2021 Holiday Shopping Threat Landscape

Dec 9, 2021

The holiday shopping season brings together the perfect confluence of factors for cybercriminals to attack enterprises and consumers alike. Cybercriminals strategically plan attacks during holidays to take advantage of a company’s limited capacity to respond and a consumer’s increased spending. Furthermore, holiday retail sales are forecast to increase by 7 to 9 percent this year, and online global spending will reach US$910 billion, a statistic that underscores why cybercriminals continue to expect dividends from targeting the retail sector.

Organizations in retail and other supporting sectors face the dual threat of (1) storing personally identifiable information (PII), such as customer financial data, and (2) dealing with high levels of spending within a short timespan and often at limited capacity, making them a valuable target for threat actors. This Resilience threat advisory highlights some persistent holiday-themed threats and suggests mitigation measures to encourage vigilance during the holiday season.

Social Engineering

Holiday Scams: During the holiday shopping season, threat actors will likely use social engineering to get victims to disclose sensitive data, such as credit card information or one-time login codes. Cybercriminals send consumers phishing emails and text messages masquerading as legitimate advertisements or customer service emails from retailers. These messages will likely pressure consumers into disclosing information in order to receive orders or discounts.

Spoofing and impersonation: When managerial staff are out of office during the holidays, cybercriminals use their (anticipated) absence as the perfect opportunity to strike. They impersonate CEOs and high-level executives, asking lower-tiered employees to perform actions while their boss is away, such as transferring money or sharing login credentials.

Phishing & Smishing

Think before clicking into holiday deals: Cybercriminals know that people are scrambling to find gifts for loved ones around the holidays, and send malicious holiday “deals” to infect your device with malware. An employee who checks their personal email on a company device may click on an email offering an incredible sale price or an exclusive coupon that takes them to a spoofed website or asks them to download something that could infect their computer.

Smishing (SMS phishing) attacks remain popular: smishing was in the top five fraud scams attempted in the second quarter of 2021. It is likely that threat actors will incorporate smishing, along with phishing, in their overall fraudulent activity in order to steal information or attempt to gain access to corporate resources.

Smishing attacks allow threat actors to target victims more directly via their mobile devices. Victim phone numbers can be collected in a variety of ways, including by buying compromised credentials en masse on Deep and Dark Web (DDW) marketplaces. In more targeted attacks, threat actors can collect specific information from public social media accounts like Facebook or LinkedIn.

Physical Threats

Inspect shipping notices: For many businesses, sales are booming during the holiday season, and supply chain woes are compounding the issue. Cybercriminals know that your business may be stocking up on inventory around this time of year. If you get an email saying an important company shipment was delayed, think before clicking attachments. These social engineering attempts often work because criminals know you’re eager to have items delivered on time and will download the attached information in haste, infecting you with malware before you have time to reflect.

In addition to shipping alerts, be cautious of physical breaches as well. During this time of the year, it’s not uncommon for bad actors to impersonate mail personnel to gain access into a building. Think about it, who doesn’t hold the door open for the smiling delivery man juggling boxes a mile high? Once in, this cybercriminal could breach or steal computers or devices, servers, paperwork, and more.

Enterprise Recommendations

To protect the enterprise, Resilience recommends retailers set a baseline of security best practices, which can also aid in detecting and mitigating the social engineering used in refund fraud and card-not-present fraud schemes. Retailers can also mitigate the risk of leaking sensitive data by employing customer identity and access management (CIAM) solutions. CIAM solutions share preliminary customer data, such as email addresses, only with the appropriate resources in a retailer’s network environment.

Organizations can also be proactive in defending their networks, data, customers, and employees against the anticipated increase in holiday cybercrime by implementing security measures including, but not limited to, conducting backups and patch management of devices, managing security training, implementing email security and network security tools, protecting endpoints, enforcing strong password hygiene, and preparing an incident response plan.


1. Backups: Restoration from recent clean backups is an effective strategy for recovering from a ransomware incident. Keep multiple iterations of backups in case backups become infected or maliciously encrypted. This backup methodology is known as the 3-2-1 strategy.

a. Review and update backup policies

i. Perform a thorough audit of all business data and where it is stored; too often, data that nobody knew about is left out of a backup.

b. Keep at least three copies of critical data: the production data plus two copies of it on two different media, one of which is sent off-site or kept completely air-gapped.

c. Make regular backups and frequently review backup retention to ensure critical data is kept for a sufficient time. A restoration may require several generations of backup data to succeed.

d. Keep backups clean and robust by using write-once, read-many (WORM) storage with comprehensive backup access controls to prevent infection or undesired access by attackers.

e. Maintain and back up logs for a minimum of one year.

f. Test and plan: perform real-world scenario testing and reviews of backup plans to learn restoration times and to set the priority in which systems are recovered.


2. Security Awareness & Training: It is difficult to solve the “me, myself, and I” human element of ransomware with technology. Many attack vectors require a human to push the button, usually without realizing it.

a. Train employees about the dangers of phishing and the risks they present.

b. Leverage real-world scenarios for mandatory security awareness training, simulated exercises, table-tops, etc.

c. Continuously train and retrain employees on security hygiene best practices. For example, malware can be placed on USB drives that are dropped for unsuspecting users to plug in, so it is important to educate users on why USB port access is disallowed or why they should not insert non-company USB drives into a computer.

d. Create and maintain business continuity, disaster recovery, and incident response plans and educate all users on their role in these plans, if any.


3. Email Security: Email is the most commonly used vector to deliver malicious payloads to an end-user. In order to secure your organization’s email platform, it is recommended to do the following:

a. Filter unsolicited email (spam).

b. Use advanced filtering and sandbox capabilities to detonate (test) potentially malicious content and block it at either the firewall or the email gateway.

c. Implement DMARC to reduce the chance of spoofed or modified emails appearing to come from valid domains.

d. Disable macros.

e. Alert users of messages originating from outside of their organization.

f. Record and track data loss and instances of sensitive information being shared over email (data loss prevention, DLP).

g. Gain visibility into, and prevent, account takeovers and mailbox rules set up to forward mail outside of the organization.
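As an added illustration of item c (not code from Resilience or this advisory), the following script parses a domain's DMARC record and reports which settings still let spoofed mail through; the records it checks are constructed samples, and in practice the record would be read from the `_dmarc.<domain>` TXT entry in DNS.

```python
"""Rate the spoofing protection a DMARC record provides (added example)."""
from typing import Dict, List

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records; they do not belong to any real domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into lower-cased tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the weaknesses found; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings: List[str] = []
    policy = tags.get("p", "none").lower()
    if POLICY_RANK.get(policy, 0) < POLICY_RANK["reject"]:
        findings.append(f"policy '{policy}' lets spoofed mail through")
    # Per RFC 7489 the subdomain policy (sp) defaults to the domain policy.
    if tags.get("sp", policy).lower() == "none":
        findings.append("subdomain policy is 'none'")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unparsable pct is treated as no enforcement
    if pct < 100:
        findings.append(f"pct={pct}: only part of failing mail is policed")
    if "rua" not in tags:
        findings.append("no rua address, so spoofing attempts go unreported")
    return findings


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD),
                      ("strong", STRONG_RECORD)]:
        print(name, assess_dmarc(rec) or ["enforcing"])
```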


4. Protecting Endpoints: Keeping track of endpoints becomes increasingly difficult as the business grows. As the endpoint inventory grows, so do the risks the endpoints present. Basic log data from devices is not very useful unless it is correlated with the likelihood of a security event occurring.

a. Perform regular checkups, i.e. vulnerability scans, of all of your organization’s physical and logical endpoints.

b. Gain additional visibility and insight into what occurs on an endpoint with log monitoring and Antivirus, Anti-malware, and/or EDR solutions.

c. Provide the ability to quickly react to an incident and isolate affected or compromised hosts from the rest of the network.

d. Detection, containment, investigation, and elimination of malware are the fundamental elements of an EDR solution for protecting endpoints.

e. Coupled with an appropriate level of network segmentation, the damage caused by malware that bypasses the EDR and compromises an endpoint can be kept far smaller than on an unsegmented network.

f. If endpoints are managed by one or more third parties, ensure the third parties’ security standards meet the standards of the organization.

g. Point-of-Sale Systems (POS): Securing POS systems is critical to protecting customer financial data.

i. Install antivirus software

ii. Use point-to-point encryption that enables secure data transfer between the unit and the gateway

iii. Implement a POS monitoring system that can send video clips and notifications

iv. Patch, update, inspect, and test the POS regularly

v. Ensure the physical security of the POS

vi. Educate employees on how to identify suspicious activity

vii. Enable multi-factor authentication on the POS

viii. Ensure PCI compliance


5. Network Security: Not every device, user, or endpoint needs to be able to connect to and communicate with every other device, user, and endpoint on the network.

a. Implement an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) to detect and/or prevent command and control activity and other malicious network activity.

b. Network segmentation can provide physical or logical separation of networks, such as placing cardholder data within one segment of the network while keeping web servers and other elements that are public-facing within their own segment. This separation can assist in the prevention of lateral movement and further distribution of ransomware from compromised hosts.

c. Baseline and analyze network activity over a period of time to understand your organization’s legitimate traffic patterns and distinguish them from anomalous network activity.


6. Incident Response Plan: Developing a solid, agreed-upon path for responding to a security incident is critical to recovering successfully and ensuring business operations suffer only inconsequential interruption:

a. Policy: The first step in developing a policy or plan is to identify which events are considered incidents and to provide an organizational structure, including roles and responsibilities, for responding to them. This should include incidents that occur on systems the enterprise uses but that are outside of its physical control, such as service-oriented systems provided by third parties.

b. Create a response team: Deciding in advance which experts will be part of the incident response team ensures the organization has the best-suited personnel ready to respond.

c. Incident handling and reporting: Provide a detailed process for executing the incident response policy and plan, ensuring that the chain of custody of evidence is preserved.

d. Communications: Create a communications plan that describes which incidents need to be reported to which outside parties, such as the media, law enforcement agencies, and incident reporting organizations.

e. Audit: Performing regular audits of the incident response plan will allow stakeholders to gauge how well prepared an organization is to respond to an incident.