As we near the end of this pandemic-hit year, both retailers and shoppers alike hope to find some cheer in the imminent holiday season.

And like it or not, cybercriminals and hackers can’t wait to crash this retail bash, especially when much of it is likely to occur online – an expected 33% year-over-year surge to a record $189 billion!

In light of this, both shoppers and retailers need to be mindful about the cybersecurity risks that await them this holiday season. Here are a few recommendations to help ensure a safer experience for all.

For consumers, think twice before trusting emails and websites for deals

As millions of shoppers venture online, hackers will be on the prowl for sensitive personal and financial data.

Using crafty phishing emails, a common fraudulent theme could be messages that impersonate popular online brands and retailers. Consider exercising these simple, proactive steps to avoid being hooked by such scams.

Before you trust email that appears to be from your favorite retail brands or online platforms, make sure you read the message content thoroughly. If you spot unusual grammar or spelling errors, then you’ve got your first hint.

A large number of phishing sites that came up during Amazon’s recent Prime Day sale serve as fitting examples here. Take a closer look at the senders’ email addresses to further verify your suspicions.

Don’t get too tempted to download a “special festive season pass” or promo codes from suspicious emails – and of course, don’t click on links inside such emails. Fraudulent phishing mails may carry malicious attachments or links to bad URLs that can download zero-day malware or ransomware on your device, putting your personal and financial data at great risk.

If you’re not sure about a particular message, try matching the link in the sender’s email address with the destination address of the link when you hover over it. If they don’t point to the same web address, then you may want to report the email message to your service provider or security vendor so that further distribution among potentially vulnerable online shoppers can be prevented.

And finally, be careful when typing website URLs manually. One errant keystroke and you might end up on a typo-squatted domain (a lookalike yet fake URL – often a phishing site). To avoid such risks, consider a password manager. Not only do password managers remain a good line of defense  against weak passwords, but such tools don’t get tricked by malicious URLs that can be easily overlooked by error-prone human eyes.

For retailers, keep your systems patched, adequately protected, and PCI DSS-compliant

As mentioned, it’s not just shoppers who will be targets of cyber-crime this holiday season. Here’s how retailers can strengthen their cyber-resilience as well.

Start with security training that educates your team about the latest phishing scams, including the types of data that cybercriminals target and examples of crafty scam emails. Furthermore, provide your team with an easy way to report such suspicious email or similar activity to your IT security personnel.

If you’re planning to keep your brick-and-mortar stores open, make sure the operating systems on your point-of-sale computers are patched with the latest security updates. Consider and additional cybersecurity measures such as a capable anti-malware solution, next-gen firewall, server protection, and encryption to protect mission-critical systems that operate inside your retail network. Network segmentation can also help protect such sensitive systems by enabling the creation of restricted and isolated zones that are managed with more granular access controls.

If your retail business has embraced cloud-based applications and you’ve got an extended multi-site network of branch locations, franchise partners, and supply chain partners, then adopting a zero-trust security philosophy becomes critical. The basic principle is “trust nothing, verify everything” and can help establish trusted access across a distributed retail network while ensuring better safeguards to protect cardholder privacy. Read this Sophos whitepaper to gain a better understanding of the zero-trust security approach

Also, be sure to conduct a review to see if your existing cybersecurity arrangement adheres to the recommendations of PCI DSS guidelines. Read this Sophos reference card for a quick understanding of key security requirements mandated by the Payment Card Industry Data Security Standards.

If your retail business does not have adequate in-house security expertise or if you’re managing with skeletal security staff, then this is a great time to bring in a managed security partner who will ensure constant monitoring of your retail network, online systems, and e-commerce portals for suspicious activity.https://player.vimeo.com/video/467892062

Sophos can help you keep your focus on your business and while leaving your security concerns to our elite team of threat hunters. