With the holiday season looming, many shoppers are looking to take advantage of Black Friday / Cyber Monday discounts with their favourite online sellers. But this increase in marketing material and online purchasing also presents an opportunity for malicious actors to trick customers into interacting with phishing emails, which can have a negative impact on their holiday shopping experience.
At Stitch, we work to prevent fraud for the businesses that use our solutions. This often includes card or identity theft, which can be the result of phishing attacks and scams.
To help everyone remain safe during the holiday season, we’ve put together some advice that businesses can share with their customers.
When searching for “types of phishing,” a lot of results will likely come up. We’ve simplified this into three core types of actions a phishing email might try to force a customer to take:
1. Open a malicious document
This type of phishing aims to achieve some level of remote code execution on someone’s computer, typically by exploiting an outdated piece of Adobe software or by tricking them into enabling Office macros.
Example of phishing: Microsoft Office
This can be a real problem and a favourite way for attackers to get access to a machine. Customers should be careful about opening or running anything sent by an untrusted person, and should prefer opening PDFs in Chrome’s built-in PDF viewer rather than a desktop reader.
2. Inadvertently do something malicious themselves
This is often called CEO fraud: an attacker spoofs an executive and tries to get money paid urgently into an account. Technically, however, it covers any attack where someone is social-engineered over email into performing a harmful action themselves, such as sharing confidential documents or revealing sensitive information.
Example of phishing: CEO fraud
These attacks typically target people who have the ability to move money within organisations. As a result, most people do not need to worry about CEO fraud. However, the safest option is to verify sensitive requests through a different communication channel.
3. Enter sensitive information into a malicious website
This kind of attack vector has been around since the mid-90s, and while implementations have become more varied, the fundamentals remain unchanged. The attacker crafts an email masquerading as a reputable company, or as a representative of that company. The email demands action: either some information needs to be confirmed, or something has gone wrong and needs to be urgently rectified.
Either way, when you click on the link in the email, you are taken to a fake website that captures your data. These websites typically look identical to the real one and may even redirect you to the legitimate website’s login screen after you enter your details, so the theft goes unnoticed.
Example of phishing: malicious website
Customers are likely to receive an influx of marketing communications around the holiday season, and identifying which might be malicious can be difficult. This may be exacerbated by an increase in potentially legitimate deals that sound a bit too good to be true, or simply the general increase in online shopping promotion. If they’re unsure, there are a few ways customers can verify the legitimacy of an email.
A bad way to spot phishing
The classic advice is that if a sender uses incorrect grammar, an unfamiliar tone or incorrect spelling, there’s a good chance it’s a phishing email. This is no longer a strong signal, as modern phishing emails are increasingly sophisticated (and spellcheckers are everywhere). Additionally, it relies on users having a firm grasp of written English. Most businesses cannot expect a large proportion of their customers to be able to critically proofread emails.
Better, but still difficult ways to spot phishing
Phishing emails (or lures) typically have a few key features:
The best, but least convenient, way to protect yourself from phishing
All of the methods mentioned above can be confusing. Instead of trying to memorise a number of domains and agonise over small details, a far more robust way to avoid phishing scams is to build the habit of not clicking on links in emails at all. When prompted to perform a time-sensitive action on a website, customers should, instead of clicking in the email, browse to the website the way they normally would (e.g. via Google, a bookmark or their browser history) and authenticate there.
Most services today show red notifications on a toolbar that guide users to any required actions. This method is slightly less convenient, but it takes the whole burden of understanding phishing off customers so that they can focus on living their lives.
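To show why the "agonise over small details" approach is fragile, and what a business’s own support or security team can do with the emails that customers forward to them, here is a small link-triage script. It is an added example written for this article, not code from Stitch, and everything in it is an assumption: the business’s legitimate domain (`example-shop.com`), the sample email body, and the crude "last two labels" domain check (a real tool would use the public suffix list). It flags a link when it leaves the business’s domains, when the brand name is buried inside some other hostname, or when the visible link text names a different domain from the one the link actually points to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the business genuinely sends mail from and links to.
# Constructed for this example; a real tool would load the business's own list.
LEGITIMATE_DOMAINS = {"example-shop.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._text_parts = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text_parts).strip()))
            self._current_href = None


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels.
    Adequate for .com-style names; a production tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_links(html_body, legitimate_domains=LEGITIMATE_DOMAINS):
    """Return [(href, [reasons])] for every link in the email that deserves suspicion."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme == "mailto":
            continue  # contact addresses are out of scope for this check
        reasons = []
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https") or not host:
            reasons.append("non-web or unparsable link")
        else:
            target = registrable_domain(host)
            if target not in legitimate_domains:
                reasons.append(f"links to {target}, not a known domain of the business")
            # Brand name used as a prefix of a different domain,
            # e.g. example-shop.com.account-verify.net
            for good in legitimate_domains:
                if good in host and target != good:
                    reasons.append(f"'{good}' appears inside the hostname of a different domain")
            # The visible text names a domain that differs from where the link goes
            m = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())
            if m and registrable_domain(m.group(1)) != target:
                reasons.append(f"visible text says {m.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one lookalike "confirm your details" link, one genuine deals link.
SAMPLE_EMAIL = """
<p>Your order could not be processed. Please
<a href="https://example-shop.com.account-verify.net/login">confirm your details at example-shop.com</a>
within 24 hours.</p>
<p>Browse our <a href="https://www.example-shop.com/deals">Black Friday deals</a>.</p>
<p>Need help? <a href="mailto:support@example-shop.com">Email support</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Even this small checker needs a maintained domain list and a proper public-suffix lookup to be reliable, which is exactly the detail a customer cannot be expected to keep in their head; the "browse there yourself" habit sidesteps all of it.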
As a result of email phishing scams, customers are highly susceptible to bank card fraud and identity theft, and this is exacerbated during times of high traffic such as Black Friday.
If you’re an e-commerce business, chances are you’re looking to instill more confidence in your consumers while also combating fraud on your platform. Stitch’s pay-by-bank product includes measures to enable zero-fraud payments, such as identity verification and suspicious activity tracking, which prevent phishers from using customer details maliciously on your platform.
For businesses that use Stitch to enable bank payments, we match the bank account details on the customer’s side (e.g. name, email, address) to the details that the business holds for that customer. For example, if a customer is trying to check out on your site via Stitch InstantEFT, we can first check the customer’s bank account ownership against your own KYC information, ensuring that the customer isn’t using a third party’s details to pay for the transaction.
Because we link to customers’ financial accounts while a payment transaction is happening, we can also check any suspicious transactions against their bank account behavior to ensure that they are good actors on your platform.
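As an added illustration of the ownership check described above, here is what matching bank-account holder details against a merchant’s KYC record can look like in code. This is example code written for this article, not Stitch’s implementation: the fields compared, the normalisation rules, the street-abbreviation list, the sample records and the allow/review policy are all assumptions. The point it makes is that a naive string comparison would reject legitimate customers ("Smith, Jane A" vs "Jane Smith", "12 Rose St." vs "12 Rose Street"), so the comparison normalises each field first and then applies an explicit policy, sending anything that fails to manual review rather than silently accepting or rejecting it.

```python
import re
import unicodedata

# Minimal street-abbreviation table, constructed for this example.
_STREET_ABBREVIATIONS = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive"}


def normalise_text(value):
    """Lower-case, strip diacritics and punctuation, collapse runs of whitespace."""
    value = unicodedata.normalize("NFKD", value or "")
    value = "".join(ch for ch in value if not unicodedata.combining(ch))
    value = re.sub(r"[^a-z0-9 ]+", " ", value.lower())
    return " ".join(value.split())


def names_match(bank_name, kyc_name):
    """Order-insensitive comparison: every token of the shorter name must appear in the
    longer one, so 'Smith, Jane A' matches 'Jane Smith'. A single-letter token is treated
    as an initial. At least two tokens are required, so a bare first name never matches."""
    a = normalise_text(bank_name).split()
    b = normalise_text(kyc_name).split()
    shorter, longer = (a, b) if len(a) <= len(b) else (b, a)
    if len(shorter) < 2:
        return False

    def token_present(tok):
        if len(tok) == 1:
            return any(other.startswith(tok) for other in longer)
        return tok in longer

    return all(token_present(tok) for tok in shorter)


def emails_match(bank_email, kyc_email):
    """Emails are compared exactly after trimming and lower-casing."""
    a = (bank_email or "").strip().lower()
    b = (kyc_email or "").strip().lower()
    return bool(a) and "@" in a and a == b


def _normalise_address(line1, postal_code):
    tokens = [_STREET_ABBREVIATIONS.get(t, t) for t in normalise_text(line1).split()]
    return " ".join(tokens), normalise_text(postal_code).replace(" ", "")


def addresses_match(bank, kyc):
    return _normalise_address(bank.get("address_line1"), bank.get("postal_code")) == \
        _normalise_address(kyc.get("address_line1"), kyc.get("postal_code"))


def verify_account_ownership(bank, kyc):
    """Compare the paying account's holder details with the merchant's KYC record.
    Policy (an assumption for this example): the holder name must match and at least one
    of email or address must corroborate it; anything else goes to manual review."""
    checks = {
        "name": names_match(bank.get("name"), kyc.get("name")),
        "email": emails_match(bank.get("email"), kyc.get("email")),
        "address": addresses_match(bank, kyc),
    }
    decision = "allow" if checks["name"] and (checks["email"] or checks["address"]) else "review"
    return {"decision": decision, "checks": checks}


# Constructed sample records.
MERCHANT_KYC = {"name": "Jane Smith", "email": "jane.smith@example.com",
                "address_line1": "12 Rose Street", "postal_code": "8001"}
BANK_HOLDER = {"name": "Smith, Jane A", "email": " Jane.Smith@Example.com",
               "address_line1": "12 Rose St.", "postal_code": "8001"}
THIRD_PARTY_HOLDER = {"name": "Thabo Nkosi", "email": "t.nkosi@example.net",
                      "address_line1": "9 Oak Road", "postal_code": "2000"}

if __name__ == "__main__":
    print(verify_account_ownership(BANK_HOLDER, MERCHANT_KYC))
    print(verify_account_ownership(THIRD_PARTY_HOLDER, MERCHANT_KYC))
```

The `review` outcome matters as much as the `allow`: a customer paying from a genuinely different account of their own should be held for a human or a further check, not refused outright, while stolen third-party details should never pass on a name mismatch alone.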
Using these methods, we’ve been able to fully eliminate fraud on our pay-by-bank product, making it easier for consumers to pay and for businesses to securely and directly accept payments.
Want to learn more about how you can enable seamless, instant bank payments on your platform, without fear of fraud? Get in touch at email@example.com.