Hoards of people lining up at Walmart's storefront is the classic Black Friday image.
Instead of going out at 2 a.m. for a deal, shoppers can stay in bed and shop online. It's easier for them and the bad actors who want to steal payment information.
In the month leading up to the shopping holidays, there was a 400% increase in phishing activity, according to research from cloud-based security company Zscaler.
Black Friday and Cyber Monday sale emails have been flooding consumer inboxes, but retailers won't say "anything about your transaction being secure [or] anything about what they're doing to secure the data from a technology standpoint," Jerry Ray, COO of SecureAge, told CIO Dive.
"When I look at our sales cycles, and when I look at the sales cycles of partners of ours who sell other products, we've never noticed that the holidays have increased [security spending] for any enterprise customers."
Jerry Ray
COO, SecureAge
Retailers ensure compliance with various regulatory programs for privacy, or updating payment processing systems and antivirus software, but "I haven't seen investment in new tools or infrastructure for any reason other than capacity," said Ray. "When I look at our sales cycles, and when I look at the sales cycles of partners of ours who sell other products, we've never noticed that the holidays have increased [security spending] for any enterprise customers."
Researchers estimate about 6,000 potential e-commerce phishing sites are live on the web and expect 3,000 more by the end of the year, according to NormShield.
Cybercriminals feed on customers shopping on a potentially malicious site or inputting personal data into a corrupt link.
The bad actors behind Magecart skim sites for payment data through point-of-sale portals by "injecting JavaScript" into popular sites, according to Zscaler. The malware can track cookies, locating where data is stored and how it travels.
Magecart is "smart enough to check for old card details," and once a card is validated, it sends the details back to the hacker.
Shopper discretion is advised
As holiday shopping heats up, secure shopping practices fall on the customer, not the retailer.
"Organizations aren't necessarily going to be forthcoming in relation to their particular cybersecurity strategy," Carl Wearn, head of e-crime at Mimecast, told CIO Dive. But a general statement "establishing or guaranteeing a minimum level of security that can be expected in terms of the encryption or the security of data is likely to be seen as a significant step in the right direction."
The U.S. Department of Homeland Security's Cyber and Infrastructure Security Agency (CISA) issued a warning earlier this month for consumers. "Be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online," the agency said.
Last week Macy's confirmed a data breach, which occurred for one week in October. The breach was a result of a "highly sophisticated and targeted data security incident," the company said.
Hackers potentially compromised customers' names, addresses, phone numbers and payment card data, though mobile transactions were left untouched, according to the retailer.
While there is heightened awareness of data use, companies have to be sensitive to data security.
"I would expect that any organization dealing with large quantities of personal data to comply with best practice in relation to its storage and security, at the very least by following the guidance set down by frameworks such as NIST and the UK's National Cyber Security Center," said Wearn.
Even the most diligent consumers can't defend themselves from a "highly sophisticated" cyberattack. "The overwhelming majority of attacks remain less-sophisticated," prompting human error-based compromises, according to Mimecast's Threat Intelligence Report. Ninety percent of cyberattacks stem from human error.
"The more individuals are aware of their own use of technology and how that can render them vulnerable, the more knowledgeable and capable they will become in securing themselves," said Wearn.