Black Friday Cautionary Tales: Phishing, Card Cracking, and Gift Card Fraud
Published: 03/11/2022


  • Netacea, Agentless Bot Management


Christmas shopping season is a lucrative time of year for cybercriminals. In the UK alone, shoppers lost more than £15 million to fraud in the run-up to Christmas 2020. Of this, £2.5 million was lost over a single weekend: Black Friday to Cyber Monday.

Online shopping scams are expected to ramp up ahead of Black Friday this year, too. Card cracking is particularly high risk, as heightened traffic volumes make it more difficult for many retailers to detect high volume brute force attacks. Gift card fraud is also expected to rise as more customers buy gift cards for friends and family.

Recent Black Friday cyberattacks offer a stark warning for shoppers. So what lessons can be learnt from previous Black Friday scams, and how can retailers and shoppers protect themselves throughout Christmas shopping season 2022?

Copycat websites pose a risk to your brand trust

In 2020, Which? reported an influx of fake websites that imitated the sites of trusted brands, including children’s toy brand Little Tikes. Scammers set up a similar URL and directed Facebook ads to their fraudulent site. The site used Little Tikes’s real logo and branding to look legitimate:

Copycat website designed to trick shoppers

Shoppers who purchased products from the site found unauthorized sums of money taken from their bank accounts. One shopper reported that scammers took £170 from her account, even though she had made only a small purchase worth £2.50. Another reported buying a heavily discounted climbing frame which never arrived.

While customers are rightly upset over lost funds, brands should be worried about this, too. Scams like these can significantly damage customer trust — so it’s important to be vigilant when sites like these crop up.

What shoppers can do

Make sure any social media ads you click are from the company’s official account. If you’re not sure, avoid clicking on the ad — go directly to the brand’s website instead.

What retailers can do

Report suspicious sites to the domain provider. They can investigate and get the site taken down.

Gift card scams are hard to trace

Gift cards and vouchers are popular with Christmas shoppers — so there’s an increase in gift card scams at this time of year. Gift cards are also easy to sell on and hard to trace once used. In 2017, the government issued a warning about scammers who posed as HMRC representatives and coerced people into buying gift cards to pay off supposed tax debts.

In another instance, scammers targeted charity workers by imitating the charity CEO and asking them to buy gift cards as a Christmas present to staff. Many charity volunteers are retirees who may be less aware of these types of scams.

What shoppers can do

Gift card fraud often involves people unexpectedly contacting you and using persuasion or intimidation tactics. If you get an unexpected call or email, ignore it or put the phone down. If you’re worried that you may actually owe money, call HMRC (or whoever claims to have called) on the phone number from their website.

What retailers can do

Keep all staff up to date with cybersecurity training, whether they’re voluntary, remote, part-time, or full-time. It’s also worth investing in cybersecurity software to protect customer loyalty points and gift cards.

Phishing leads to card cracking and other brute force attacks

Phishing attempts also rise during the festive season. When online Christmas shopping peaked due to the Covid-19 pandemic, there was a spike in parcel delivery scams. According to a BBC report, scammers sent texts and emails demanding a fee for redelivering packages, and attempted to extort financial details from shoppers.

Businesses and customers can both be targeted by phishing scams, so it’s important for everyone to be vigilant. Phishing scammers bank on people feeling panicked and acting without thinking, especially during the Christmas shopping season when there are time-limited deals and time-sensitive parcels on order.

What shoppers can do

Take a zero-trust approach to emails. If you’re not 100% sure who sent the email, don’t click on any links or download any files. Never enter your payment card information unless you’re certain the site is legitimate and secure.

What retailers can do

Make sure staff can recognize a phishing email or text. Encrypt all data so that even if credentials are exposed, data access is limited.

Order notifications take phishing tactics offline

Some scammers try to make their phishing attempts appear more legitimate by persuading you to contact them by phone. The ‘payment confirmed’ email below spoofs an Amazon order notification. The sender’s email address is a Gmail account, which should ring alarm bells. But many recipients were more concerned about hundreds of dollars apparently being taken from their bank accounts.

Fake email claiming to be from Amazon

Recipients were directed to call the phone number on the email. Fraudsters then asked for the caller’s card details to cancel the order. Card details could then be sold on the dark web, opening people up to card cracking and account takeover attacks, or used to make fraudulent purchases.

Spoof phone calls aren’t a new method of social engineering. But they’re still easy to fall for — so customers must know what to do when they’re asked for sensitive information over the phone.

What shoppers can do

Legitimate companies don’t need your card information to cancel or view orders, so don’t hand over your details. If you need to contact a company by phone, take the number from their real website rather than an email.

What retailers can do

Make shoppers aware of your procedures for order notification and cancellation, so it’s easy for them to spot when something is out of the ordinary.

How does phishing lead to card cracking?

Customers who reveal their bank details online worry that criminals will steal money directly from their account. This is a real risk — but card cracking could cause more damage in the long run.

Card cracking is a brute force attack. Criminals buy partial or full card details from the dark web, then use bots to find out which card details work, and/or discover any missing elements.

Phishing enables scammers to gather data that can later be used for card cracking. Card cracking is dangerous because it means more than one bad actor can ultimately get hold of and use customer card information. That’s why customers and businesses must be vigilant about data protection.
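For retailers, the two behaviours described above (bots checking which purchased card details work, and bots guessing the missing elements of one card) leave different traces in payment authorization logs. The sketch below is an added example, not Netacea's method or code from the original article; the log fields (`client_id`, `card_token`, the decline reason strings) and all thresholds are assumptions. It uses a decline ratio rather than raw volume so that heavy seasonal traffic alone does not trip it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_CARDS_PER_CLIENT = 5   # assumed: distinct cards one client may try per window
MIN_DECLINE_RATIO = 0.8    # assumed: share of that client's attempts declined
MAX_DETAIL_DECLINES = 4    # assumed: CVV/expiry mismatches tolerated per card
DETAIL_REASONS = {"cvv_mismatch", "expiry_mismatch"}  # hypothetical reason codes

def sample_attempts():
    """Constructed log rows: (timestamp, client_id, card_token, result)."""
    t0 = datetime(2022, 11, 25, 9, 0, 0)
    rows = []
    for i in range(8):   # one client validating a list of cards
        rows.append((t0 + timedelta(seconds=20 * i), "bot-a", f"tok-{i:03d}",
                     "approved" if i == 5 else "card_declined"))
    for i in range(6):   # rotating clients guessing one card's CVV
        rows.append((t0 + timedelta(seconds=30 * i), f"bot-b-{i}", "tok-900", "cvv_mismatch"))
    rows.append((t0 + timedelta(minutes=1), "shopper-1", "tok-500", "cvv_mismatch"))
    rows.append((t0 + timedelta(minutes=2), "shopper-1", "tok-500", "approved"))
    return sorted(rows)

def detect(attempts):
    """Return (clients validating card lists, cards whose details are being guessed)."""
    by_client, by_card = defaultdict(list), defaultdict(list)
    list_testers, guessed_cards = set(), set()
    for ts, client, card, result in attempts:
        # Per-client sliding window: many distinct cards, mostly declined.
        recent = [e for e in by_client[client] if ts - e[0] <= WINDOW]
        recent.append((ts, card, result))
        by_client[client] = recent
        cards = {c for _, c, _ in recent}
        declined = sum(1 for _, _, r in recent if r != "approved")
        if len(cards) > MAX_CARDS_PER_CLIENT and declined / len(recent) >= MIN_DECLINE_RATIO:
            list_testers.add(client)
        # Per-card window: catches guessing that is spread across many clients.
        if result in DETAIL_REASONS:
            hits = [t for t in by_card[card] if ts - t <= WINDOW] + [ts]
            by_card[card] = hits
            if len(hits) > MAX_DETAIL_DECLINES:
                guessed_cards.add(card)
    return list_testers, guessed_cards

if __name__ == "__main__":
    print(detect(sample_attempts()))
```

The per-card view matters because a bot that rotates IP addresses or devices never exceeds any per-client limit; only the card token ties its attempts together.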


How to protect your customers from scams this Black Friday

Bots are the basis for most modern cyberattacks. Criminals use bots to steal money from customers and defraud businesses. That’s why defending your website and app against bot attacks is the best way to protect your customers this Black Friday.

Web application firewalls and location-based filters will only get you so far. These solutions can’t always accurately detect bots, so you could be preventing real users from accessing your site. Plus, sophisticated and unknown bots can swiftly bypass these cybersecurity measures.

Netacea’s bot management solution stops even the most advanced card cracking bots and gift card scammers. Our AI-based bot detection system accurately detects and blocks bad bots, while allowing good bots and real users to access your site seamlessly.

Learn why Netacea is the best anti-bot solution, then book a demo to make sure your site is protected in time for the 2022 Christmas shopping season.
