As Black Friday unfolds with enticing sales and special offers, it’s crucial to recognise that cybercriminals are also capitalising on the chaos. This poses not only a risk to consumers but also to businesses.
As another Black Friday arrives, with sales and special offers everywhere you turn, it is important to remember that the cybercriminals are also out in force, taking advantage of the noise, confusion, impatience, and stress. This is not just a consumer risk but a business one.
The cyber-threat level rises yearly as attacks become more sophisticated and targeted. This year, the menu of new and enduring attack tactics is joined by the ever-growing power of generative AI.
Why should businesses worry? We live in a world where personal devices are routinely used for and at work. Recent research shows 83% of companies have a BYOD (bring your own device) policy. Another source suggests that about 67% of employees use their own devices at work, regardless of company policies or restrictions. Additionally, many work devices are used for personal purposes – one study found that 42% of employees admitted to this.
This means that when your employees are targeted with consumer-focused holiday scams, they could be putting your corporate network and assets at risk.
Employers can help protect employees and the business by ensuring staff are aware of the threats and attack techniques they might encounter. According to our security researchers, these include email-based attack tactics such as QR code phishing, or ‘quishing’, where attackers embed QR codes in phishing emails, prompting users to scan the code and visit a fake page that appears to be a trusted service or application. Victims are usually tricked into entering their login credentials, which an attacker then captures.
Other novel phishing tactics cybercriminals use include scams leveraging Google Translate links, image attachment attacks, the use of special characters in attacks and URL manipulation techniques. URL manipulation includes domain impersonation and typo-squatting, where an attacker tricks a target with a subtly different domain name to that of a known, trusted brand. Another example is what’s known as a Punycode attack, where, for instance, the Latin character “a” might be replaced by the Cyrillic letter “а” so that it looks identical. These visually deceptive URLs are used to scam or phish a target.
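For defenders, the two URL manipulation techniques above can be screened for mechanically. The following is an added example, not code from the original article: it decodes Punycode (`xn--`) labels, flags labels that mix scripts such as Latin and Cyrillic, and flags near-misses of a trusted domain. The allow-list, the threshold of two edits and all sample domains are constructed assumptions.

```python
import unicodedata

TRUSTED = {"example.com"}  # constructed allow-list (assumption); use your own brands

def to_unicode(domain):
    """Decode xn-- (Punycode) labels so checks run on what the user would see."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave undecodable labels as they are
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Scripts in a label, approximated by the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, max_typos=2):
    """Return 'trusted', 'homograph', 'typosquat' or 'unknown' for a domain name."""
    shown = to_unicode(domain)
    if shown in TRUSTED:
        return "trusted"
    if any(len(scripts(label)) > 1 for label in shown.split(".")):
        return "homograph"  # e.g. Latin and Cyrillic letters in one label
    if any(edit_distance(shown, t) <= max_typos for t in TRUSTED):
        return "typosquat"
    return "unknown"

if __name__ == "__main__":
    # Constructed samples; \u0430 is the Cyrillic letter that looks like Latin "a".
    for d in ["example.com", "ex\u0430mple.com", "examp1e.com", "shop.test"]:
        print(f"{d!r}: {classify(d)}")
```

A label written entirely in one non-Latin script passes the mixed-script check, so a production filter would also compare against a confusable-character table.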
AI is increasingly used in email attacks to enhance the effectiveness and sophistication of phishing and spear-phishing campaigns. Attackers leverage AI techniques to automate various attack stages, generate realistic email addresses and domains that mimic legitimate senders, and produce convincing email content or content that bypasses traditional spam filters and security measures.
There are many things worth doing this Black Friday. If you’re an employer, one should be a quick security review. Do you have effective, AI-based email protection in place, which features impersonation and link protection, among other things? And do you have employees who understand how to spot the latest threat and what to do if they encounter it? If not, now is the time for a training and policy refresh.