Retail businesses are vulnerable to a range of cyber security threats during this new way of working.
The impacts of Coronavirus (COVID-19) on the retail sector have accelerated the changes that we were already seeing in this sector. When physical stores closed, there was a swift adoption of online options, contactless payments and deliveries, which in turn has driven an increase in cyber security risks and fraud that retailers need to be aware of.
These new ways of working, along with the increased adoption of cloud and software-as-a-service, mean retailers will also need to consider:
With the increase in demand in such a short time, additional and/or local supplier options are also being pursued, which means third party risk can also increase. And as consumers embrace more digital interactions with retailers, they too are at increased risk of social engineering and retail-based scams.
We highlight some key insights into cyber security impacts in the retail sector and actions to consider to protect your retail business and your consumers.
More and more organisations are going contactless, and this isn’t just about payment platforms with tap and go/tap and pay. We’re now also seeing delivery options moving towards a contactless model, and both of these can increase fraudulent activity in the form of:
Fraud in these areas had already been increasing:
With more consumers social distancing and physical stores closed, the need to operate via ecommerce has become paramount. Customers are spending on average 10-30 percent more online with ecommerce consumer sales increasing 28 percent during the coronavirus pandemic.5 This is driving more online capabilities for retailers, but is also highlighting the issues that arise when operations are moved online. Retailers need to build security into their design from the outset to protect their brand, reputation and customers. Consider the following:
In particular, your organisation should have the capacity to handle sudden increases in traffic, whether from a sales/marketing campaign or from a denial of service (DoS) or distributed denial of service (DDoS) attack. Link 11 (European Cyber Resilience Company) reported an increase in DDoS attacks of 30 percent during the early stages of the pandemic (17 February – 9 March).6
It’s important to consider your suppliers’ and other third parties’ cyber security as well. A third party risk assessment should be undertaken before giving any third parties access to your business networks. It is also important to verify the access they give their own third parties, how they handle customer data, what cyber security protocols they have in place and their organisation’s security policies. For example, a larger retailer had a credit and debit card breach after hackers were able to break into the company’s network using network credentials from a refrigeration and HVAC systems vendor. This allowed hackers to install malware on the retailer’s POS systems, which in turn allowed the collection of data relating to approximately 40 million customers.
Attackers are using the coronavirus as a way to target more consumers. In fact, the Australian Competition and Consumer Commission’s Scamwatch received more than 100 reports of scams about COVID-19 in the last three months, and the volumes continue to rise.7 In addition, consumers who are shopping online more are also signing up to newsletters and eDMs and getting notifications of shipping details, which can make them more susceptible to email phishing scams that could masquerade as your business. There have been well-publicised scams using FedEx, Australia Post and other well-known delivery service providers encouraging users to click on links to track their parcel, but the link causes malware to download.
It’s important to protect your business and brand, as well as your customers, from being attacked. To help, ensure that your email communications are clear, well-written, well-branded and consistent so consumers can easily identify authentic messages from your business versus a scam.
Some of the increases in fraudulent activities include:
Retailers need to consider how to protect their customers’ identities. While creating logins for users to access newsletters and track the progress of their order is commonplace, it’s important for retailers to minimise the risk of compromise and customer data breaches. Specifically, retailers are vulnerable to credential stuffing: the automated use of collected usernames and passwords to gain fraudulent access to user accounts. Some ways to protect your customer data include:
The age of your customers may affect how at risk they are of security compromises. Older customers may not have a complete understanding of how to use security tools and multi-factor authentication. It’s worth considering how you could offer them additional support. This age group are also often using older banking methods and are more likely to default to cash rather than cashless options. This puts them at greater risk of compromise because they are often unaccustomed to new payment methods and ecommerce.
A younger customer is often more tech savvy but does not have the ability to obtain credit, and is therefore more reliant on payment methods such as Visa Debit, PayPal, Mastercard Debit etc. But this generational group is more susceptible to social media based phishing attacks. It’s important to note:
As retail businesses start to navigate through the immediate impacts of coronavirus and towards the new normal, these security risks will need to be understood and planned for.
If you have any questions regarding the content of this article and would like to speak to someone from our team, please contact us.