Cyber threats in retail increased by 25% ahead of Black Friday

In 2024, over 38 million phishing attacks were carried out by cybercriminals posing as well-known shops, banks and tech stores. Stolen data from the cards used for payments was sold on dark web forums, at prices ranging from $70 to $315 per set.

Kaspersky closely monitors developments in cyber threats related to shopping. As consumers gear up for major sale periods, such as Black Friday, looking for the best deals, the company's researchers are noticing that cybercriminals and fraudsters are preparing to exploit this demand. They specifically seek to steal personal data, money, and transmit malware through deceptive, attractive shopping.

From January to November 2024, Kaspersky products prevented 38,473,274 phishing attacks linked to e-commerce, payment systems and banking institutions. 44% of these involved the use of banking services as bait - an increase of almost 25% compared to the 30,803,840 phishing attacks recorded in the same period last year.

Scammers often pose as big stores like Amazon, Walmart and Etsy, sending misleading emails claiming to offer exclusive discounts. These emails lead to fake websites that look like legitimate ones, usually with subtle misspellings or slight variations in the domain name. Those who try to shop through these websites usually fall victim to fraud and lose their money.

Consumers' desire to win gifts is also often exploited. Fraudsters send messages promoting time-limited surveys with sweepstakes, which offer valuable prizes such as free iPhone 14. To motivate victims, they claim that only a few "selected" users will win the offer, putting pressure on recipients to act quickly. The scammers offer some "rewards" to users in exchange for the "basic information" they share, such as their email address, and also for the monetary transaction they make on the fake website.

Having studied the path followed by fraudsters, Kaspersky experts reveal that the stolen data is either directly exploited or sold to dark web markets. The value of the data determines its price. For example, complete sets of stolen credit card data, known as "fullz", usually include the card number, expiration date, CVV code, holder's name, billing address and phone number.

As part of this promotional campaign, one vendor offered a 10% discount on stolen credit card data from countries such as Canada, Australia, Italy and Spain - with prices ranging from $70 to $315 for each card, depending on its quality and origin.

To get the most out of Black Friday this year, be sure to follow a few safety recommendations:

• Do not trust any link or attachment you receive via email: check the sender carefully before opening anything.
• Check the e-shop websites carefully before entering any information: is the URL correct? Are there any spelling or design errors?
• Protect all devices you use for online shopping with a reliable security method.
• If you wish to buy something from an unknown company, check the reviews before making a decision.
• No matter how many precautions you take, you probably won't realize something is wrong until you see your bank account or credit card activity. So if you are still receiving paper copies of transactions, don't wait for them to get to you in the mail. Log on and check online to see if all the charges look legitimate - and if not, contact your bank or the company that provided your credit card directly to correct the situation.