98% of UK businesses are now online in one way or another, and they all benefit hugely from the use of websites, social media accounts, and online banking. With the ability for customers to shop 24/7 online it is no surprise that cybercriminals are using this to their advantage.
But there is a price to pay for the convenience of online retail - The rate of cyber-attacks on UK retail businesses has been steadily increasing in recent years. According to the Cyber Security Breaches Survey 2021, which is conducted by the UK government, 38% of UK retail businesses reported experiencing a cyber-attack in the past 12 months, which is up from 19% in 2019.
The most common types of cyber-attacks reported by UK retailers include phishing attacks (72%), impersonation attacks (41%), and ransomware attacks (17%). These attacks can result in significant financial losses, as well as damage to the reputation of the affected businesses.
As well as attacks on the retailers themselves there has been an exponential increase in attacks on online consumers being defrauded themselves, often following a phishing attack - usually being directed to a spoof website of a real online retailer and sending their hard earned money to criminals rather than to the legitimate company itself. This attack, whilst customer focused, has a significant impact on online retailers in that they often lose a sale and may suffer reputational damage into the bargain.
So, what is phishing?
Phishing at its most basic is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
You might have heard of phishing, vishing, smishing, quishing, spear phishing, whaling, but all the names mean is that there are a lot of different ways that a cyber-criminal is going to try and get you to click on a link and take you to a fraudulent portal or website.
Criminals use all communication methods, so if a new method comes out, you can be sure a criminal will be there trying to exploit it. To underline this fact we are now seeing a rapid rise in the number of QR Code phishing attacks - here the criminal encourages you to use the code on the screen to go to the spoof website.
How could my company be targeted?
Criminals use information from across the internet to create phishing messages. Knowing what information about you and your company can be found by a criminal can be extremely useful in understanding what information could be included within a phish.
For example, would you believe an email as genuine if it contained your username and password in it? Did you know that if your details have been released in a data breach, usernames and passwords are just one thing that could be known, along with your IP address, address, telephone number, in fact, any sensitive information you might give to a company?
If your company has published that you have just signed a new company, called XYZConsultancy, as a client, a criminal could use that information to create a fake domain XYZC0nsultancy.com to trick you into communicating with them.
Would you click on a link which talked about new ‘Tax refunds for the retail sector – find out more here!’
If a message contains any of the following, really think before you click:
Urgency “you must do this now” – here the attacker is trying to induce you to panic so that you don’t question the action being asked of you
Authority – messages appearing to come from a boss, colleague, or company you engage with regularly, or with information they shouldn’t have unless they are genuine (your IP address for example)
Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”
Curiosity – enticing you with something like “breaking news”
Why do cyber criminals do it?
Simply put, they want access to your systems and money.
Phishing messages are usually designed to get you to click a link or download an attachment. They hope to either steal your login credentials or install malware on your systems, and once they are in your system, stealing your data is likely the next step for them. And after that they may hold you to ransom to get it back, they might just publish it all on the internet or they could simply destroy all your company data without asking for anything. Or they may just wait for an opportunity to take advantage of their position in order to steal money from you, a supplier, or a customer.
What can you do?
All phishing depends on an element of social engineering or interaction with a person, so you really need to make staff engagement and upskilling a priority.
Have a plan in place to deal with phishing attempts and successful attacks. Make sure your staff know how to report an attack and don’t put barriers in place to reporting, such as disciplinary action.
Phishing attacks can be very sophisticated and extremely difficult to guard against but making sure you know how and when an attack has taken place means that you can react in the right way. You really don’t want a staff member too scared to report a successful phishing attack and letting an attacker have an extended period of time in your systems.
The National Cyber Security Centre (NCSC) have created an enterprise Outlook add-in for staff to be able to report email phishing directly from their email box. The NCSC will the actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.
What next?
The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost. Here at the centre, we would recommend that you
Join our community for free and you will be supported through implementing the changes you need to make to protect your organisation. We are a free membership organisation run by the police and funded by the government, so we will always put you and your business first.
Take a look at our free guidance packs, including the free ECRC retail guide which lays out in simple terms what you can do to protect yourself and your customers.
ECRC has affordable student services who can deliver a bespoke security awareness training session tailored to your company and the risks it faces. Contact us to find out more.
Reporting a live cyber-attack 24/7
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cyber-attack which isn't ongoing
Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).