Holiday Hacking: Beware The New Year ‘Flash Sales’

It is Jeff Bezos’ online retail mammoth, Amazon, which most people credit with the global export of Black Friday in 2010. Since then, the ONS statistics show weekly Internet purchases during the month of November have almost tripled, and internet sales as a percentage of total retail sales have more than doubled from October 2010 to 2018.

The “Flash Sales” associated with the last weekend of November are no longer exclusive 24-hour deals – often running during the entire week running up to Black Friday and beyond – and culminating in so-called Cyber Monday when retailers cut prices still further for the goods they’re selling online. However, the end of November marked just the beginning of the “flash sale” festive period, with sales and discounted offers often running right up to Christmas, and culminating in the New Year sales at the start of January.

The data is clear when it comes to online retail spend. Greater numbers of people, in more countries than ever before, are spending more money overall and significant amounts (close to 20 percent in the United Kingdom) are being captured online.

With more consumers taking to their smartphones, tablets and apps, purchasing has certainly become easier. However, as brands increasingly take to hawking their deals through digital channels, including floods of promotional emails to inboxes (and the (seemingly) incessant “ping” of tweet and text alerts highlighting great deals), the opportunities for hackers looking to misappropriate consumer data have undoubtedly increased, too.

While online scams are not solely exclusive to the Black Friday of festive sales periods, it is worth noting that these periods are particularly appealing for hackers given the surge in consumers looking to make online purchases — all of whom are potential targets.

I’m guessing that if you’re reading this blog, you’ll no doubt have had experienced some of the following Black Friday and Cyber Monday tactics. Typical stings likely included phishing emails pitching “time limited” cheap designer offers, or bogus websites trying to lift credit card details – remember those? More sophisticated approaches include: blackhats planting malware and cryptojacking modules wherever they think consumers might click, or even posting malicious apps posing as branded special offers.

Beyond the immediate effects of any of the above scams, there are more sinister applications for stolen data and personal details on the Dark Web. With enough captured data, organised criminal cyber groups or simply “lone wolf’” actors can create profiles and even entire fake individual histories that they can use or sell for a variety of illicit purposes.

Having read the last couple of paragraphs, you may have felt that the only option you had this holiday season was to unplug your Internet router, stow away all laptops and tablets and turn off your Amazon Alexa. But that is neither the aim of this blog, nor would that be realistic or practical. If you take anything from this piece, simply take it as a reminder that while surfing the Internet for deals – holiday or unrelated – try to remain aware of your online surroundings. Remember the old adage: if it sounds too good to be true, it most likely is.

Regardless of time of year, always try to shop on top-ranked search results, or even type suspicious URLs in manually to check links for typos, repeated letters, or other flaws that could indicate an impostor site. Always use legitimate apps, only downloading them from accredited platforms like Google Play or iTunes, and always use the most up-to-date versions of an app. For the super security-minded out there, you can even check the developer account that posted an app if you still aren’t convinced of its legitimacy.  

With cybercrime and global regulatory environments evolving at such a fast pace, organisations of today can ill afford to rest on their laurels when it comes to the ways they use and secure the data they own and work with on a daily basis. With the European Union’s General Data Protection Regulation now established, the recent implementation of California Consumer Privacy Act, and Canada’s own data privacy laws coming into effect earlier in November, the monetary and reputational cost of downtime, data leaks and data misuse just got a whole lot more real this past holiday season.