While consumers focus on scoring holiday deals ahead of Black Friday and Cyber Monday, cybercriminals have their sights set on an even bigger prize: your credentials. Retailers' holiday discounts drive a surge in online activity, and cybercriminals exploit that surge to launch attacks through email, text, and phone scams, particularly ones targeting user credentials. Cybercriminals frequently target this shopping period to enable fraud and conduct other malicious attacks. We expect to see an uptick in similar cyber threat activity over the next several weeks.
The following are key cyber threats related to passwords during Black Friday and how they can compromise your account security.
- Phishing is one of the most common tactics used to steal passwords. Cybercriminals craft fake emails, SMS messages, or social media posts that appear to come from retailers offering exclusive deals, gift cards, or urgent account notifications. They also spoof delivery services like UPS since a lot of shipments for online orders occur during this period. Victims are then directed to fake login pages that mimic the real site. When they enter their credentials, the attackers capture the username and password. Once attackers gain access to an account, they may use the same credentials to target other accounts the user owns, especially if passwords are reused across multiple services.
- Credential stuffing is another common attack method during high-traffic shopping events like Black Friday. This occurs when attackers use previously stolen username-password pairs (often from unrelated data breaches) to attempt logins on various sites. Attackers use automated tools to try large volumes of login credentials. If users reuse passwords across different services, attackers can potentially gain access to their accounts. If successful, attackers can hijack accounts, place fraudulent orders, or change shipping and payment details.
- Cybercriminals may create fake apps or websites to trick users into providing their login credentials. Users may download a malicious app or visit a fraudulent website that appears to offer special deals or early access to Black Friday sales. These apps or sites prompt users to log in with their credentials, which are then stolen by the attacker. Beyond just stealing credentials, these malicious apps can also install malware that steals additional information, including other stored passwords on the device.
- During large-scale shopping events, attackers may distribute malware, such as infostealers, that target stored passwords. Infostealers are malware designed to steal credentials stored in browsers or password managers. During Black Friday, attackers may target users with malware disguised as legitimate tools or deal notifications, infecting their systems and harvesting stored credentials. If infostealers gain access to a user's device, they can compromise multiple accounts, including banking, email, and social media.
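Credential stuffing, as described in the list above, leaves a recognizable trace in a retailer's login logs: one source tries many different accounts only once or twice each, and most attempts fail. The following is an added example, not part of the original article, showing how a defender could separate that pattern from ordinary mistyped passwords; the log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines: 'timestamp ip username result' (assumed format)."""
    lines = []
    # One source trying eight different accounts once each; one pair works.
    for i in range(8):
        result = "OK" if i == 5 else "FAIL"
        lines.append(f"2024-11-29T09:00:{i:02d}Z 203.0.113.7 user{i}@example.com {result}")
    # One source hammering a single account (password guessing, not stuffing).
    for i in range(6):
        lines.append(f"2024-11-29T09:01:{i:02d}Z 198.51.100.9 bob@example.com FAIL")
    # An ordinary shopper who mistypes once.
    lines.append("2024-11-29T09:02:00Z 192.0.2.10 carol@example.com FAIL")
    lines.append("2024-11-29T09:02:09Z 192.0.2.10 carol@example.com OK")
    return lines

def analyze(lines, min_users=5, min_fail_ratio=0.8, max_avg_tries=2.0):
    """Classify each source IP and list accounts a stuffing source got into."""
    tries = defaultdict(lambda: defaultdict(int))   # ip -> username -> attempts
    fails = defaultdict(int)                        # ip -> failed attempts
    hits = defaultdict(set)                         # ip -> usernames with a success
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                # skip malformed lines
        _, ip, user, result = parts
        user = user.lower()
        tries[ip][user] += 1
        if result == "OK":
            hits[ip].add(user)
        else:
            fails[ip] += 1
    verdicts, exposed = {}, set()
    for ip, per_user in tries.items():
        total = sum(per_user.values())
        fail_ratio = fails[ip] / total
        avg_tries = total / len(per_user)
        if len(per_user) >= min_users and fail_ratio >= min_fail_ratio and avg_tries <= max_avg_tries:
            verdicts[ip] = "credential_stuffing"
            exposed |= hits[ip]                     # a reused password worked here
        elif fail_ratio >= min_fail_ratio and max(per_user.values()) >= min_users:
            verdicts[ip] = "password_guessing"
        else:
            verdicts[ip] = "normal"
    return verdicts, sorted(exposed)

if __name__ == "__main__":
    verdicts, exposed = analyze(build_sample_log())
    print(verdicts)
    print("force reset and review orders for:", exposed)
```

The accounts returned in the second value are the ones where a reused password let the stuffing source in, so they are the ones to lock, reset, and check for changed shipping or payment details.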
New Threat Vectors Pose Unique Threats
While most of this activity isn’t new, we expect to see some new threat vectors emerge.
- With artificial intelligence (AI) tools like large language models now more readily accessible, cybercriminals can create more convincing phishing/smishing messages and social engineering campaigns at scale. Threat actors can rely on these tools to craft well-worded, grammatically accurate messages to add legitimacy to their campaigns. Widely available AI tools also allow more low-skilled threat actors to set up and run mass phishing campaigns. Since ChatGPT launched in November 2022, there has been over a 4,000% surge in malicious phishing messages, according to SlashNext’s The State of Phishing 2024 report.
- QR codes have become more common because they’re convenient for contactless transactions and information sharing, but they have also become a target for cybercriminals. Quishing, or QR code phishing, has increased significantly in recent years. In 2021, QR codes were used in only 0.8% of phishing attacks; by the first half of 2024, that number increased to nearly 11%. QR codes are a popular marketing tool that can be used in online retail in many ways, such as driving traffic to a store’s page, making payments, or providing customer support. This leaves the door open for cybercriminals to use malicious QR codes to redirect users to fake websites or login portals that request personal information or other sensitive details, to download malicious files to a user’s device without their knowledge, to redirect payments to threat actors’ bank accounts, or, in social engineering attacks, to bypass security measures, for example by moving the attack from a protected email environment to a mobile device.
- The explosion in digital retail has transformed how we shop and interact with brands. Social commerce made up about 5% of US e-commerce sales in 2022 and is expected to increase to nearly 7% by 2025, according to Mintel research. Meanwhile, cybercriminals have developed sophisticated techniques to exploit social media platforms, using them as potential attack vectors. Social media users interacting with supposedly trusted brands to shop online may have a false sense of security. Beware of fake accounts impersonating brands or promoting supposed products and links.
Keep Your Passwords Safe
During Black Friday, heightened online commerce activity creates a prime opportunity for cybercriminals to launch password-related attacks. Consumers must remain vigilant, avoid common pitfalls like reusing passwords, and employ strong security practices such as MFA and password management tools. Taking proactive steps to secure accounts is the best way to defend against these prevalent threats. To stay cyber safe this holiday season, consider the following countermeasures:
- Always check the URL before clicking on a link or entering your login credentials. If a message over email or text seems suspicious, block the sender and delete it.
- Enable multi-factor authentication (MFA) for your accounts to add an extra layer of security. That will prevent anyone with access to your credentials from simply logging in.
- Avoid password reuse by using unique passwords for each account. A password manager can help generate and store complex, distinct passwords for different services.
- Only download official apps from legitimate stores like Google Play or the Apple App Store.
- Use antivirus software to scan for malware and avoid downloading software from untrusted sources. Consider using a password manager that encrypts credentials.
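The first countermeasure, checking the URL before entering credentials, can be made concrete. The following is an added example, not part of the original article, that inspects a link taken from an email, text message, or decoded QR code and lists reasons not to sign in there; the trusted domains are hypothetical placeholders, the sample URLs are constructed, and the suffix match is a simplification of real domain handling.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains you actually expect to sign in on.
TRUSTED = {"retailer.example", "parcel.example"}

def link_warnings(url, trusted=TRUSTED):
    """Return a list of reasons not to enter credentials at this URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")       # hostname is lowercased
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # In https://brand@other.test/ the real site is other.test.
        warnings.append("text before '@' is not the site")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass                                        # a normal domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike characters)")
    on_trusted = any(host == d or host.endswith("." + d) for d in trusted)
    if not on_trusted:
        brands = {d.split(".")[0] for d in trusted}
        if any(b in host for b in brands):
            warnings.append("brand name on an untrusted domain")
        else:
            warnings.append("domain not on the trusted list")
    return warnings

if __name__ == "__main__":
    # Constructed sample links.
    for url in ("https://www.retailer.example/login",
                "https://retailer.example@account-check.test/login",
                "http://retailer.example.deals.test/signin"):
        print(url, "->", link_warnings(url) or "no warnings")
```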