How to Defend Against Digital Cyberthreats This Holiday Season

Cyberattacks increase during the holiday season

Research on cyberattacks shows a direct correlation between the holiday season and a rise in cybercrime. In 2022, for example, we observed that malicious bot activities in commerce in the Asia-Pacific (APJ) region increased by 3x during the year-end holiday season compared with the beginning of the year.

As the online shopping season takes full swing, financial information is frequently used to facilitate transactions across many different platforms and application programming interfaces (APIs). This sudden spike in data that's moving across the internet is very enticing to cybercriminals — spurring them to action and putting businesses in danger.

4 key holiday shopping hazards

Consumers, tempted by holiday campaigns and special deals, tend to make more online purchases during this time of year. Here are four of the key threats that businesses and individuals should be aware of while holiday shopping.

1. Web application and API attacks. Digital commerce and payment platforms face a significant risk from hackers who try to exploit vulnerabilities in the software that powers these platforms, especially during major sales campaigns.

2. Distributed denial-of-service (DDoS) attacks. As customers rush to make purchases, there's a heightened risk of DDoS attacks. If a DDoS attack makes your website inaccessible, revenue takes a hit at the exact time when sales should be highest.

3. Malicious bots. These bots are designed to carry out large-scale attacks, such as taking over consumer accounts during peak shopping times, leading to fraudulent activities. 

4. Web skimming attacks. Attacks like Magecart have become more prevalent during the holiday seasons. These attacks, which steal sensitive credit card and payment information, are akin to ATM skimming but are executed digitally. The captured data is then used to commit financial fraud.

Retailers aren’t the only ones at risk

Making a digital purchase is not just about logging in and paying. Behind digital commerce platforms are multiple processes involving many different parties. Cybercriminals don’t need to attack the end merchant, but can go after other parts of the supply chain, including:

• Product suppliers. As orders and processed payments increase, suppliers become part of a larger supply chain, making them increasingly vulnerable to data breaches, ransomware, phishing, and other types of cyberattacks.

• Financial service providers. Fintech companies, payment processors, e-wallet providers, and banks are all involved in transaction processes. Whenever financial data is transferred from one point to another, it’s susceptible to data breaches and exposure.

• Logistics providers. Logistics providers possess customer data that’s essential for delivery, such as names, addresses, and phone numbers. This makes them attractive targets for cybercriminals who aim to harvest data for further attacks like phishing.

Retail resilience: Stay ahead of evolving threats

Businesses should anticipate a surge in attacks during the holiday season and proactively evaluate the effectiveness of their existing security measures. Leaders can start by asking: Do we have the right tools that can scale to defend against a large volume of attacks?

It’s important to note that the risks outlined earlier in this article — web application and API attacks, DDoS attacks, malicious bots, and web skimming attacks — are not protected against by general security tools, such as antivirus software and firewalls. Retailers need to continuously assess and reassess their security posture, taking inventory of the specialized tools they have to protect themselves and their customers from malicious bots, web skimming attacks, data scraping, and other advanced threats.

Always be aware of risk exposure. Do you know exactly which services you’re providing? Are you running just a website, or are there also associated apps or APIs? As cybercrime continues to evolve, businesses must strengthen their security protocols and adopt robust measures to defend against advanced threats.

Empower consumers to decode the deals

As phishing attempts become increasingly sophisticated, businesses and retailers should also enhance consumer awareness campaigns and provide ways for customers to verify the authenticity of communications and transactions.

Consumers need to understand that if a deal they see on email or social media looks too good to be true, it likely is. Attackers capitalize on end-of-year sales when most retailers are offering discounts and sending many more marketing emails and SMS messages.

Cybercriminals can easily impersonate these brands, with generative artificial intelligence making phishing and social engineering attempts appear more authentic. Consumers must take steps to be certain their interactions are legitimate.

Although currently rare, it’s likely that deep fake videos will increasingly be used to influence consumers to download malware or make fraudulent transactions. Though these emergent threats are at the nascent stage, we need to build defenses and raise awareness now before they become pervasive.