Think Holiday Scams Are Just a Consumer Problem? Think Again!

Jay Kelley Miniatura
Jay Kelley
Published November 09, 2023

Singles’ Day in China, the largest shopping day in the world, is November 11.

Black Friday, the biggest shopping day in the U.S., is November 24.

Cyber Monday, probably the biggest online shopping day, is November 27.

So, what do these days have in common, besides an incredible number of deals, a strenuous workout for many people and their credit cards, and banner sales days for retailers and e-commerce sites?

They are a bounty for attackers worldwide.

Instead of taking advantage of incredible savings and buying special items, attackers are eager to walk away with a bag full of stolen passwords, credit card numbers, and much, much more. Oh, and let’s not forget ransomware, too!

Attackers and other bad actors will go to any lengths to steal your data and hard-earned cash. For example, they may:

  • Flood your inbox with phishing emails or your mobile devices with texts containing nefarious links that leverage retailer, e-commerce company, or manufacturer names as a disguise.
  • Flash incredible savings across phony ads that are available with just a click of link—and of course, your credit card number.
  • Request your credentials on what seems like legitimate-looking websites because there’s a padlock in the URL, which usually means the site’s encrypted and allegedly “safe.”
  • Pretend to email or text you from your usual or favorite delivery service with a link that looks real and tracks your order, or stating your order can’t be delivered until you verify your username and password or personal information.
  • Advertise “must-have” products that seem sold out everywhere you search but seemingly are available for a limited time only at a single website and for an unbelievable price. (So, don’t believe it.)

Now, if you’re in SecOps, IT, or other roles responsible for corporate and organizational security, you’re probably reading this and thinking, “This sounds like a consumer-level problem. This shouldn’t affect me or my company. Plus, our employees and other users must go through training and even sign a document that they understand they’re forbidden to use organizational equipment for personal use. So, they wouldn’t do that.”

Don’t bet on that. According to a recent survey, over 50% of respondents said they’ve used corporate devices to check their email or shop, or have allowed friends or family to do the same and over 20% checked their social media over a corporate device.

All it takes is one employee or user to open an authentic-looking phishing email or text, supposedly from an actual retailer, e-commerce company, or manufacturer on a work-issued device, click on a link to launch what’s claimed to be a real-life website, then poof—you could be under attack from ransomware, malware, and other gnarly threats that endanger your organization, network, apps, and data.

So, here are some ideas to use to help educate and protect your employees, users, and organization from attacks misappropriating Singles’ Day, Black Friday, Cyber Monday, or any other shopping holiday:

  • Remind employees and users their work devices shouldn’t be used for personal business, especially shopping.
  • Schedule refresher phishing training to coincide with upcoming shopping holidays. Or send a reminder to employees and users not to access personal email or texts on work devices, and especially not to open unsolicited emails or texts, or to click on links in any email or text, but to directly access the URL and website of the source company.
  • Point out that, even if a website that’s accessed via a link in an email or text or an unsolicited ad may look legitimate and encrypted—and have the little padlock in the URL address—it may be a fake phishing website. They shouldn’t provide any credentials, including login info, or personal or financial info on the site. Again, they should access the source company’s URL and website directly.
  • Note for employees and users that an email, text, or ad promoting any deal that sounds too good to be true is likely not true. So, they shouldn’t click on the provided link, but go directly to the retailer’s, e-commerce company’s, or manufacturer’s website to find the item.
  • The same goes for items that are sold out on any website but available—and only for a limited time—from a single source. Remind employees and users not to click on the link!
  • Tell employees and users if they receive an email or text about an upcoming delivery that includes a link to track the order, says the order is lost and provides a link to trace it, or provides any other link, to not click the link but to go to the provider’s web page directly and track or trace their order from there.
  • Also remind employees and users that if they receive an email or text from a delivery service with information about an upcoming order, but states the service needs their credit card or other personal or financial information to deliver the order, to not provide that information. Instead, they should go to the provider’s web page directly to track or trace their order.
  • If an employee or user suspects something fishy is going on regarding any account they have with a retailer, e-commerce provider, or manufacturer, or if they feel fraud, phishing, or spoofing is going on, they should report it directly to the retailer, provider, or manufacturer.

But even all the reminders and warnings may not be enough because all it takes is one employee or user to slip up and click a link, and your business can be negatively affected. F5 can help.

F5 protects apps and APIs everywhere. From bot protection that secures web and mobile apps and APIs from automated attacks that can quickly escalate to advanced emulation of human behavior, to defending what matters most—your apps, APIs, and underlying infrastructure—with simple, consistent, renowned security, to securing your organization from encrypted threats like ransomware and more, F5 has you and your network, apps, and data secure and protected not just for Singles’ Day, Black Friday, Cyber Monday, or any shopping holiday, but for every day.

For more information on how F5 can protect your organization, apps, and data, please click here.