WEB AND MOBILE FRAUD
Holiday Heist - Surviving Black Friday and Cyber Monday
Riskified and ORIS Media seminar provides top tips to avoid fraud this peak season.
Black Friday may provide the starting pistol for the traditional peak trading period but also sounds the alarm bells around the increased risk of fraud and cyber attacks targeting retailers at their busiest time of year.
This was the view of cyber experts presenting at the ‘Holiday Heist – Surviving Black Friday’ seminar hosted by Riskified, the market leader in risk and fraud intelligence, in partnership with ORIS Media on 19th November in London.
The overarching theme of the event, which attracted a wide range of leading retail brands, was that this is the season to be even more cautious, as fraudsters look to take advantage of hurried and harried retailers letting their guard down around compliance and security protocols.
Both bricks and mortar and e-tail delegates attending the event at the boutique 'One Hundred Shoreditch' hotel were advised to be extra vigilant at this time of year – not against headline-hitting anonymous hackers, but against their own staff’s time-critical vulnerabilities when confronted with avoidable social engineering scammers seeking to exploit the over-stretched Christmas rush.
Former fraudster Elliot Castro told the assembled delegates that ‘fraud is not about hackers but human behaviours under pressure.’
The Glaswegian fraud-fighting consultant, who is an expert in the psychology of scammers, served three prison stretches in Canada, Ireland and the UK after stealing more than £2.5 million over a five-year period. He began his criminal enterprise at just 15 after he found a lost credit card on a train.
The author of the book ‘Other People’s Money' said: “Fraudsters target retailers at this time of year because sales and customer service teams are not thinking clearly.”
“If you sound legitimate, over-stretched teams will comply as it’s not what you say, but how you say it,” he said.
“It’s all part of the trust signals given off by fraudsters building clear, coherent identities.”
This produces what experts call ‘cognitive overload’, where normal checks fall by the wayside because of the sheer overwhelming volume of business traffic at this time of year.
His top tips for spotting scammers included demands for same-day delivery, repeat orders to the same address using different names, and late-night online orders from someone with no purchase history. Businesses, he said, should put in additional checks around gift card purchases and higher value items.
Conversely, while stretched staff are rushed, online and over-the-phone fraudsters bide their time – sometimes waiting hours – to execute the perfect heists by using confidence and urgency as part of their modus operandi.
“Fraud is their job, it’s not a nine-to-five operation,” he said.
This wider theme was picked up by Tim Rawlins, the director and senior advisor at NCC Group, the UK’s largest specialist cyber security business which works with public and private sector clients globally.
Rawlins, whose colleagues at NCC Group are expert ethical hackers and penetration testers, argued that many businesses were unfamiliar with all of their IT assets, with many senior managers unable to identify their business continuity plans. This factor represented a ‘security debt’ leaving businesses wide open to attacks from three main adversaries: ‘hacktivists’, organised criminal gangs, and state-sponsored bad actors.
Such cyber penetration, often using ‘synthetic personas’ and exploiting ‘levers of influence’, is aimed at widespread disruption through infecting systems with ransomware and data theft to secure financial gain, or simply distributed denial of service (DDoS) attacks. Cyber incidents like these have recently impacted businesses such as Co-op, Harrods, Marks & Spencer, and Jaguar Land Rover as well as their wider supply chains.
“The attackers are dwelling in systems sometimes for months, sometimes for just hours before launching their attacks having exploited points of vulnerability through blagging, hubris, and social engineering scams on sites including social media platforms such as LinkedIn, WhatsApp and Instagram.”
He suggested staff using social media should keep separate profiles for business and personal use to minimise risks of over sharing personal information that might be used to target them at work.
He said 20,000 Britons had been targeted by attackers using LinkedIn alone.
He concluded that attacks were a question of 'when rather than if' and that ‘hope was not a strategy’ to defeat cyber-crime.
Romy Mor from Riskified said: “The event was hugely successful and thought provoking at this challenging time of year. It certainly gave delegates plenty to think about as they go back to their own businesses.”
To get a deeper look into this season’s evolving fraud landscape, watch Riskified’s on-demand webinar, "Holiday Fraud Unwrapped: Preparing for AI-Driven and Traditional Threats". It explores key trends, real retailer challenges, and practical ways to stay protected.