After 9.9 and 10.10, businesses and shoppers are gearing up for 11.11, Black Friday, Cyber Monday and 12.12. And so are cybercriminals…

In South-East Asia, September 9 has become the region’s biggest online sales event. Similar to the annual Black Friday sale that follows Thanksgiving Day in the US, the so-called ‘9.9 Sales’ this year – despite the economic uncertainty – broke yet another annual record.

It was reported that on Shopee, a leading e-commerce platform in the region, over 12 million items were sold in the first hour of its 9.9 Super Shopping Day. 

This growth in online shopping – accelerated by the pandemic – has been matched by increasingly widespread risk.

The Cyber Security Agency of Singapore has reported more than a 50% rise in cybercrime over the past year, deeming e-commerce scams, phishing, threats and malware attacks the most common types of cybercrime.

In fact, the number of e-commerce scams committed in the island-state from January to March 2020 was up by 116.2% from the same period last year. During this period, people got cheated out of at least S$1.3 million, compared with $469,000 in the same period last year. 

After 9.9 and the recent 10.10 online shopping event, retailers are already gearing up for more flash sale periods coming up in the region – October 10 (10.10), Singles Day (11.11), and 12.12, in addition to the actual Black Friday in November.

In view of the potential dangers ahead for businesses and shoppers alike, CybersecAsia spoke to Aaron Bugal, Global Solutions Engineer at Sophos, about e-commerce threats, COVID-19 and the year-end festive sales season:

Aaron Bugal, Global Solutions Engineer, Sophos

What’s fuelling the growth in online shopping – and the increasingly widespread e-commerce threats that accompany it? 

Aaron Bugal (AB): The COVID-19 pandemic has definitely been the accelerant for e-commerce around the region – and the world. With a global responsibility to stay home during this pandemic, consumers had to change their purchasing behaviour, and many brick and mortar businesses had to find an alternative revenue stream, which is why many capitalised on the internet and turned to electronic retailing to order in essentials and even make a living. 

With the attention COVID-19 has generated, everyone is curious when any information is released – presenting the perfect opportunity for cyber criminals, enabling them to take advantage of this curiosity and phish for personal information, data and money.

How much impact has the COVID-19 pandemic had on consumers’ vulnerability to e-commerce security threats?

AB: Earlier this year, there was a significant spike in malicious phishing campaigns that used COVID-19 as a lure for victims. Cybercriminals have used COVID-19 to advertise cheap and plentiful personal protective equipment, miracle cures and even unscrupulous methods for not contracting the virus to trap victims and make money from their naivety.

In most cases we have observed, a new retailer would be pushing these items for sale online and creating a false sense of urgency for consumers to buy whatever was being sold. The pandemic, coupled with many new retailers and shoppers moving into the online world, has enabled many opportunistic cyber criminals to take advantage of them time and time again. 

What should businesses look out for – with 11.11 and 12.12 gearing up – to protect themselves and their customers, based on the experience in 9.9 and 10.10?

AB: Regardless of whether a business is an established retailer or still new to the e-commerce world, the best thing they can do is to ensure that their customers know where to get the most accurate information in real time.

Consumers should be informed on how often the company plans to communicate with them and how – for example, a weekly email or SMS notification of deals to be released on a weekend. And if social media is a preferred channel, they should do so and put in the effort to create an instantly recognized space that is branded and validated by the provider like with Instagram verifications.

Having a verified account reassures users that they are engaging with a legitimate business that they have ventured online to find.

How should brands play a role in educating consumers on such threats?

AB: Brands should be as open and honest as they can be with their customers. Not every business or consumer is an expert in cybersecurity, but taking the time to clearly communicate the right security steps to take with customers can really go a long way. From what they need to do to make their accounts with the business as safe as can be, advice on unique passwords, to even offering multi-factor authentication to gain access to services – these are basics that should be mandated.

Additionally, online retailers should make examples out of the phishing and brand abuse campaigns they catch – use a portion of their website or social feed to educate users on threats they might find online.

What are some key observations you have on opportunistic cybercriminals in the South-East Asia region, and what trends can we expect moving into 2021 and beyond?

AB: Every one of us should be very mindful of what we share online, especially when posted to public or semi-public spaces. We have found a great deal of situations where individuals who have shared information on their own hobbies, interests or even promoted brands they love have had this data used against them in a type of spear phishing campaign. 

A cybercriminal will take the time to craft a ‘too good to be true’ offer using the emotional interests that consumers have by leveraging the things they have previously disclosed online.

Furthermore, we continue to see seasonal trends being used by cyber criminals as a way of reaching their own ‘target market’ – and in this case it comes down to the individual to assess these requests with a basic ‘is this too good to be true?’ test.  

Remember: If you don’t expect it, or you didn’t ask for it, or if it’s come at an unexpected time, then it is most likely not something you need right then. Exercise caution with anything unsolicited, and this advice should extend into the online world.