Duncan & Toplis

Don’t let your customers take the bait: Why brands must protect shoppers from phishing scams this Black Friday

Rachel Rudkin | 27 November 2025

Black Friday - a time when retailers across the UK slash their prices and take advantage of Christmas shoppers seeking a bargain. And Cyber Monday follows very closely, kick-started by the American National Retail Federation in 2005 as a way for smaller online retailers to compete.

While this offers a great opportunity for retailers and shoppers alike, Black Friday and Cyber Monday have also become a beacon for cybercriminals exploiting the surge in online shopping. Many companies are busy perfecting their sales offerings, but an alarming number overlook a serious flaw of these seasonal flash sales: they leave customers more vulnerable.

It’s reported that there has been a stark 52% surge in retail-focused cyber threats ahead of Black Friday this year, with stats from last year showing that 37.5% of attacks impersonated online retailers. This is especially worrying when you consider that there is predicted to be a 520% increase in generative-AI-driven traffic at the end of the month, making the threat larger and more complex than ever before.

The flash discounts spur sales, with customers spending £1.12 billion on Black Friday last year (a 7.2% year-on-year increase from 2023) and £926 million on Cyber Monday (up 5.1% year-on-year), according to Global Banking & Finance. Clearly, this frenzy of deals under a strict timeframe creates a dangerous environment for shoppers, because it directly opens them up to cyber scammers.

Cybercrime is a real problem for retailers because it fundamentally erodes trust and causes widespread reputational damage. Scammers are growing increasingly sophisticated, and failing to defend against them risks financial losses for customers and business owners.

So, how can you shield your customers from fraud?

The constantly updating threat of phishing scams

While you might think you can spot a scam easily, cybercriminals increasingly use advanced technologies, including AI, to carry out highly convincing phishing attacks. These criminals design polished phishing emails, fake adverts, copycat social media profiles and fraudulent websites that mimic legitimate communications almost perfectly. These criminals often aim to separate customers from their hard-earned cash by ‘borrowing’ the credibility of real retailers.

Let’s look at a recent example: this year, scammers targeted Stripe, a payment processing platform. In a carefully orchestrated scam, criminals sent fake emails that claimed the recipient’s Stripe account password had been updated. They then directed the recipient to click a link to reset their password if the change wasn’t authorised. This link, however, led to a phishing site that stole sensitive login credentials.

In another example, couriers DPD Local warned people to be vigilant against emails from criminals that mimic the company to trick recipients into providing data or downloading malware.

Deepfake scams are also becoming a serious concern. Criminals are now using AI-generated voices and videos to impersonate customer service representatives, delivery drivers and even senior brand personnel. These hyper-realistic deepfakes remove many of the telltale signs customers once relied on, making phishing attempts harder to recognise during high-pressure shopping periods. Retailers are now seeing scams where AI-cloned voices request “failed delivery fees”, or deepfake video ads which drive shoppers to spoofed websites disguised as Cyber Monday promotions.

These scams highlight how easy it is for shoppers to fall victim to cybercriminals during this popular, fast-paced sales period.

How businesses must act now

To fight phishing scams, businesses need to educate their customers and secure their communication channels. While making customers feel vulnerable won’t reassure them, companies that actively warn customers about threats reduce the risk of scams and keep customers on their guard.

One way to do this is to share updates about common phishing tactics, such as fake courier messages or fraudulent emails, through newsletters, social media and website banners. By actively educating customers, businesses empower them to stay vigilant and avoid falling victim to scams.

While consistent branding across all communication channels helps customers identify legitimate messages more easily, a distinct identity doesn’t make you immune to being imitated. Businesses must ensure they regularly ramp up their communication security. Using protocols like DMARC (Domain-based Message Authentication, Reporting and Conformance), companies can stop scammers from sending fraudulent emails that appear to come from their brand.
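
A check of what a published DMARC record actually enforces, as an added example that is not part of the original article; the domains and records are constructed samples and the function names are hypothetical. It shows the caveat behind the paragraph above: a record with `p=none` only reports on spoofed mail and does not stop it.

```python
# Added example: does a DMARC TXT record (published at _dmarc.<domain>)
# actually tell receivers to act on mail that fails authentication?
ENFORCING = {"quarantine", "reject"}

# Constructed sample records for illustration only.
SAMPLES = {
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "mail.example": "v=DMARC1; p=quarantine; pct=25; sp=none; "
                    "rua=mailto:dmarc@mail.example",
    "brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
}

def parse_dmarc(txt):
    """Split a record into an ordered tag -> value dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return (verdict, findings); verdict is invalid, monitor-only, partial or enforced."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        return "invalid", ["record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING | {"none"}:
        return "invalid", ["missing or unknown p= policy"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports of spoofing attempts")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
        return "monitor-only", findings
    partial = False
    sub = tags.get("sp", policy).lower()   # subdomain policy defaults to p=
    pct = tags.get("pct", "100")           # pct defaults to 100
    if sub not in ENFORCING:
        findings.append("sp=%s leaves subdomains open to spoofing" % sub)
        partial = True
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of failing mail" % pct)
        partial = True
    return ("partial" if partial else "enforced"), findings

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess_dmarc(record))
```

DMARC acts on the results of SPF and DKIM, so those must also be published and aligned with the sending domain before moving a record from `p=none` to `quarantine` or `reject`.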

Delivery and payment updates, which are another common target for scammers, also require extra care. Businesses can centralise these updates within secure platforms like their official website or mobile app - which means that the risk of customers trusting fraudulent SMS messages or stray emails would likely reduce dramatically.

Educating customers about basic cybersecurity practices strengthens their ability to defend themselves. Businesses should encourage customers to use two-factor verification (2FV), create strong and unique passwords, and verify links before clicking.

This week is D-day for cyberscammers

Whether you like or loathe Black Friday and Cyber Monday, their focus on spending amplifies the risks of phishing scams. According to the UK’s National Cyber Security Centre (NCSC), shoppers lost over £11.5 million to cyberscams during the winter of 2023-2024. This figure will likely continue to climb, especially as cybercriminals improve their tactics with AI to eliminate telltale giveaways.

Customers have almost endless alternatives in today’s competitive market and can easily switch to competitors should they perceive a brand as unsafe or inherently untrustworthy.

So, now's the time to remain vigilant and ensure that your cybersecurity is as varied and robust as your main offering - or risk becoming a victim by proxy. To learn more, get in touch with our expert team at Duncan & Toplis.
