Scammers lurk among Black Friday mega-discounts


As Black Friday marks the beginning of the festive shopping season, security experts warn the retail industry’s peak sales period will see online scams and malicious cyber campaigns showing unusually heavy spikes.

Black Friday, which takes place this week, on 29 November, is already seeing retailers across the globe offering early deals and jostling to have their products and services at the forefront of this consumer frenzy.

A PwC report says 43% of South African shoppers will choose to avoid long queues this Black Friday and opt for online shopping.

Security firms warn the expected biggest shopping day of the year is also a potential gold mine for cyber criminals.

Last year, global Black Friday sales were estimated to be around $23 billion, with online sales alone totalling $6.2 billion, up 23.6% from 2017. This year, online sales are forecast to hit $7.5 billion.

A Barclays UK bank survey found Black Friday fraud victims lose around £660, on average, through scams designed to lure shoppers away from legitimate sites and towards fake shopping apps, or cloned Web sites supposedly offering far deeper discounts.

Other scams include offering shoppers digital shopping cards, or enticing them to participate in pyramid schemes such as 'secret sister' gift exchanges.

Security firm Kaspersky warns this year’s Black Friday sales period will see more cyber criminals using botnets to distribute banking Trojans aimed at stealing users’ financial data, predominantly targeting customers of apparel e-commerce Web sites specialising in fashion, shoes, gifts, toys and jewellery.

Oleg Kupreev, security researcher at Kaspersky, says consumers looking for deals in these areas during the upcoming weeks are advised to be careful when making online purchases.

“The growing interest of cyber criminals in getting users’ credentials of e-commerce brands is easy to understand. In some cases, there are credit card details or loyalty programme card details linked with these accounts and getting access to an e-shop account of a user would also mean access to their money.

“Even if there is no direct financial gain, personal user accounts contain a lot of valuable information, which is highly valued on the underground market and will inevitably find a buyer,” notes Kupreev.

Kaspersky found 15 malware families targeting a total of 91 consumer e-commerce sites and mobile apps across the world, an increase from last year’s 67 sites.

The most ‘hunted’ brands were in consumer apparel, entertainment and consumer electronics, with 28 Web sites from these categories targeted by the malware families mentioned above.

More spending, more risk

On Black Friday 2018, SA saw retail sales increase by 1 952% compared to an ordinary shopping day, according to PwC. The global average was a rise of 663%.

The research firm says in 2019, local consumers plan to spend 36% more than the previous year, with an average spend of around R3 812 per person.

David Warburton, principal threat evangelist at F5 Networks, believes that as more Web applications connect to critical components such as shopping carts, card payments, advertising and analytics, formjacking, the injection of malicious JavaScript into a Web site to skim payment and login details as customers type them into forms, will be one of this year’s most notable threats.

“The hyper-active online activity, combined with potentially compromised purchasing, promotion and sales behaviours, are like red rags to a bull for enterprising cyber criminals.

“Formjacking now is one of the most common Web attack tactics in play. It was responsible for 71% of F5 Labs-analysed, Web-related data breaches in 2018. From denial-of-service attacks shutting down retailers in their revenue-generating prime, to ransomware campaigns extorting your hard-earned spending money, there’s a world of banana skins out there.”

Since many Web sites make use of the same third-party resources, attackers know they just need to compromise a single component to skim data from a huge pool of potential victims, Warburton points out.

While phishing is no longer as seasonally specific or predictable, it remains an attacker’s perennial favourite, as they don’t have to worry about getting through a firewall, finding a zero-day exploit or breaking encryption: it is far easier to trick someone into handing over their credentials.

Fortinet researchers studying phishing domains found SA was among the top 20 countries targeted in a large influx of phishing attacks. Around 59% of all successful ransomware infections are also delivered via phishing.

Doros Hadjizenonos, regional sales director at Fortinet, notes: “Big events like Black Friday are a perfect opportunity for cyber criminals to flood inboxes with ‘special offers’ that don’t exist, leading shoppers to fake Web sites where they part with their banking details to fraudsters.

“Shoppers who fall for these phishing attacks will not only not receive the goods they ordered – they could also become victims of identity theft and have their bank accounts cleaned out by criminals.”

Shoppers are particularly vulnerable to phishing attacks when they’re sifting through masses of special offer e-mails, or sitting up at midnight hoping to grab the best bargains, adds Hadjizenonos.

The latest Annual Crime Statistics, released by the South African Banking Risk Information Centre in June, show a 75.3% rise in mobile banking (USSD), online banking and banking apps crimes combined.

How to avoid being fleeced

While the challenge for retailers will be to protect operations and customers, the good news is that through simple precautionary measures and remaining vigilant, shoppers can stay safe, asserts Warburton.

Recommended security must-haves for retailers include: anti-fraud toolkits, verification tools, creating an inventory of Web applications, vulnerability scanning, implementing Web filtering solutions and inspecting encrypted traffic for malware.

Meanwhile, shoppers must not click through to Web sites from e-mails. Before clicking on a link, hover the mouse over it to check the URL. If the address swaps numbers in for letters of a retailer’s name, don’t click on it.

Be sceptical. Unusually low prices and high availability of hard to find items are red flags for scam sites.

Phishing attacks can be carried out through rogue mobile apps, which can also be used to mine for data or to install ransomware. Be wary of unexpected invitations to install new apps on your mobile device.
