
The ‘perfect storm’ gathers for the online festive season

By Staff Writer, ITWeb
Johannesburg, 26 Nov 2020
Duane Nicol, Mimecast.

Businesses trying to claw back lost revenues during the festive season, combined with distracted and fatigued online shoppers and increasingly sophisticated cyber criminals, are set to create a perfect storm of cyber crime this Black Friday and through the festive shopping season.

This is the warning from Mimecast cyber security specialists Duane Nicol and Mikey Molfessis, who were speaking during a Mimecast webinar on brand impersonation this week.

The cyber security experts warned that brands were being cloned to trick consumers into parting with their personal information or credit card details. “Cyber crime has exploded and it’s evolving faster than we have seen in years,” said Nicol. “Leading international brands like Apple, Netflix and WhatsApp are among the most used in phishing attacks, but criminals are also starting to localise their attacks, so every company is a target.”

He added that in the first three months of the pandemic, Mimecast picked up 115 000 COVID-19-related registered spoof domains. In another example, in the space of just two days, Mimecast found over 500 domains impersonating Netflix. And in a bid to take advantage of the good nature of humans, domains faking charities were proliferating, luring people to donate money and hand over their banking details.

Mimecast research has found that around 88% of businesses have experienced spoofing or domain hijacking. 

“This is hugely damaging because customers tend to blame the legitimate brands when they are tricked into losing money. And, generally, if you lose a customer’s trust, you’ve lost them for years. An angry customer can also spark a Twitter storm that destroys trust in the brand across a broad market.”

To combat these attacks and protect both customers and legitimate brands, Mimecast advises organisations to use DMARC and Mimecast Brand Exploit Protect, so that they are notified of e-mails being sent out in their name and can proactively take down cloned sites.

“The aim should be to find out early, while the attack is still in preparation stage, and to tackle phishing at the source rather than reacting to the symptom,” said Molfessis. “By scanning for domains as they are registered, you can take them down in a matter of minutes or hours. The longer these attacks are live, the worse it is for consumers and, ultimately, the trust in your brand.”

They warned that fatigued users, who have a false sense of security because they are using work devices, are a significant cyber security risk.

Said Nicol: “That’s because cyber security awareness training is often ineffective. Big challenges include the fact that users don’t engage and don’t pay attention, they don’t learn the right things to do, and many have a dismissive attitude towards security. In fact, new research on the use of company-issued devices found that although 94% of South Africans said they were aware that links could potentially infect their device, half of them said they still open e-mails that look suspicious.”

He said training and awareness programmes had to be made user-centric and engaging, with real-world testing, risk scoring and custom remediation to reduce the risk of users clicking on dangerous links.

To protect consumers, Molfessis said: “I tell everyone – if it seems too good to be true, it probably is. Everybody is a target – don’t click on the link inside a marketing e-mail, rather go to the Web site. And to organisations, I’d advise – train often and train right. Don’t focus on only one area of security such as protecting your organisation at the perimeter; focus on user awareness and brand protection too.”
