web analytics

Help Safeguard Retailers Against Social Engineering Attacks – Source: www.databreachtoday.com

help-safeguard-retailers-against-social-engineering-attacks-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Fraud Management & Cybercrime
,
Ransomware
,
Social Engineering

Navigating the Complex Landscape of Evolving Threats and Cybersecurity Resilience

Information Security Media Group


May 15, 2024    

Help Safeguard Retailers Against Social Engineering Attacks

Over the last decade, social engineering cyberthreats have surged among retailers just as the sector’s reliance on customer data, financial transactions and e-commerce platforms has intensified.

See Also: Gartner Magic Quadrant for Single-Vendor SASE

Social engineering, in which malicious actors exploit human vulnerabilities to obtain personal or financial information, can pose serious risks to retailers. As a result, chief information security officers and retail C-suite executives are often working to navigate a constantly evolving threat landscape, investing in robust cybersecurity measures, employee training and proactive defense strategies to help reduce risks.

Unfortunately, no company, regardless of size, is immune to the potentially disastrous effects of complex, sophisticated social engineering tactics.

New Cybersecurity Risks: A Click Away

In 2022, a multinational retail shipping giant fell victim to a massive SMS phishing attack, shining a spotlight on the pressing need for heightened vigilance and more robust cybersecurity strategies. Customers of the shipping service received deceptive text messages requesting payment before their packages could be delivered. An internal investigation revealed that cybercriminals had exploited the company’s package look-up tools to access customer shipping information. Since then, multiple other retail shippers have also suffered SMS phishing attacks.

Phishing scams, which involve fraudulent attempts to obtain sensitive information by posing as a trustworthy entity, have been rapidly evolving and proliferating. David Naumann, a strategic marketing leader for Verizon, emphasized the vulnerability created by consumers’ trust in retail brands. “If a bad actor launches a text-driven phishing attack, even a logical person might accidentally click on a fraudulent text because they’re expecting a package. Attackers trick people because of the volume and number of customers who rely on these retail delivery services.”

Impersonating Employees or Businesses

Attackers also use phishing emails to trick a company’s employees into disclosing login credentials, which can give them access to systems that hold personal identifiable and account information. Once data is accessed and exfiltrated, the organization’s employees and customers can be exposed to the risk of identity theft and fraud. Exploited PII can also create potential compliance issues, compounding woes for those hit with this type of social engineering attack.

Nick McMillon, a security solutions expert for Verizon, emphasized the threat posed by such attacks, including the planting of ransomware as a means of data harvesting. In August 2023, for example, a large Las Vegas casino group experienced a social engineering attack that resulted in the theft of personal information from members of its customer rewards program. The attack, targeting an outsourced IT support vendor, led to unauthorized access impacting thousands of customers.

To help defend against social engineering attacks, McMillon advocates for a multipronged approach that includes employee training, customer education, threat detection and trust enforcement. He emphasizes the importance of access control and encryption as vital components of a comprehensive defense strategy against social engineering, helping to improve the safeguarding of networks, applications, devices and identities.

Insights From Verizon’s Research

As outlined in Verizon’s 2024 Data Breach Investigations Report (DBIR), key social engineering takeaways include:

  • The retail sector recorded 725 incidents, with 369 retailers confirming data disclosure.
  • Primary breach patterns include system intrusion, social engineering, and basic web application attacks, which account for 92% of the retail sector breaches.
  • Driven largely by financial motives, external actors were responsible for 94% of retail sector breaches.
  • Payment card information – 25% – and credentials – 38% – were the most commonly compromised data types in the retail sector.
  • Nearly 3/4ths – 73% – of social engineering pretexting and phishing incidents were attributed to business email compromise (BEC) in the last year.

Social Engineering’s Impact on Retailers

Social engineering attacks affect retailers in the following ways:

  • Financial losses may result from fraudulent transactions, chargebacks and fines imposed by payment card networks for noncompliance with security standards.
  • Operational disruptions, such as website downtime or system outages, may take place as a result of social engineering attacks on retail organizations.
  • Reputational damage can also happen as customers can lose trust in the retailer’s ability to protect personal and financial information, leading to potential lowering of sales and reducing brand loyalty.
  • Legal repercussions may potentially include regulatory fines for data breaches, lawsuits from affected customers, and government investigations into the retailer’s lack of compliance in following applicable data protection laws.

Retail Threats Ahead

New technologies, changing consumer behaviors and emerging attack tactics each play a role in the evolution of retail social engineering threats. As retailers adopt omnichannel strategies to integrate their online and offline sales channels, threat actors are likely to increasingly target these platforms with sophisticated social engineering attacks, from phishing emails to fake customer service calls and malicious websites.

What’s more, the abundance of customer data coming from omnichannel platforms can create a greater risk of attack success. Attackers may tailor social engineering attacks to individual customers based on their purchase history, demographics and behavior, making them appear more valid and luring potential victims more easily to the bait – especially those in a hurry or for whom the consequences of inaction would seem concerning, even alarming.

Verizon offers integrated solutions that can help retailers – from employee awareness training to mobile security policy, security protection controls, detection and incident response, and ongoing testing and reporting.

Retail sector leaders who are working to harden their cybersecurity posture against this growing attack type can review a helpful resource on the topic from Verizon: Expert Guide to Lowering Social Engineering Risks.

https://www.verizon.com/business/resources/best-practice/an-expert-guide-to-lowering-social-engineering-risks.pdf.

Original Post url: https://www.databreachtoday.com/blogs/help-safeguard-retailers-against-social-engineering-attacks-p-3620

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

Google
We’re All in this Together
We’re All in this Together
CyberSN
U.S. Cybersecurity Job Posting Data Report
U.S. Cybersecurity Job Posting Data...
CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED...
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing
Joas A Santos
Windows API for Red Team #101
Windows API for Red Team...
Economic Research Working Paper
Artificial Intelligence and Intellectual Property
Artificial Intelligence and Intellectual Property
CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture

More Latest Published Posts

cisco
Cyber Incident Response
Cyber Incident Response
CSR Cyber Security Council
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
SYBEX
Cybersecurity ESSENTIALS
Cybersecurity ESSENTIALS
Agency for Digital Government
Cyber security in supplier relation ships
Cyber security in supplier relation ships
RINKU
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
CNIL
PRACTICE GUIDE GDPR
PRACTICE GUIDE GDPR
FERMA
THE ROADMAP TO STRATEGIC RISK MANAGEMENT
THE ROADMAP TO STRATEGIC RISK MANAGEMENT
ENISA-EUROPA
Cyber Resilience Act Requirements Standards Mapping
Cyber Resilience Act Requirements Standards Mapping
CYTAD
Essential Data Privacy Checklist
Essential Data Privacy Checklist
SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems