2020 has been anything but normal and has in many instances changed our lives for the foreseeable future. Many businesses have hinted that they are seriously considering a work-from-home-first landscape, and schools have implemented online lessons and activities. For consumers, while physical shopping has remained accessible, online transactions have surged, leading to different demographics using the web for more than just social networking.
As we head into 2021, cybercriminals will continue to use any and every opportunity to take advantage of people who either do not take their online security seriously or simply do not know how to. Here we will discuss five cyber threats that consumers will face in 2021.
1 // Phishing and similar scams
With misinformation around the pandemic and noise from the US presidential election, 2020 was certainly a year of conflicting news – with much of it designed to appeal to certain types of people or audiences. Cybercriminals use this very same principle to target particular audiences, sending enticing emails that win the recipients' attention and trust and then getting them to reveal sensitive data, with the purpose of stealing their financial data.
This trend will continue to escalate into 2021 as scams attached to vaccine news, health alerts and government announcements become common. We can expect to see criminals continue to attach malware to enticing emails which in turn will perform everything from holding data ransom (ransomware) to silently stealing sensitive information, such as credit card or social security numbers.
How can vendors help?
From a vendor perspective, there is not much that can be done short of consumer education. Websites should make it clear that they will never send emails asking for passwords or personal information, nor will they ever attach anything and as such, consumers should avoid opening any attachments and treat them all as malicious.
2 // Password reuse abuse
Human beings are often creatures of habit when it comes to passwords, reusing them repeatedly. Most people have accounts with tens if not hundreds of different sites and will use the same passwords across many of them. The problem is that when one of these websites is breached and criminals manage to obtain credential lists, they will then employ techniques to use those credentials on other sites and often manage to gain access given the reused details.
With the usage of password managers being still somewhat rare – even with the mainstream browsers now having them built-in – cybercriminals will continue to take advantage of this human flaw heading into 2021 by purchasing large stolen password lists off the dark web and using stolen accounts to do everything from purchasing goods to committing identity theft.
How can vendors help?
One of the best ways in which vendors can help prevent such threats is to defend their site against automated activity (bots). When criminals obtain large password lists, they often turn to automation software which can test thousands of credentials quickly, flagging the ones that work. Vendors should look to bot mitigation technology to prevent such activity and protect both their customers and their business from fraud.
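As an added illustration (not code from the original article or from any vendor's product), this sketch shows one signal bot mitigation can key on: a single source trying many distinct usernames in a short window with few successes. The log format, thresholds and function names are assumptions, and the log lines are constructed samples.

```javascript
// Constructed sample login log: ISO timestamp, source IP, username, result.
const SAMPLE_LINES = [
  "2021-01-04T10:00:00Z 203.0.113.7 amy FAIL",
  "2021-01-04T10:00:02Z 203.0.113.7 bob FAIL",
  "2021-01-04T10:00:03Z 198.51.100.20 gus FAIL", // one user mistyping a password
  "2021-01-04T10:00:04Z 203.0.113.7 cat FAIL",
  "2021-01-04T10:00:05Z 198.51.100.33 hal OK", // shared address, normal logins
  "2021-01-04T10:00:06Z 203.0.113.7 dan OK", // a reused password that worked
  "2021-01-04T10:00:07Z 198.51.100.33 ivy OK",
  "2021-01-04T10:00:08Z 203.0.113.7 eve FAIL",
  "2021-01-04T10:00:09Z 198.51.100.20 gus OK",
  "2021-01-04T10:00:10Z 203.0.113.7 fay FAIL",
];

function parseLine(line) {
  const [ts, ip, user, result] = line.trim().split(/\s+/);
  return { t: Date.parse(ts) / 1000, ip, user, ok: result === "OK" };
}

// Flag a source when any window of `windowSec` seconds contains at least
// `minUsers` distinct usernames and a success rate of at most `maxSuccessRate`.
function findStuffingSources(lines, opts = {}) {
  const { windowSec = 60, minUsers = 5, maxSuccessRate = 0.25 } = opts;
  const byIp = new Map();
  for (const e of lines.map(parseLine)) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    let start = 0, tripped = false;
    for (let end = 0; end < events.length && !tripped; end++) {
      while (events[end].t - events[start].t > windowSec) start++;
      const win = events.slice(start, end + 1);
      const users = new Set(win.map((e) => e.user)).size;
      const okCount = win.filter((e) => e.ok).length;
      tripped = users >= minUsers && okCount / win.length <= maxSuccessRate;
    }
    if (!tripped) continue;
    // Report everything seen from the source, including accounts it got into.
    const compromised = [...new Set(events.filter((e) => e.ok).map((e) => e.user))];
    const distinctUsers = new Set(events.map((e) => e.user)).size;
    flagged.push({ ip, distinctUsers, attempts: events.length, compromised });
  }
  return flagged;
}
```

The `compromised` list is the part to act on first: those accounts accepted a tested credential and need a forced password reset.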
3 // Online skimming
Modern websites are made up of many thousands of lines of code, often utilizing a myriad of third-party plugins to bring everything from credit card processing to chatbots. When an organization makes use of these extensions, they introduce a level of risk by accepting that when a user visits their site, the user gets content and code not only from the vendor but also the third parties.
There are several issues associated with the use of third-party code, from compliance enforcement of the CCPA and GDPR legislation to ensuring that the third parties being used are not doing anything with the organization’s customers other than what they advertise. Criminals, such as Magecart, will often target weak third-party technologies and insert malware into their codebase, which gives them access to copious amounts of sensitive customer data when used alongside a vendor’s website – data which will then be resold on the dark web.
How can vendors help?
Online skimming is one of many client-side attacks which take advantage of poorly protected code, often in third-party plugins. It is the website owner's responsibility to implement client-side security to protect their website and customers against such attacks. Client-side security works by adding a small code layer to a vendor’s website which runs when a consumer accesses the site, preventing sensitive data being accessed and exfiltrated by rogue code – even when part of third-party functionality.
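A simplified sketch of such a code layer, added here as an illustration and not taken from the original article or from Ensighten's product: it wraps a page's `fetch` and `navigator.sendBeacon` so that data can only be sent to allowlisted origins. The function names, the origins and the stand-in window object in `runDemo` are assumptions constructed for the example.

```javascript
// Wrap the page's network APIs so requests to non-allowlisted origins are
// refused and recorded. `win` is the window object (or a stand-in for it).
function installEgressGuard(win, allowedOrigins, pageOrigin) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const blocked = [];

  function permitted(url) {
    let origin = null;
    try {
      origin = new URL(String(url), pageOrigin).origin; // resolves relative URLs
    } catch {
      origin = null; // unparseable destination: treat as not allowed
    }
    if (origin !== null && allowed.has(origin)) return true;
    blocked.push(origin === null ? String(url) : origin);
    return false;
  }

  const realFetch = win.fetch;
  win.fetch = function (input, init) {
    const url = input && input.url ? input.url : String(input);
    if (!permitted(url)) return Promise.reject(new TypeError("blocked by egress guard"));
    return realFetch.call(win, input, init);
  };

  const realBeacon = win.navigator.sendBeacon;
  win.navigator.sendBeacon = function (url, data) {
    return permitted(url) ? realBeacon.call(win.navigator, url, data) : false;
  };

  return blocked; // live list of refused destinations, for reporting
}

// Demo against a constructed stand-in for `window` that records what is sent.
function runDemo() {
  const sent = [];
  const fakeWin = {
    fetch: (u) => { sent.push(String(u)); return Promise.resolve("ok"); },
    navigator: { sendBeacon: (u) => { sent.push(String(u)); return true; } },
  };
  const blocked = installEgressGuard(fakeWin, ["https://pay.example"], "https://shop.example");
  fakeWin.fetch("/api/cart"); // same origin: allowed
  fakeWin.fetch("https://pay.example/charge"); // allowlisted processor: allowed
  fakeWin.fetch("https://collector.invalid/c?card=4111").catch(() => {}); // refused
  const beaconOk = fakeWin.navigator.sendBeacon("https://collector.invalid/b", "x");
  return { sent, blocked, beaconOk };
}
```

A wrapper like this only covers the APIs it wraps and only code that loads after it; a `Content-Security-Policy` header with a `connect-src` allowlist has the browser enforce the same restriction on these request types.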
4 // Malicious browser extensions
Browser extensions are certainly not new and bring great functionality – such as automatically searching for coupons when shopping and blocking potentially offensive content. Most browsers have marketplaces which provide access to many thousands of extensions, installable with just a few clicks.
Cybercriminals will often create malicious extensions, advertising them as ad blockers or extensions to save money when shopping. Unfortunately, many of these rogue extensions are designed simply to steal data. While it is easy for a vendor to put the onus on the consumer, the vendors are ultimately left out of pocket when criminals use stolen data to frequently purchase goods.
How can vendors help?
Browser extensions work by injecting code dynamically into web pages to alter their functionality and rogue extensions will often exfiltrate data, such as usernames, passwords and credit card numbers. By utilizing client-side security, vendors can prevent plugins from being able to access customer data and send it to unknown locations, such as rogue servers.
5 // Identity theft
This last one is not so much a threat, but more the result of the other mentioned threats and their resulting breaches – the theft of consumer data and its use to enact fraud. Identity theft costs businesses billions of dollars through lost revenue, increased cost of doing business, higher insurance premiums and more. While many consumer threats are a direct result of bad consumer behavior, such as password reuse, unpatched devices or the installation of rogue extensions, it is the business that often suffers the consequences with rejected charges and more.
How can vendors help?
Vendors are ultimately responsible for their customers and protecting them within their virtual world, including their online experience and the information they share. Businesses should do everything they can to protect their websites from all possible avenues of attack and not simply assume that insurance can mitigate any losses.
With an increase in compliance legislation, vendors are facing more pressure than ever to take measures designed to ensure they are responsible and proactive in the fight against data theft.

Ensighten
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.