Cyber Threats

Social Engineering: According to analysts from Flashpoint, “Retailers are pulling out all the stops to incentivise spending, this includes a high volume of discount codes and online offers. Threat actors are likely to tailor social engineering campaigns, like phishing and smishing, to masquerade as retail discounts to steal sensitive information from customers.”

Refund Fraud: “Threat actors engaging in refund fraud take advantage of retailers’ return policies, customer service representatives, and third parties to receive fraudulent refunds.”

Since October 1, Flashpoint analysts have seen the ‘partial refund’ and ‘fake tracking ID’ methods emerge as the most popular.

Gift Card Fraud It’s common for threat actors to buy high-priced gift cards to use at a later date. Gift cards can be purchased with compromised financial information or through compromised retail accounts where credit card information is stored. Access to these accounts is often done through phishing attacks, password-spraying attacks, or social engineering attacks.

Flashpoint analysts warn that, “Some threat actors advertise gift card services on deep and dark web forums and chat services in which they offer to acquire goods at a discount by using the fraudulently funded gift cards. These gift cards are also often bundled into advertisements for cash-out services and other financial fraud, as purchasing gift cards is a popular and efficient way to exfiltrate money from a compromised account.”

CMS Access: “Threat actors will likely attempt to exploit retailers’ content management systems (CMS) to harvest customer information, including credit card or payment information.”

“Flashpoint analysts observed many instances of threat actors targeting vulnerabilities in popular CMSs.”

Physical Threats

Merchandise shortage and delays: The global supply chain is still recovering from the impacts of the pandemic and related shutdowns, labour shortages, high inflation rates, and delays in transport. As Flashpoint analysts have witnessed in recent years, heightened holiday shopping tension combined with customers’ inability to obtain their desired items will lead to an increase of in-person confrontations with retail staff, or even physical altercations between customers arguing over items.

“Merchandise shortages are very likely to increase the shipping times of items, which may result in a large number of packages not reaching their intended destination in time for the holiday. This may result in customers harassing employees of post offices and delivery services out of frustration over late packages.”

How can it be managed?

Formalised communication channels: Analysts from Flashpoint say that “Retailers can help mitigate fraud and other cybersecurity issues this holiday season by establishing a clear and formalised communication channel with their consumers. This may manifest as using an official email address or phone number when sending discount codes or updates on stock, or as formalised guidelines as to when and how the retailer may reach out to customers.”

Patching: “Establishing a consistent software vulnerability pathing cycle, offering comprehensive employee training, and enabling multifactor authentication (MFA) on customer and employee accounts can assist in mitigation other fraud, like CMS exploitation and social engineering.”

See the full report here.