Search

Guidance for retailers to prevent websites becoming Black Friday cyber traps

The NCSC is encouraging small online shops to protect their customers from cyber criminals over key shopping period.



  • National Cyber Security Centre notified over 4,000 small business sites whose customers' payment details were being stolen

  • The UK’s cyber experts reveal that hackers are exploiting a vulnerability in popular e-commerce software

  • SMEs urged to update software to avoid financial and reputational damage


Small online retailers are being encouraged to protect their customers and profits from the threat of callous shopping skimmers who could target them on Black Friday and Cyber Monday.


The activity of skimming exploits a vulnerability in software used at the checkout page on shopping sites to divert payments and steal details of unsuspecting customers. The National Cyber Security Centre - a part of GCHQ - proactively identified 4,151 compromised online shops up to the end of September and alerted retailers to these security vulnerabilities.


The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform.


Retailers are urged to ensure that Magento - and any other software they use - is up to date. The NCSC’s website has guidance on running a secure website, including moving businesses from the physical to the digital.


NCSC Deputy Director for Economy and Society Sarah Lyons said:

“We want small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period.
“Falling victim to cyber crime could leave you and your customers out of pocket and cause reputational damage.
“It’s important to keep websites as secure as possible and I would urge all business owners to follow our guidance and make sure their software is up to date.”


The Chancellor of the Duchy of Lancaster, Steve Barclay said:

"On Black Friday and Cyber Monday the hackers will be out to steal shoppers' cash and damage the reputations of businesses by making their websites into cyber traps. "It's critical, with more and more trade moving online, to protect your business and your customers by following the guidance provided by the National Cyber Security Centre and British Retail Consortium."

British Retail Consortium Assistant Director for Consumer, Competition and Regulatory Affairs Graham Wynn said:

“Skimming and other cyber security breaches are a threat to all retailers.
The British Retail Consortium strongly urges all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end of year period.
The Cyber Resilience Toolkit for Retail, produced in partnership with NCSC, is available on the British Retail Consortium’s website for retailers to consult and boost cyber defences.”

The compromised shopping websites were identified by the NCSC’s Active Cyber Defence programme, which seeks to remove malicious websites and scams from the internet before they harm the public.


The NCSC has monitored for these shops since April 2020 and issued warnings to site owners and SMEs about their software being up-to-date.


With more businesses using technology and e-commerce than ever before, it has never been more important to think about online security - whether IT is managed in-house or by an external service provider.


Individuals should visit ncsc.gov.uk for clear guidance on the steps to take to protect their accounts and devices from the majority of online harms.



Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.