The word “black” in the context of the big retail surge that typically follows US Thanksgiving, which is always on a Thursday, refers to ink, from the time when positive and negative account balances were written in black and red ink respectively.
Simply put: it’s all about spending, both in person and these days, of course, online.
So, if you’re going to be going after Black Friday deals online, amidst the retail frenzy of the season, do you need to do anything special? Take precautions that you wouldn’t normally need? Be more careful than usual?
Even more importantly, if you do tread more carefully online during Black Friday season, can you go back to your more casual and carefree online habits afterwards?
[SLIGHTLY SHORTENED AND EDITED FOR CLARITY. ORIGINALLY LIVE FOR BLACK FRIDAY 2019]
HARRY MCMULLIN. Welcome back to Naked Security Live. I’m Harry, joined by Duck, as always.
So, Duck: Cyber Monday and Black Friday?
PAUL DUCKLIN. Yes, I made a little graphic. [LAUGHS AND HOLDS UP HAND-WRITTEN CARD SAYING “Click *NOW* to buy”]. We’re going to be seeing a lot of that.
What’s crazy is that in the UK, our Thanksgiving is on a Sunday, and it’s already happened. So, we don’t have Thanksgiving like the US. We don’t have Thursday off and then take Friday off as well to make a long-long weekend, so we’ve never had Black Friday.
But now we’ve adopted it, and because there’s no need to pin it to a Friday… I got my first Black Friday special deal on the 1st of November!
And then I actually received an email earlier this week saying, “Hey, it’s Black Friday week!”. So I’m thinking. “Is it a day? Is it a week? Is it a month? Is it a year?
The point is that whatever you do on Black Friday to improve your security because Black Friday fears have motivated you, *make sure you keep on doing it for the rest of the year*.
So you’ll see a million tips out there, special things for Black Friday – we’ll talk about some of them – but the key thing is that if it takes Black Friday fears to make you improve your cybersecurity game, don’t fall back into bad habits afterwards.
Think of it like Quit Smoking Day. That’s the day you decide to give up smoking for the rest of your life. It’s not that you take one day off and then you go back to smoking 30-a-day immediately after.
If it takes Black Friday to motivate you to be more serious about cybersecurity, because you’re worried about losing money, or getting your password phished, or digital stuff stolen from you, then that’s great. Because that means you should be in a position to take cybersecurity seriously forever more.
Sorry, that sounds a little bit like a sermon, but I really I really do mean that!
HM. To start off, what is Black Friday and Cyber Monday, and why is there such a buzz?
Why is there such a rush on things?
PD. That’s a good question, because a lot of people who aren’t from the US wonder, “What does Black Friday mean? Is this black and white as in contrast, as in a situation being cast into black and white”? Is it a racial thing? What’s it all about?
It’s not about black and *white* – my understanding is that the term originates from black and *red* [as in finance], where “being in the red” means you haven’t made all the money you need to be in profit for the year.
My understanding is that, because of this long-long weekend in the US, where Thursday is Thanksgiving, everyone takes Friday off. So the shops offer big sales.
It became such a major part of the selling year, like Valentine’s Day is to florists, that the average business did so well that they actually took their business from being in the red for the year to being into the black, and the rest of the year is how they would make their profit.
So the reason why it is is a good motivator for cybersecurity now is that Cyber Monday is there for you to get all the deals you didn’t get in the real stores on Friday.
I guess the big difference today is the volume, the frenzy, the marketing… the sense that you might miss out.
So, for most people – although, as I said at the beginning, Tip Number Zero is “make sure you that whatever you do on Black Friday, you keep doing it” – there are some additional risks that happen on Black Friday. Because of the volume, because of the frenzy, because you think you’re getting deals, because you don’t want to miss out.
The other thing with Black Friday and Cyber Monday occasions, where there is a little bit of pressure that maybe the deals will go away… you could argue that it is more likely that you would be prepared to take risks.
Maybe you’ll visit a site you’ve never bought from before, or put your credit card number into a site that looks legitimate but isn’t – one that you don’t really know anything about.
There is that risk, when you’re bombarded with deals, that maybe you’ll go somewhere that you wouldn’t normally be inclined to.
So, if in doubt: *Stop. Think. Connect.*
Use the old-school advice that says that if you if you take 30 seconds to think about whether you want to click something, that’s not a big slice of your life, but it could protect you from doing something that you later regret.
HM. I think that moves on quite well to the second question I have here: What are the most common kinds of mistake? What’s the most common thing that people forget at this time when they are online shopping?
PD. The one vehicle that we know really works well for cybercrooks of all sorts, whether they’re trying to sell you things, or whether they want to break into your network and later on implant ransomware to try and squeeze money out of you… what we know is that phishing works still works really well.
That’s where they persuade you to go to a site and it’s not the real site, but you’re convinced enough that you end up putting a password into site X that actually belongs with site Y. Then you get some kind of bogus error, and now the crooks are in possession of something that might let them login as you to site Y.
So, if you’re more inclined to visit sites you haven’t been to, or to go to sites that you haven’t heard of before, and you’re more inclined to log in, and your defenses are down… phishing is something that you need to be really careful of.
Don’t rely on links in emails that end up taking you to sites where suddenly you have to login. You should know where each login page is, so find your own way there, whether it’s via a bookmark, or whether it’s by carefully typing the URL.
And be careful of sites even if they’re not asking for a password. They may say, “Hey, you can enter this survey! Take this survey! Put in some data! You can enter a competition, you might win something!”
