don’t need to give an incriminating delivery address and retailers find the scam difficult to combat because they often have separate, siloed systems for internal and online purchases. This makes it difficult for retailers to verify customer identities and pinpoint fraudulent orders.
Read our Security Guide to help in the battle against cybercrime