BLACK FRIDAY, may this Friday not be really black


Black Friday 2024 is here! November 29th is the official day for this event, a true American tradition, followed by the online-focused Cyber Monday. According to a study by the Spanish Organization of Consumers and Users (OCU), up to 76% of shoppers are expected to seek out products and services on the famous “Black Friday”. The average consumer is expected to spend between €200 and €300. Globally, total purchases for the day are projected to exceed $278 billion, highlighting the significant economic and social impact of this phenomenon.

Rocket Digital reports that Spanish retailers are wagering up to 40% of their annual revenue on Black Friday 2024, with the percentage rising to 60% for brands fully dedicated to online sales. This represents a huge business opportunity for countless companies and a potential source of savings for consumers on the brink of the holiday season.

Additionally, 68% of Spanish e-commerce businesses plan to invest in technology for Black Friday, particularly in automation (18%) and data analysis (18%), which are crucial for managing the high volume of orders, forecasting demand, and adjusting strategies in real-time. 

The exponential growth in online transactions over such a short period has increased the risk of cyberattacks and fraud. In fact, Black Friday can turn into a particularly “dark” day for many consumers and businesses if they fail to take proper security measures and ensure service continuity.

In November 2023 alone, Spain saw a staggering 45,000 cyberattacks, resulting in estimated economic losses exceeding €20 million. So far in November 2024, there has been a 138% increase in the number of domains registered with the term “Blackfriday”, with over 6,400 domains now registered. This surge is concerning, particularly if some of these domains are fraudulent websites with malicious intent.

What types of threats do consumers face during this period? While this is not an exhaustive list, here are some of the most common:

  • Phishing: Cybercriminals send emails that appear legitimate, redirecting users to fake websites designed to steal personal data. At this time of year, it’s common to receive emails offering enticing discounts or promotions, encouraging users to click malicious links or download potentially harmful content.

  • Typosquatting: Fake websites or apps are created to closely resemble legitimate ones, often using minor typos in URLs or app names to deceive users. In the chaos of Black Friday deals and the rush to secure a coveted item, it’s easy to fall for a cloned site that looks identical to your favorite brand’s official page.

  • Malvertising: Cybercriminals use online ads to distribute malware or redirect users to fraudulent websites. With the overwhelming number of ads flooding our browsers, it’s easy to accidentally click a dangerous link.

  • Smishing and Vishing: These phishing variants operate through fraudulent text messages (smishing) or phone calls (vishing). Attackers impersonate banks or trusted services to steal confidential information. Criminals may also pose as delivery services to obtain personal or banking details. The use of AI by attackers can make these phone calls more convincing, even mimicking the voices of familiar people to create a false sense of trust.

  • SIM swapping: Cybercriminals duplicate a SIM card to intercept two-step authentication messages and gain access to accounts or apps. By using malicious apps or ads on a victim’s smartphone, attackers can install programs that give them control of the device.

  • Fake apps and promotion fraud: At this time of year, cybercriminals often release apps that appear to be from legitimate e-commerce stores but contain malware. Fake promotions, such as counterfeit discount coupons and “flash” offers, are also common, designed to lure in impulse buyers. The combination of social engineering tactics, the allure of exclusive deals, and the urgency of limited-time promotions can cause buyers to let their guard down when verifying the site. After making a purchase, they may never receive their order.

In light of these risks, what can we do to protect ourselves? Here are some key recommendations to help ensure a safer and more reliable shopping experience:

  • It may seem obvious, but beware of offers that seem too good to be true! Always verify the authenticity of the website and try to shop only on reputable sites. Avoid impulse purchases from questionable sources. Start by hovering over the URL to confirm it’s a secure site with a valid SSL certificate. Check for “https://” or “shttp://” in the URL, where the “S” indicates the connection is encrypted and protected with an SSL certificate. This system, however, is not entirely infallible. There has been a significant increase in the number of malicious sites that also use SSL certificates. It’s advisable to review the site’s privacy policy, use tools like Google Safe Browsing to check security, or perform a WHOIS search to verify the website’s owner. Also, pay attention to domain extensions—ensure that the website you’re visiting matches the known domain (e.g., “.es” for Spanish sites) and hasn’t been mimicked with a different extension (e.g., “.org”) to steal your information. Your security comes first!

  • Be cautious of phishing emails masquerading as trusted retailers. Double-check the sender's email address, confirm the domain is correct, and make sure the email subject is relevant to your purchase and not just some “random delivery error”. Legitimate businesses will never ask for personal or financial information via email or phone. If you detect any signs of phishing, trust your instincts and avoid responding!

  • Use a dedicated payment card for online purchases, ideally one with secure features like two-factor authentication, and limit your daily spending. Regularly review your card statements to catch any unauthorized charges.

  • Avoid using public Wi-Fi for online shopping. Many stores and other establishments offer free Wi-Fi as a courtesy to their customers, but these networks are not always secure. If you must use them, always enable a VPN to protect your data.

  • Keep the software on all the devices you use for online shopping up to date, and use antivirus software for added protection. Be sure to adjust your browser settings to limit third-party tracking.

  • Beware of fake apps: only download apps from trusted sources like the Apple App Store or Google Play Store.

  • Use strong, unique passwords combined with two-factor authentication. Remember, weak or reused passwords can easily be compromised.

  • Beware of scams on social media. Fraudsters often use social media platforms to redirect you to fake websites that trick you into making unwanted transactions.

  • Before scanning a QR code, verify that it makes sense and matches the context around it. This applies to both online and physical locations. Ensure the code hasn’t been tampered with or placed by someone with malicious intent.

  • Be cautious of “fake consultants” offering last-minute discounts or loyalty programs in malls or stores. Always check their credentials and verify their association with the establishment.

  • Exercise caution when using ATMs in busy areas. Look for any unusual devices or signs of tampering before using them.

  • If you didn’t place an order, you shouldn’t be receiving one. Some criminals impersonate delivery services to trick you into providing personal information or commit fraud.

  • ... and most importantly, use COMMON SENSE. Don’t let your guard down—there’s no such thing as a “too good to be true” deal, and products won’t sell out if you take a few extra minutes to verify the information.
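The typosquatting and domain-extension checks recommended above can be automated. The following is an added example, not part of the original article: the allow-listed shop domains and the sample URLs in the comments are constructed placeholders, and the domain splitting is deliberately naive (it assumes single-label extensions such as “.es” or “.com”).

```python
from urllib.parse import urlsplit

# Assumed allow-list of official shop domains (constructed for this example).
KNOWN_DOMAINS = ("example-shop.es", "tiendaejemplo.es")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only one row of the table in memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def split_domain(host: str):
    """'www.shop.es' -> ('shop', 'es'). Naive: ignores suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

def check_url(url: str, known=KNOWN_DOMAINS) -> list:
    """Return warning tags for a URL; an empty list means an allow-listed
    domain reached over https."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = [] if parts.scheme == "https" else ["not-https"]
    name, tld = split_domain(host)
    if f"{name}.{tld}" in known:
        return findings
    lookalike = []
    for good in known:
        gname, gtld = split_domain(good)
        if name == gname and tld != gtld:
            lookalike.append(f"tld-swap:{good}")        # e.g. .org instead of .es
        elif edit_distance(name, gname) <= 2:
            lookalike.append(f"typosquat:{good}")       # e.g. examp1e-shop
        elif gname in name:
            lookalike.append(f"brand-embedded:{good}")  # brand plus extra words
    if "blackfriday" in host.replace("-", ""):
        lookalike.append("blackfriday-keyword")
    return findings + (lookalike or ["unknown-domain"])
```

A tag such as `typosquat:` or `tld-swap:` names the legitimate domain the URL resembles, which is the case where the WHOIS and Safe Browsing checks mentioned above are most worth doing.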

What about the challenges the selling companies themselves face during this time?

As we mentioned at the beginning of this article, Black Friday is an incredible opportunity for retailers to boost their sales in the final stretch of the year. However, it also presents significant challenges in terms of information security and business continuity. The key areas companies need to focus on are:

  • Availability and processing capacity. The exponential increase in transactions will require substantial processing and storage capacity from information systems. IT managers must carefully plan their infrastructure capacity and consider backup solutions like cloud services to strengthen system performance, while also ensuring contingency mechanisms and scalability if needed.

  • Strengthening cyberattack detection capabilities. Attacks such as denial-of-service (DoS), ransomware, and attempts to exfiltrate sensitive customer data and transactions are expected to increase significantly. The capabilities provided by a Security Operations Center (SOC) or Computer Emergency Response Team (CERT), as well as the use of XDR and other security solutions, are critical for business survival. Additionally, strengthening human resources dedicated to security services is essential in the event of a disruptive cyber incident.

  • Ensuring the security and integrity of the software lifecycle. It’s vital to ensure that changes to production systems do not introduce vulnerabilities, configuration errors, third-party malicious components, or unnecessary open APIs or ports. Special attention should be paid to third-party software integrations, payment gateways, and interfaces with logistics operators responsible for product delivery. This is a considerable challenge.

  • Cybersecurity insurance may be a prudent option to mitigate potential liabilities arising from a cyberattack.

  • Updating and training on the Business Continuity Plan (BCP) and Crisis Management Plan (CMP). In the event of a major incident, companies must have the technical and human resources in place to restore operations as quickly as possible, minimizing both financial and reputational losses. 

Enjoy your Black Friday and happy shopping!!!

 

Author: Ángel García-Madrid Velázquez 


Source URL: http://www.gmv.com/media/blog/cybersecurity/black-friday