‘TIS THE SEASON CHRISTMAS RISKS FOR RETAILERS

AFRG will deep dive into key dates for threat actors targeting the retail and fashion industry in 2024.

Key Dates

Singles Day – November 11

Thanksgiving Sales – November 23

Black Friday (White Friday in some parts of the Middle East) – November 29

Small Business Saturday – November 30

Cyber Monday – December 02

Global Participation

Black Friday originated in the US in the 1980s as a post-Thanksgiving sales event and has over the years expanded into a global enterprise of sales, discounts and promotions thrust at consumers within a few days in the lead-up to Christmas. Another major holiday event is the 24-hour shopping extravaganza ‘Singles Day’, created in China as an anti-Valentine’s celebration, which has since found favour in Middle Eastern countries such as the United Arab Emirates and parts of Europe such as Spain.

Across wider Europe, countries such as the UK, France and Germany all started to adopt Black Friday in the last three to four years, alongside Central and South American countries, China and Southeast Asia, and parts of Africa. In the Middle East, the day is marked as ‘White Friday’, a symbol of positive emotions, images and goodness.

Ransomware Groups

In general, some of the biggest threats facing retail stem from ransomware attacks all year round. During the holiday season, ransomware groups are more likely to target the retail industry; those groups include:

  • RansomHub

  • BlackBasta

  • Royal

  • Akira

  • BlackCat (AKA ALPHV)

  • Cl0p

  • LockBit

  • Play

Consumer Expectations & Cyber Crime Activities

Retailers can expect to see a rise in consumers wanting to shop seasonal sales earlier this year, with the post-purchase customer experience playing a crucial role: “hassle-free returns and real-time tracking” are key drivers.

Retailers are advised to keep their websites updated, making sure their technology can handle the influx of visitors, and to keep inventory lists updated and stock well managed.

Rise in Fraud

Seasonal days such as Black Friday bring an influx of fraud: as traffic increases, so do the risks, meaning robust security during the checkout process needs to be implemented for customers.

Scammers are likely to seek out opportunities to use tactics such as social engineering (phishing) via email and SMS, website impersonation (registering a string of look-alike domains that mimic legitimate retailers to advertise fake deals), and injecting card-skimming malware (Magecart) into the checkout process by exploiting web server software vulnerabilities or creating fake checkout forms to extract customers’ financial data.
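One defensive check against the Magecart-style checkout injection described above, added here as an example and not part of the AFRG briefing: audit the script tags on a checkout page against an allowlist of expected origins, require Subresource Integrity on script files, and flag inline scripts (which a strict Content-Security-Policy would block). The origins, the sample page and the `sha384-PLACEHOLDER` digest are constructed placeholders.

```python
# Added example, not from the AFRG briefing: inventory the <script> tags on a
# checkout page so that an injected skimmer stands out. Script files must come
# from an allowlisted origin and carry Subresource Integrity; inline scripts are
# flagged because a strict Content-Security-Policy forbids them.
# Origins, the sample page and the integrity digest are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"shop.example", "js.payments.example"}   # assumed first-party + PSP


class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            self.findings.append("inline script on checkout page")
            return
        host = urlparse(src).hostname           # None for relative (first-party) paths
        if host and host not in ALLOWED_ORIGINS:
            self.findings.append(f"script from non-allowlisted origin: {src}")
        elif not a.get("integrity"):
            self.findings.append(f"script without SRI: {src}")


def audit_checkout_html(html):
    """Return the list of findings for one page; an empty list means clean."""
    p = ScriptAudit()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample checkout page: one compliant script, one missing SRI,
# one from an unexpected host and one inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://shop.example/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payments.example/pay.js"></script>
<script src="https://cdn.unknown-host.example/x.js"></script>
<script>window.t = 1;</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_PAGE):
        print(finding)
```

Running the audit against a known-good snapshot of the live checkout page on a schedule turns an unexpected third script or a dropped integrity attribute into an alert.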

Citizens Advice claims in new research that one in five (18%) people across the UK have fallen victim to financial scams in the last 12 months. Enhanced technology such as artificial intelligence (AI), QR code scams and social media have increased fraudulent behaviours. 70% of British consumers are concerned that AI will increase online fraud, while shopping fraud on social media accounts for 51% of fraud cases.

Organised criminals are also getting involved in return-fraud-as-a-service schemes designed to target retailers through technology, advertising and promoting them through social media ads and platforms such as Telegram, Discord, Facebook, TikTok and Instagram, while communicating with other organised criminals to discuss fraud strategies.

Organised criminals are marketing these services on Reddit, TikTok and Telegram using the terms “refund method” or “r3fund” to skirt content moderators. In December 2023, Amazon filed a lawsuit against several people globally with alleged ties to a wide-scale refund fraud operation that stole millions.

In 2024, retailers are tightening return policies, offering store credit instead of cash refunds, and implementing return fees for customers who are victims of fraud. The UK’s Payment Systems Regulator (PSR) also recently introduced new rules on Authorised Push Payment (APP) fraud to reduce the increasing threat from fraud. Under the new PSR rules, people making payments from UK accounts benefit from further protections, including reimbursement within five business days of making a claim and coverage of up to GBP£85K, applying from 7 October 2024.

Payment fraud is set to increase across point-of-sale terminals, ATMs, and online and mobile channels during peak season sales across the retail industry.

The latest figures from the Crime Survey for England and Wales (CSEW) show an estimated 20% increase in consumer and retail fraud, alongside an estimated 9.2 million incidents of headline crime (including theft, robbery, criminal damage, fraud, computer misuse and other abusive activities) in the year ending June 2024.

58% of attacks originate from phishing

47% of stolen user sessions leverage Amazon domains

92% of credential access techniques were brute-force attempts


The financial and reputational impacts of fraud, through account takeover for example, can be severe for both retailer and customers, because threat actors use legitimate accounts and details to make large fraudulent purchases. After the victim identifies the unauthorised activity and issues a chargeback with their card issuer, the retailer has to decide whether to refund in order not to lose the customer, or to dispute the claim; if chargebacks against a retailer become too frequent, it can be placed in a ‘high alert’ category.



In the first half of 2024, over GBP£570M was stolen in payment fraud, while total cases of fraud rose by 16 percent compared to 2023.

Online fraud is hitting younger users harder, with nearly 70% of 16-24-year-olds encountering fraud at least once a year, compared to 38% for those aged 45-54.

New research by cyber security professionals also shows an influx of AI-driven cyber attacks, rising to half a million in the last six months. The AI tools being leveraged include ChatGPT, Claude, and Gemini, alongside specialised bots that are designed to scrape websites for LLM training data. AI tools can be used by retailers, employees and customers for digital transactions, limited-time promotions, and the gift cards and loyalty points stored in accounts.

Grinch bots and DDoS attacks cause major disruptions during the holiday shopping season, affecting both retailers and consumers alike. Now, with the widespread availability of generative AI tools and LLMs, retailers are contending with a new wave of sophisticated cyber threats.

Business logic abuse is the most common AI-driven attack, accounting for 30.7% of all incidents. It involves exploiting the legitimate functionality of an application or API to carry out malicious actions, such as manipulating prices, bypassing authentication or abusing discount codes. Cyber criminals are now leveraging AI to coordinate large botnets more efficiently, enhancing the effectiveness of these attacks. Attacks from bad bots account for 20.8% of AI-driven threats.
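An added example (not code from the AFRG briefing) of the server-side control that blunts the business logic abuse described above: the checkout recomputes every price from the catalogue, bounds quantities, and enforces per-account discount-code limits instead of trusting client-supplied totals. The catalogue, discount codes, account id and carts are constructed sample data.

```python
# Added example, not from the AFRG briefing: server-side checkout validation
# against price manipulation and discount-code abuse. Catalogue, discount codes
# and carts below are constructed sample data.
from dataclasses import dataclass, field

CATALOGUE = {"SKU-100": 4999, "SKU-200": 1500}      # unit price in pence
DISCOUNTS = {"XMAS10": {"pct": 10, "max_uses": 1}}    # per-account use limit
MAX_QTY_PER_LINE = 5


@dataclass
class CheckoutResult:
    total_pence: int
    rejected: list = field(default_factory=list)   # reasons to block the order


def validate_checkout(cart, client_total, code=None, account="acct-1",
                      uses_by_account=None):
    """Recompute the order on the server; the client-supplied total and any
    client-supplied unit prices are ignored and only used to detect tampering."""
    uses_by_account = uses_by_account or {}
    res = CheckoutResult(total_pence=0)
    for line in cart:
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOGUE:
            res.rejected.append(f"unknown sku {sku!r}")
            continue
        # bool is an int subclass; reject it and any non-positive/oversized count
        if type(qty) is not int or qty < 1 or qty > MAX_QTY_PER_LINE:
            res.rejected.append(f"bad quantity {qty!r} for {sku}")
            continue
        res.total_pence += CATALOGUE[sku] * qty      # never line["price"]
    if code is not None:
        rule = DISCOUNTS.get(code)
        used = uses_by_account.get((account, code), 0)
        if rule is None:
            res.rejected.append(f"unknown discount code {code!r}")
        elif used >= rule["max_uses"]:
            res.rejected.append(f"discount code {code!r} already used by {account}")
        else:
            res.total_pence -= res.total_pence * rule["pct"] // 100
    if client_total != res.total_pence:
        res.rejected.append(
            f"client total {client_total} != server total {res.total_pence}")
    return res
```

A non-empty `rejected` list is both the reason to refuse the order and a signal worth logging, since a burst of total mismatches or code-reuse attempts from one account is how automated abuse shows up.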

Types of Fraud

Refund Fraud occurs when a threat actor claims an item arrived damaged in the hope of keeping the item for free.

Organised return fraud as a service is increasing in 2024, with organised criminals targeting retailers through technology, advertising and promoting their services through social media ads and platforms such as Telegram, Discord, Facebook, TikTok and Instagram, and communicating with other organised criminals to discuss fraud strategies. They market these services on Reddit, TikTok and Telegram using the terms “refund method” or “r3fund” to skirt content moderators.

Synthetic identity fraud takes place when threat actors create accounts online using real-world information about individuals bought on the dark web, such as name and address. According to recent research, there has been a 500% increase in high-risk synthetic identities in circulation in the UK since 2020.

Fraudsters are likely to combine a personal identification number, such as a social security number (SSN) or a social insurance number (SIN), with a fake name and address. During Black Friday and peak season, high volumes of online traffic may make it harder to monitor all account activity.

Fake delivery scams target large volumes of people through mass campaigns, on the basis that some recipients will already be expecting parcels, and coerce victims into sharing personal information and bank details to rearrange delivery. Recently, the Evri parcel delivery service has faced an influx of scam text messages sent to customers from random spoofed mobile numbers. Messages about ‘failed delivery attempts’ and ‘package damage, missing postal code’ are sent alongside phishing links that use a URL shortener to mask the real URL, while others direct victims to scan a QR code that downloads malware.

Survey fraud promises fake rewards for sharing personal information and completing surveys. The emails are designed to trick people into completing a survey in order to claim a free prize. If you receive a suspicious email, you can report it by forwarding the email to: report@phishing.gov.uk.

Purchase scams are conducted by cyber criminals who offer too-good-to-be-true prices, impersonating genuine retailers on fake websites. Fraudsters can also sell non-existent products at discounted prices to attract buyers. The victim pays in advance for goods or services that are never received, usually ordered on an online platform such as an auction website or social media. Also referred to as triangulation fraud, these scams usually take place on third-party sites such as Amazon and eBay: the scammer lists items that do not exist or are not immediately available, so the victim either never receives the items, or the scammer uses stolen credit/debit card details to buy the items and ship them to the buyer. In the latter case the victim is the person whose card details were stolen and used to commit the fraud, which leads to chargeback requests against the platform through the card merchant. Warning signs of triangulation scams are too-good-to-be-true prices, unverified sellers, unusual payment requests and non-standard shipping practices.

Gift card scams are rising in popularity because gift cards are not subject to the same regulations as credit and debit card transactions, nor are they linked to specific individuals. In October 2024, UK retailer Tesco issued a statement after an elderly customer was scammed out of GBP£140K through gift card purchases. The threat actor pretended to be a well-known musician on Facebook, sending messages about purchasing Apple gift cards and promising the money back eventually. The conversation then moved away from Facebook to the messaging app ‘Signal’, which offered a degree of protection from tracking.

Guidance

Avoid navigating to untrusted or unknown websites, and never assume that links on known websites are safe.

Where possible view items in person before making payment.

Research the seller and site and always read the reviews. Check several review sites and compare them.

Passwords - use the Three Random Words technique to keep your online accounts secure.

2SV - enable two-step verification for your accounts, including email, banking, social media and shopping, to keep cyber criminals out even if they discover your passwords.

Report scam messages to Action Fraud.

MFA - should be enabled on accounts, using two or more proofs of identity to log in. For example, use your login details together with an authentication code (e.g. the Microsoft Authenticator app from the Apple App Store or Google Play Store). Additional forms of MFA include a PIN, a secret question, a fingerprint and other biometrics (which also help protect against deepfakes/AI).
