How to protect your retail business from phishing attacks

Phishing is full of puns – from trawling for potential victims by casting the net widely, to spear phishing through targeted attacks on individuals or small groups – but it is far from being a laughing matter for those retailers caught up in this damaging and costly crime.

Many companies have been caught up in these various forms of phishing as criminals look to dupe individuals into mistakenly disclosing their personal details that can then be used against them and organisations for financial gain.

Proof of phishing’s success as a lucrative criminal activity is the fact that it has been around for some time, according to Richard Meeus, EMEA director of security technology & strategy at Akamai, who says: “It has been around for years and is a very common method of obtaining information from individuals.”

There are two broad types of attack. The first is ‘trawling phishing’, which involves sending out emails or other communications very broadly in order to trap as many people as possible through a generic campaign. The other is the much more personalised ‘spear phishing’, which can involve a compromised business email account being used to interject in the workflow of an individual, or an email designed to get people to change a transaction they are undertaking. There are many variations possible.

Many of these emails simply play on the desire of individuals for promotions and winning things. “You see it all the time in social media where there will be a free offer from a famous brand or there will be three questions to answer in order to get a prize. Once lured in by the offer then the criminals will require email addresses and other personal information so will then likely send the victim off to a landing site. It’s very common,” explains Meeus.

For retailers the threat of phishing can hit them in a number of ways, including an attack on their customers, their employees, or a third party that they deal with. The latter was the cause of arguably the highest-profile attack to date, on US-based retailer Target in 2013.

It was initiated by a phishing attack on a third party that enabled the criminals to access the information of as many as 110 million Target customers. The resulting financial hit to the company has reached $1 billion when the class action lawsuits it has faced are taken into account, on top of which there is the long-term brand damage inflicted on the organisation.

Trawling phishing allows the attackers to create large lists of usernames and passwords that can then be tested against other websites – as people tend to use the same credentials across multiple websites. It is believed that Disney and its new streaming service Disney+ fell victim to this “credential stuffing”, as the criminals were able to sell access to legitimate user accounts for a fraction of their real value, also sometimes resulting in the real customers being locked out.

As criminals become ever smarter, and are now even able to obtain tools like ‘phishing-as-a-service’ directly from the internet, retailers need to be increasingly proactive in raising awareness of the risks that phishing attacks pose to people. Much of this is relatively straightforward: “It’s about educating customers [and employees] about phishing and of how you do business online so that people are not duped.”

To this end the likes of JC Penney and Wal-Mart have made public statements detailing exactly what customers can expect from any communications they receive from these organisations. Anything that steps outside of their stipulated formats should, therefore, be treated with suspicion and not be opened.

Meeus also highlights that retailers can link up to websites such as ‘Have I Been Pwned’ that automatically check whether a customer opening a new account with them is using the same username and password that has been compromised elsewhere.
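One way to implement such a check at account creation is the k-anonymity range query offered by Have I Been Pwned’s Pwned Passwords API: only the first five hex characters of the password’s SHA-1 hash leave the retailer’s systems, and the match against the returned suffixes is made locally. The code below is an added example, not from the article or from Akamai; the `api.pwnedpasswords.com/range/` endpoint is the real one, while the sample corpus and its counts are constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def split_hash(password: str):
    """SHA-1 the password; return the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank lines and CRLF are tolerated."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus; 0 if unseen.
    A padded entry with count 0 also reads as unseen."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real service (needs network). Only the prefix is sent."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_fetcher(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the service: builds range bodies from a
    small {password: count} dict so the example runs without network."""
    ranges: Dict[str, list] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(ranges.get(prefix, []))


# Constructed sample corpus; the counts are made up for this example.
SAMPLE_CORPUS = {"password": 3861493, "letmein": 250000, "Summer2019!": 42}
OFFLINE_FETCH = make_offline_fetcher(SAMPLE_CORPUS)


def signup_password_ok(password: str, fetch_range=OFFLINE_FETCH) -> bool:
    """Account-creation policy: reject any password seen in a breach."""
    return breach_count(password, fetch_range) == 0
```

Swapping `OFFLINE_FETCH` for `fetch_range_live` turns the same check into a live query without changing what is disclosed to the service.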

Another way for retailers to counter the various phishing approaches is to disrupt the attackers’ need to divert potential victims to a landing page from which they can seek to acquire their personal information.

Meeus says a lot of this activity is undertaken by the perpetrators providing the victim with a URL or a link to click on. When these are delivered through retailers’ employee emails then a quick automated “sanity check can be made on the DNS request” to ensure the individuals are not falling prey to an attack and being sent to an unsafe landing page.

In order for retailers to protect their customers as well as their own brands and reputations it is very much about being as proactive as possible and keeping on the front foot by adopting best-practice solutions.
