Examining Cyber Fraud During the Holidays

As fall is winding down, the air is cooler, leaves drop, and people start shopping. Some estimates show that 30 percent of yearly sales for small and mid-size retailers take place in the last two months of the year, and 71 percent of consumers will be shopping on Black Friday. To deal with this surge, retailers will hire more than 700,000 employees. Technology is changing the way we shop. Cash is out, even though some 90% of sales will be at brick and mortar stores. Credit cards will be swiped (or inserted) and mobile payments are taking off. All of this means that more payment data will be flowing through more hands than at any other time of the year – and many of those hands are new employees. Hackers know this, and for them, holiday season is an opportunity. For hackers, there’s nothing like fraud for the holidays.

During the 2017 holiday season, online fraud attempts increased by 22 percent. The FTC has warned that gift cards are a favorite target of fraudsters, and loyalty programs have also seen an increase in attacks. Card breaches will always be a favorite, especially for brick and mortar merchants who permit their employees to take cards out of sight of consumers (also for those who have card-not-present transactions).

So how do you keep from becoming a statistic when we update this article next year? There are some simple steps that can help.

  • Maintain PCI DSS continuous compliance. Some companies see PCI DSS compliance as something they obtain annually – a point in time analysis. Gearing up your compliance infrastructure annually makes the assessment process much more challenging. It also can create security gaps. Use your internal resources to test your PCI DSS compliance regularly and ensure that you are keeping up with the security requirements.
  • Be cautious with temp staff. Using temporary staff is necessary during the holiday season. But, you do not have a history of trust with temporary staff before the holiday volume surge begins. Unfortunately, you simply do not know if this staff will be more prone to either individual card fraud or more wholesale efforts (e.g., installing key loggers or malware at payment terminals). Take steps to limit their ability to do harm, such as by disabling USB ports at registers and providing more supervisory oversight.
  • Don’t skimp on QA/QC. Most retailers have some special promotions for the holidays, and this can mean code deployment. We have seen a number of breaches that are the result of improperly tested code, or even the deployment of the wrong code. Continue to follow your QA/QC steps.
  • Prepare for a breach before it happens. Responding to a breach during the holiday season combines a stressful event with the most stressful (but often profitable) time of the year. Preparing beforehand will help minimize disruption to your business when you need to focus on revenue.

If you are one of the unfortunate victims of hacker activity, we have a strong team of breach response specialists to help you with your response and resume business as usual. Please contact any of us listed below, or call our breach hotline at 1-844-GoToDWT.

After the rush of the holiday season is over, you should start enhancing your security for the next holiday season and beyond. This should begin with an in-depth risk assessment to identify areas of concern, followed by targeted information security enhancements. We can help you with how to conduct these tasks, as well as a wide variety of other beneficial security enhancement projects, such as tabletop exercises, policy review, and certifications.