


David Braue
Editor at Large

Security gaps could dim Australian retailers’ Christmas shopping season

News Analysis
Oct 25, 2020

Retailers want to sell better, but in the midst of surging scams and fraud they must balance analytics and security to maintain critical consumer trust.

Image: Christmas grinch (credit: Thinkstock)

Australians reported more phishing scams in September 2020 than in any month since the ACCC ScamWatch program began collecting data in 2017. That record heightens concerns that coronavirus lockdown fatigue, coupled with a hoped-for resurgence of holiday shopping to bolster the crippled national economy, could prove disastrous, particularly as other analysis shows that most retailers aren’t managing payment security correctly.

Some 5,421 phishing scam attempts were formally reported by Australians during September—a 28% increase over the 4,221 attempts reported in August—and victims admitted losing $268,440 to the scams during the course of the month.

That was a 75% increase over the $153,585 lost during August—suggesting either that cybercriminals have stepped up their campaigns to take advantage of the changing economic climate, or that exhausted victims have let down their guard after months in challenging living and working conditions.

The pace of scams accelerates before the holiday shopping surge

“The opportunity COVID-19 has presented to scammers is undeniable and reflected by the rise in reports and sums lost,” said Crispin Kerr, ANZ area vice president at security provider Proofpoint ANZ, which has observed ongoing phishing campaigns that have surged throughout the course of the pandemic. “It is important that people remain vigilant and aware of the rise in phishing scams, even as the country continues to manage the impact of COVID-19 and embarks on the road to recovery for many sectors.”

September marked the end of the first tranche of the government’s JobKeeper and JobSeeker financial assistance packages and changes to their financial amounts, with the Australian Taxation Office reporting the extensive circulation of scam emails related to the programs and fake claims of tax debts.

These program changes—on top of COVID-19 themed scams that have generated more than 4,700 scam reports and $5.48 million in losses during the pandemic alone—bode poorly for coming months as a surge in online shopping leaves physical retail sales suffering uninspired growth.

E-commerce sales are expected to explode this holiday shopping season, with predictions of a sales surge as much as 30% sure to catch the eye of cybercriminals who have a history of success in going where the money is.

Gift cards in particular may become popular phishing lures: they have been flagged as “the growth engine of the season” in retail, but they are also a potential liability because they are perennially popular with fraudsters.

“The coronavirus has not changed how fraud is committed but has shone a bright light on the risks of fraud in a digital age,” said Krista Tedder, payments director at analyst firm Javelin Strategy & Research, in introducing a research report exploring the escalation of digital fraud during the pandemic.

Evolving customer-engagement paradigms, “combined with the sophisticated nature of tools that criminals have available to them, provides a road map for financial institutions to build their fraud-mitigation strategy over the next several years,” Tedder wrote. “Financial institutions will face significant risks, in reputation and from financial losses, if changes are not implemented.”

More data but less protection

Even as cybercriminals found their footing during the pandemic, the online and offline merchants they target may be doing themselves no favours. According to Verizon’s recent 2020 Payment Security Report, just 27.9% of surveyed organisations were confirmed as still being compliant with the mandatory PCI DSS standards, which require any company handling personally identifiable financial information such as credit card numbers to protect that data.

In the face of the rapid change every online and offline retailer has dealt with this year, such insecurity presents a clear danger to the security of financial information—and CSOs, Verizon warned, may be powerless to reverse the trend. “CSOs face constricted budgets, a limited hiring pool, and a mountain of immediate problems to solve,” the report’s authors note. “This leads to short-term thinking: applying technology for quick fixes rather than developing strategic plans with top management for long-term solutions. When those quick fixes inevitably fail, CSOs move on to the next job, often in about two years. Their successors too often merely repeat the cycle.”

Steady declines in ongoing PCI DSS compliance have been observed over the past few years, with the current rate of just one in four companies retaining their compliance, well down from the 55.4% figure in 2016. That dramatic decline suggests many companies achieve PCI DSS compliance as required, but subsequently fail to maintain it as business processes, systems and technological protections change.

Indeed, just 51.9% of companies said they had successfully tested security systems and processes, while only 66.2% said they were tracking and monitoring system access appropriately. Said Sampath Sowmyanarayan, president for global enterprise at Verizon Business:

Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable.

The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data, and consumers trust businesses to safeguard their information.

Payment security has to be seen as an ongoing business priority by all companies that handle any payment data. They have a fundamental responsibility to their customers, suppliers, and consumers.

Reversing the trend, Verizon’s analysis warns, requires CSOs and executives to approach data-protection strategies as strategic investments rather than quick wins—with CSOs needing to “tell compelling narratives that align security agendas with corporate agendas”.

A matter of regaining consumer trust

Balancing security with data use will quickly become a drag on companies as they reinvent themselves for data-driven COVID-era retail. That reinvention will increasingly involve larger quantities of behavioural and personal data, as well as identity-related information, all of which will push retailers’ security strategies harder than ever, said Okta chief product officer Diya Jolly during a panel session at the company’s recent Okta Showcase conference:

There’s more and more data being gathered about all of us by the brands that we use, and that’s not a bad thing because they end up making sure they can deliver a much more tailored and customised experience.

But then it puts the onus on all of us, as digital-first organisations, to really maintain high levels of security and privacy, and to keep that front and centre for our customers so we can continue to regain their trust.

Regaining that trust requires careful and ongoing examination of the balance between collecting data for machine-learning-driven analysis and protecting against the risk that data creates, said Will Larson, CTO of app maker Calm.

“We have to be more selective on the data that we retain long term,” he said. “It’s not just from a cost perspective, but also from a risk perspective. I think we’ve all worked at a company where the motto was like ‘We’ll just keep all the data and figure out what we want later’, but I think we’re going to see a world where all digital companies are really conservative about what data they retain. When you have tens or hundreds of millions of users, it’s a deliberate decision around which data you keep and how to use it.”