Black Friday in the Time of COVID Threatens Cyber Resilience

In 2020, Black Friday shopping will look a lot more like Cyber Monday and be more of a Black Friday season that runs through November and December rather than one designated day of sales. Because so many people are working from home and are not venturing out to stores due to the COVID-19 pandemic, much of that shopping will be done online and more frequently than ever on corporate-issued devices, putting companies and their customers at risk. However, with eyes wide open and a proactive strategy that combines cybersecurity technology and awareness training, your company can come out of 2020 more secure and better prepared for the year ahead. 

The holiday shopping season has always been a concern. Last year, the Cybersecurity & Infrastructure Security Agency (CISA), the U.S. federal risk advisor, published a November statement warning that “Cyber actors may send emails and ecards containing malicious links or attachments infected with malware or may send spoofed emails requesting support for fraudulent charities or causes.”[1]

Suspicious Domain Registration Rises in Run-up to Black Friday

As part of its regular security research, Mimecast monitored 20 top global retail brands beginning on October 26, 2020 and found almost 14,000 recently registered, suspicious domains related to those retail brands. And new registrations continued during the observation period: On some days, Mimecast saw between 53 and 87 suspicious domains registered in one day for a single retailer.

An example of one common exploit uncovered by the research is shown in the image below: a website attempting to leverage the global athletic brand adidas® to apparently lure customers to an e-commerce site selling a variety of athletic shoes — most notably Nike® — from unauthorized parties not associated with the actual brands. In addition to domains that redirect customers to other brands, the research uncovered fake domains which were likely registered by cybercriminals and other unauthorized actors looking to lure users into disclosing personal and/or payment information and domains that redirect to porn sites respectively.

What’s different this year is that more people could potentially be more vulnerable to such campaigns. Pandemic fatigue, fear of job loss, concerns for the health of loved ones, managing children who are learning remotely, sadness over a very different holiday season experience —  People are stressed and tired, which makes them more likely to fall prey to cyber attackers with timely lures. And so naturally, cybercriminals are stepping up their attacks. Also in the latter half of October, the Mimecast Threat Intelligence Center saw a dramatic spike in blended cyberattacks, including a 30.3% jump in email impersonation attempts a 55.8% leap in malicious URLs embedded in emails. 

Corporate Devices & WFH: A Bad Mix for Cyber Resilience

With so many employees working from home and using corporate-issued devices, the line between work and personal life is more blurred than ever before. Employees are using these devices for professional and personal use, code-switching many times each day as they move back and forth (and back again) from work tasks to personal business, according to Matthew Gardiner, Principal Security Strategist at Mimecast.

A September survey of more than 1,000 businesspeople from all over the world showed that 73% are extensively using corporate-issued devices for personal business. Sixty percent reported an increase in the personal use of such devices since the beginning of the COVID-19 pandemic.

Most concerning, noted Gardiner, is that 23% of respondents said they are installing software for personal use on their corporate devices. Naturally, this raises concerns about employees inadvertently installing malware. But equally important, it reveals a security controls gap — employees apparently having admin rights on their machines. This and other security gaps may have opened up when IT departments rushed this spring to issue devices to workers, many of whom had never worked remotely before.

The impact of these risky behaviors will be compounded as we move through the holiday season. People are online more during the holidays, due mostly to the sharp rise in online shopping deals. Adding to time online is the fact that peak in-person shopping days are giving way to a prolonged online holiday shopping season, especially as we experience a second surge of COVID-19 cases as well as state mandated lockdowns and restrictions.   

“This year it’s going to be less Black Friday and more Black November and most of December as well — it spreads out the risk,” said Jinan Budge, Principal Analyst Serving Security and Risk Professionals at Forrester. Budge spoke during Mimecast’s Don’t Let Your Organization Get Phished this Holiday Season webinar.

Cyberattack Sophistication Rises but Employee Security Sophistication Doesn’t

Holiday deals will be promoted in large part through personal email, which is the number one application remote workers are using on corporate-owned devices, according to the Mimecast research. Personal email represents a vulnerable threat vector, as it is not fully protected by the company’s cybersecurity group, and gets more vulnerable as attackers grow more sophisticated and targeted. 

Unfortunately, end users’ skills do not appear to be growing more sophisticated: The Mimecast survey reveals that 96% of respondents are aware of risks around suspicious email, but 45% said they were still opening these emails. The percentage varied based on factors including respondent demographics, countries of residence and industry. In addition, only a slight majority of respondents said they would report suspicious emails.

It’s perhaps surprising, then, that the survey showed that 64% of respondents have received cybersecurity awareness training that was specific to WFH. Given the actions people are taking (or not taking), they are either ignoring the training they received, or it wasn’t very effective in the first place.

Cybersecurity Awareness Training Must Be A Strategy

Indeed, cybersecurity awareness training must be treated as a strategy and not just as software. In the webinar, Forrester’s Budge noted that organizations should move away from “talking at people” and toward something more engaging.

She noted that her own recent research shows the importance of “transformational awareness initiatives,” including several design principles: 

• Have the courage to use humor and fun.
• Use micro and nano learning.
• Influence behavior change by nudging the audience at the point of risky behavior.
• Use experimental learning and gamification.
• Use stories and analogies.
• Make it personal and relevant.
• Repeat messages frequently.
• Employ engaging, inclusive messages and images.

It’s also important to realize that the work of security awareness training is never done, notes Bryn Donovan, Product Marketing Manager at Mimecast. “It’s not a set-it and forget-it,” she said. 

Rather, organizations should consider security awareness training as part of a cycle, in which they are continually analyzing threats and opportunities and then evaluating the performance of their program based on that analysis. This includes optimizing for industry-impacting “events” like tax season and, yes, holiday shopping, as well as testing employees’ security behaviors using the ways they are being attacked today.

Of course, security awareness training alone will not keep a company safe. Such training must be implemented and maintained in concert with a pervasive email security strategy that tackles multi-vector attacks, phishing, business email compromise (BEC), insider threats and brand impersonation.

The Bottom Line

The intensity and longevity of the holiday shopping season, pandemic fatigue and the rising sophistication of cybercriminals is a tough combination threatening companies’ cyber resilience as 2020 comes to an end. By approaching security awareness training in a thoughtful, purposeful and integrated way — as a layer in the overall security program — organizations can keep themselves, their customers and their employees safe.

[1] “Holiday Shopping, Phishing, and Malware Scams, CISA