You might be tempted to try this. What’s the harm in giving away a little bit of data, even if there’s almost no chance that you’ll win anything?
Well, the problem is that the reason for the person collecting the data may specifically be to use it against you in some cybercrime in the future, and that’s a very good reason not to put it in!
So, *if in doubt, do not give it out*.
That advice applies all year round, and twice as much on Black Friday and Cyber Monday.
HM. We just had a viewer saying that she always saves a fortune on Black Friday… so if you see your family or your friends getting deals, that could be another incentive to join the trend?
PD. OK, so I’m not I’m not a retail expert – I’m not really that much into sales, I tend to buy things when I need them and I don’t care whether it’s Friday, Wednesday or Tuesday, but there is some research that suggests that the many of the deals may not be quite that special. So don’t get suckered.
But it is true that I have met people who’ve bought things where you can’t believe the price they paid. Maybe they’re buying a big-screen TV that’s supposed to cost $1000 and they actually scored it for $250, and when you go and look a month later the prices are back up, say to $800. And you tink, “Wow, they did well there.”
So, there is a lot of pressure: Better close this now! Better buy this now!
I’m not saying don’t rush into those deals… well, I *am* saying don’t rush in. You don’t have to avoid them altogether, but a little patience could save you a lot of money.
HM. I think we’ve talked about a lot of the issues there, so, in summary, what are your main points of advice?
PD. OK, I’m going to reach for my notes so we make sure we go through them all!
We’ve mentioned most of these, but I’ve got four tips. Actually, it’s going to be five, because I’ll start with Tip Zero, which is what I said right at the beginning.
[TIP ZERO]
Whatever you decide to do to improve your cybersecurity on Black Friday or on Cyber Monday, *keep on doing it on Tuesday, Wednesday, Thursday Friday*. That’s really important because, if you think about, we’re coming into the festive season; we’ve got Christmas coming up; then, at least in the UK and many Anglophone countries, we’ve got the New Year sales; then you’ll have the spring sales.
These are all things that crooks can hang their hat on.
In the US it’s the end of the tax year at the end of December, so then the tax scams come. In South Africa the tax year ends at the end of February; in the UK it’s at the end of March; in Australia at the end of June… there is always something for the cyber crooks to zero in on.
If it takes Black Friday to make you lift your cybersecurity game, keep it lifted forever. Like quitting smoking: keep on quitting!
[TIP ONE]
Over and above that – I think you’ve said it many times on Facebook Live videos – if it sounds too good to be true, it *is* too good to be true.
Forget this thing that it’s “probably too good to be true”. Just assume that if you’re finding it hard to believe… then don’t believe it at all!
You can you can save yourself a fortune that way.
[TIP TWO]
The second thing I would recommend is: get and use a password manager if you’re not using one already.
That’s one of those tools that has a master password – yes, you have to pick a good one, and you have to be cautious with it – but the big deal with a password manager, in a situation like Black Friday when you might be clicking links that take you to fake sites, is this.
As well as picking a different password for every site, which makes it harder for the crooks; as well as picking a complicated, random, long password for every site because the computer can remember a number this long [STRETCHES ARMS WIDE] as easily as you can remember your cat’s name… the hidden coolness of a password manager is that, if you go to a fake site, the password manager won’t put your password in *because it’s never heard of that site before*.
So it’s a great way of protecting yourself from phishing, as well as making sure that you don’t take risks with passwords.
And as a side tip, if you have a service that lets you have 2FA (two-factor authentication), where you get a code that’s texted to your phone or you have an app on your phone that generates a second code which is different every time, then use that as well. Because with 2FA, if the crooks do get your password, they also need that code, and the code changes every time.
[TIP THREE]
The third thing I particularly recommend for something like Black Friday, when you think, “I’m prepared to take risks buying something from someone that I don’t know much about, but what if they’re rogues? What if they can’t keep up with demands? What if I lose my money?”
Consider getting a prepaid credit card to use with those sites. Prepaid credit cards have a fixed amount of money on them, and when the money’s gone, that’s that. So you are greatly limiting your exposure if the crooks do get hold of that number.
[TIP FOUR]
The last tip, and I’ve used this aphorism before, as any carpenter or joiner will tell you: “Measure twice; cut once.”
It’s possible that you could get hit by a scam, on Black Friday, Cyber Monday or any day of the year, that is so well crafted by the crooks that anybody would fall for it. I’ve seen some really good ones in my time, where I thought, “Wow, I came so close to clicking that.”
But in very many cases, on scam sites, phishing sites, bogus sites… there is often at least one giveaway.
Not all crooks mess up their their HTTPS certificate; not all crooks use a dodgy looking domain name; not all crooks make spelling mistakes; not all crooks make a mistake with the currency sign… but if they do make a mistake, *make sure you don’t miss the tips that are obviously there*.
And that’s what I mean by, “Measure twice; cut once.”
Have a little bit of patience; take your time; have a look; and if you see something phishy, you’re probably saving yourself from loads of trouble.
It doesn’t take a lot of effort – most people can do it, but you just have to have the will to do so.
If you have a slight doubt about something, then the doubt is there for like a reason.
That was about seven tips for you!
HM. Thank you very much for tuning in, and if we haven’t answered your questions we will answering them after the live stream.
So thank you very much for watching, everyone, and until next time, stay secure!
PD. Not just until next time… until the time after, and the time after that!
Remember, cybersecurity is for life, not just for Christmas!
Learn more about Sophos Managed Threat Response here:
Sophos MTR – Expert Led Response ▶
24/7 threat hunting, detection, and response ▶
