Security Scorecard

‘Tis the Season for Payment Fraud: 5 Top Holiday Shopping Risks

Posted on December 16th, 2021

Holiday shopping is right around the corner, but unfortunately, Black Friday isn’t just an opportunity for shoppers and retailers — it’s also an opportunity for cybercriminals.

While criminals have always been attracted by the money that changes hands on Black Friday, the last couple of years have been a magnet for cyber attacks. The pandemic meant that more people than ever shopped online in 2020 — with shoppers spending $14.13 billion online last year on Black Friday. UN trade and development experts at UNCTAD reported earlier this year that the e-commerce sector saw a large rise in online retail sales, from 16% to 19%, in 2020. Adobe Analytics predicts that growth will continue this year.

Where there is money, however, there will be thieves. A recent report found that attacks spiked much higher on Black Friday and its Chinese counterpart, Singles Day, than in 2019. While retailers are always popular targets for criminals, cyberattacks on e-commerce are up this year, and that will have implications for both retailers and shoppers on Black Friday weekend, as well as throughout the whole shopping season.

What are some of the biggest risks holiday retailers and shoppers face this year? Below are a few of the most common threats.

1. Formjacking and credit card skimming

When shoppers input their payment information during checkout, there’s a chance they’re sending their financial information to bad actors. This sort of attack is called formjacking or skimming: cybercriminals inject malicious JavaScript code into an online form, which hijacks the form and uses the page to collect the information that’s being entered by users.

Formjacking attacks were popularized by Magecart, a consortium of cybercriminal groups that specialize in attacking online shopping cart systems to steal credit card information. They get their name from the Magento system, which they’re known for attacking. They have been around since at least 2015, but are still quite active today — in 2020, scams targeting the checkout forms of online retailers rose by 26%, according to reports.
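
A defender's check for the script-injection risk described above, as an added example that is not part of the original post: it audits a checkout page's script tags for third-party hosts outside an allowlist and for third-party files loaded without Subresource Integrity. The markup, the host names and the `auditCheckoutScripts` function are constructed for illustration.

```javascript
// Added example: audit the <script> tags of a checkout page for formjacking exposure.
// The page markup and host names below are constructed sample data.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="checkout" action="/pay"><input name="cc-number"></form>
<script src="/static/cart.js"></script>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdn.shop.example/analytics.js"></script>
<script src="https://stats-collector.example/c.js"></script>
<script>document.getElementById("checkout").addEventListener("submit", validate);</script>
</body></html>`;

// Return one finding per script that could be swapped or injected without the page noticing.
function auditCheckoutScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let match;
  while ((match = scriptTag.exec(html)) !== null) {
    const attrs = match[1];
    const src = (/\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs) || [])[1];
    if (!src) {
      // Inline code cannot be pinned with SRI; it needs a CSP nonce or hash instead.
      if (match[2].trim()) findings.push({ src: "(inline)", issue: "inline-script" });
      continue;
    }
    const url = new URL(src, pageOrigin); // resolves relative paths against the shop origin
    if (url.origin === new URL(pageOrigin).origin) continue; // first-party file
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ src, issue: "host-not-allowlisted" });
    } else if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(attrs)) {
      // Allowed third party, but a compromised CDN could change the file silently.
      findings.push({ src, issue: "missing-sri" });
    }
  }
  return findings;
}

const findings = auditCheckoutScripts(
  SAMPLE_CHECKOUT_HTML, "https://shop.example", ["cdn.shop.example"]);
console.log(findings);
```

Run against the payment pages on a schedule, a check like this surfaces a newly added script host or a dropped integrity attribute before shoppers' card data is exposed.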

2. Attack of the Bots

2021 was the Year of the Bots, which was not good news for retailers.

While bots have always been a headache for online retailers, a recent report found that in 2021 the number of monthly bot attacks on retail sites increased 13% compared to 2020. An unfortunate trend is that many of those bots were more sophisticated than previous versions, meaning they produce mouse movements and clicks that appear to be human behavior and are difficult to detect. Imperva estimates that at least a quarter of online traffic on retail sites is made up of bots, and 57% of retail website attacks are by bots.

3. DDoS attacks

Distributed Denial of Service (DDoS) attacks occur in every sector, and retail is no exception. A DDoS attack happens when an attacker overwhelms a site with a high number of requests. During the holiday shopping season, when traffic is already high on retail sites, it’s likely some attackers will launch DDoS attacks. Reports indicate that such attacks have increased, with retailers seeing about 14 DDoS attacks a month in 2021.

4. Credential theft and account takeovers

If retailers are relying on the strength of their users’ passwords this holiday season, that may be a recipe for credential theft. People are notorious for using weak passwords, duplicating passwords, and sharing passwords, and criminals are willing to take advantage of those issues by using brute force attacks and other methods to gain access to accounts.

Retailers will have to walk the thin line between making authentication easy and convenient for users (require too many Captchas and your shoppers might give up) and securing users’ information with authentication like passwords or two-factor authentication.

5. A longer shopping season

Supply chain problems and shortages mean that users are starting their holiday shopping early this year, and retailers are likely to start offering deals earlier as well. This also means retailers will need to be extra vigilant about security for a longer period of time this year, as criminals experience a larger window of opportunity for cybercrime.

Smarter shopping and selling during the holiday season

There are plenty of steps both shoppers and retailers can take to reduce fraud this season. Smart shoppers should think critically about the store addresses they’re visiting and the apps they’re downloading, for example.

Retailers, overwhelmed during the holiday season, should get some cyber security help. While managing third parties can seem cumbersome, intelligent automated tools can leverage existing data on cyber security risk in order to help online stores manage their third-party IT risk.

Platforms such as SecurityScorecard’s Security Ratings help identify and prioritize third-party cyber risks. Trusted by the world’s leading brands, Security Scorecard can help you strengthen your risk management framework, reduce risks, and have a happier, safer holiday shopping season.

