Hari Raya is a major celebration in Malaysia, and many countries in Asia and worldwide, as numerous Muslims journey home to celebrate the end of Ramadan. It is also a significant retail event. It is also a time where consumers will splurge on food, drinks, new clothes and other luxury purchases over the festive period.
Unfortunately, as more consumers turn to online shopping, holidays such as these are inevitably becoming a prime target for cyberattacks that disrupt business operations and steal sensitive customer data. IBM annual report on global security threats, the X-Force Intelligence Threat Index 2024, shows that the retail and wholesale sector accounted for 10.7 percent of all attacks in 2023, up from 7.3 percent in 2021. Previous research has highlighted a sharp increase in fraudulent e-commerce websites in the lead-up to Black Friday sales.
There are good reasons why the spending fever associated with holidays is a prime target for cyberattacks.
Celebrations like Hari Raya or the Lunar New Year are when many people’s guards are down to phishing campaigns, and other email and social media scams. Sensitive personal and payment data (such as email addresses and credit card details) can be left open on devices. Alternatively, people can be induced to give them under false pretences.
The retailers that people put their trust in can also let down their defences, allowing data to be stolen by cybercriminals seeking to make money.
Identity theft an unwanted holiday gift
Cyberattacks come in many forms, but stealing users’ identities by logging into valid accounts has become the path of least resistance for criminals. There are now billions of compromised credentials accessible on the dark web.
X-Force’s data shows a 266 percent increase in the use of infostealing malware in 2023. This targets personally identifiable information such as email, social media, and messaging app credentials, as well as banking details and crypto wallet data. Infostealers are now linked to 10 percent of all attacks – and this is only likely to grow as generative AI becomes more widely used.
Access to compromised credentials enables cybercriminals to modify users’ personal information, lock users out of their accounts, make purchases in users’ names, empty accounts, and set up fake accounts.
The idea that an authentic-seeming e-commerce website selling holiday gifts is fake, or a link to an enticing product pitched through our inbox could be malicious, is the last thing online shoppers expect. Fake discounts and limited-time sales are designed to create a sense of urgency that an offer is too good to refuse.
Unfortunately, such attacks are challenging to detect and require a costly response. According to X-Force’s data, security incidents involving valid accounts required enterprise security teams to take nearly 200 percent more complex response measures than with average incidents.
Of course, it’s not just consumers that are at risk during holiday periods. It only takes one employee to click on a too-good-to-be-true offer or fake link in their inbox for an organisation to face significant financial or reputational damage. Furthermore, security teams may be significantly understaffed during holiday periods as team members take a break to join in the festivities.
Where to from here?
Protecting against cybersecurity threats during the holidays is a joint responsibility of both organisations and consumers. Retailers should only ever be collecting the data they need, in order to minimise their footprint. Access should be carefully restricted to specific employees.
Deploying endpoint detection and response tools on all servers and workstations helps to spot infostealers and ransomware. Improving credential management practices by implementing multi-factor authentication can also reduce risk.
Having a specific cybersecurity response plan in place for holidays will reduce the time to respond, remediate, and recover from an attack. Ensure that your organisation has the right staff on call to handle an emergency, should it occur.
In terms of everyday hygiene, employees fundamentally need to know the risks and what to look out for. Training should cover topics such as identifying suspicious links, the dangers of connecting work devices to public networks, and the importance of strong passwords.
For their part, consumers should be educated to know when a purported communication from a company such as a bank or retailer is authentic and when it is fake. We all have a responsibility to safeguard against sites that look poorly designed and unprofessional, provide no contact information and ask for credit card details without reasonable reasons why.
While there is no silver bullet to being cybersafe during holidays such as Hari Raya, being aware of the risks and having plans in place to counter them can help ensure that no unwelcome guests interrupt the celebrations.
The most wonderful times of the year should not be the most vulnerable times, too.
Note: This commentary was contributed by IBM Malaysia.
