The Nasstarian

Businesses Braced for Christmas Fraud Blitz Shouldn’t Forget About Data Security

In insight / By Phil Muncaster / 12 December 2017

Welcome to the most wonderful time of the year … if you’re an online fraudster. Police estimate that UK shoppers — and by implication, the businesses they shopped with — lost a staggering £16m during the Christmas shopping period last year. That period has extended even further since the advent of the US-driven Black Friday/Cyber Monday sales period around Thanksgiving. This means UK businesses should be on high alert when it comes to identity fraud and online scams in their name.

But they also need to think more holistically about the fraud ecosystem. By improving data protection practices, businesses can help to suffocate fraud in the long run by stemming the breach of personally identifiable information (PII) which facilitates Christmas shopping scams. Given the growing financial challenges associated with Brexit, fraud losses are a luxury no UK business today can afford.

A growing problem

Fraud is estimated to cost the UK a staggering £190 billion each year — apparently greater than the GDP of 141 countries around the world. Much of it is carried out online as fraudsters increasingly look to try their luck remotely, safe in the knowledge that they’ll most likely never be caught. Just as retailers hope to make a large percentage of their annual income in the run-up to Christmas, so do the scammers. Security firm ThreatMetrix, which analyses over 20 billion transactions annually, predicted recently that it would block at least 50 million global fraud attempts over the week of Black Friday alone.

Why the uptick at this time of the year? Because many online retailers choose to accept a greater degree of risk during the busiest shopping periods, to reduce the likelihood of valid sales being declined or escalated to fraud teams. Fraudsters use such busy periods to make larger purchases, knowing they’re less likely to be flagged as suspicious because everyone’s doing the same at this time of the year. What’s more, European retailers are particularly at risk, as online transactions are 63% more likely to be fraudulent than in North America, according to ThreatMetrix.

Helping the scammers are obfuscation techniques including identity and device spoofing, as well as automated bots. The latter are typically used to enable the mass testing of stolen credentials before data breaches are publicly disclosed and customers have a chance to change passwords and order new credit/debit cards.

It’s no surprise Barclays has warned that more than a quarter of online scams happen over the Christmas period. The high street lender estimated that festive fraud will cost consumers over £1.6bn this year and businesses £72m in lost revenue. If there’s one thing we can predict with certainty about cyber-criminals it’s that they always follow the money — and with an estimated £7bn spent online during Black Friday this year, there’s certainly no room for complacency.

Time for action

So what can be done? Well, certainly organisations with an e-commerce presence need to be aware of these risks and double down on anti-fraud measures this Christmas. But in truth, organisations of all shapes and sizes need to get better at data security. Why? Because customer PII is the fuel that feeds the fire of fraud. Data breaches are impossible to prevent 100% of the time. But there are many things firms can do to make themselves a harder target — and the fewer pieces of PII there are available for purchase on the dark web, the harder you make it for the fraudsters over the longer term.

Here’s another idea: migrate customers from outdated username/password-based logins to multi-factor authentication systems. By doing so, you remove another major advantage for cyber-criminals. Taking away these online credentials — which are often shared across a number of services including various e-commerce account logins — will severely impact the fraudsters’ productivity. It will also help to combat phishing attacks, because there will be no credentials to steal. Businesses should turn up the heat further on the phishers by proactively looking for any domains which spoof their brand.

That’s not to mention the risk of Christmas DDoS attacks, which could take out retailers’ sites during their busiest period. Specialist DDoS mitigation services are an investment which will more than pay for itself in protecting your revenue stream this Christmas.

Stemming the tide of breaches

This is all set to come to a head next May, when the EU General Data Protection Regulation enforces strict new requirements on firms to protect personal data on customers and employees. Maximum fines of £17m or 4% of global annual turnover and mandatory 72-hour notification periods should be enough to have attracted the attention of most boardrooms by now. Yet the regulators aren’t prescriptive about the tools and techniques they want you to use to protect this data. So, what should a best practice plan include?

Consider the following:

  • Layered security across the endpoint, network, web and email gateway and servers
  • Prompt patching
  • Strong data encryption
  • Regular off-site back-up
  • Strict access controls (multi-factor authentication) for customer and staff accounts
  • Comprehensive user education, updated and run at least once a year
  • Incident response plan, regularly tested
  • Continuous network monitoring and pen testing

At Christmas, the temptation is to focus on driving profits at all costs, which might result in IT being more concerned about uptime than security. This would be a mistake. Cyber-criminals are nothing if not agile and opportunistic, and will be primed to strike if they think your back is turned.

With the economic impact of Brexit finally beginning to bite, UK businesses need to strip out preventable costs wherever they can.

Phil Muncaster

Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.
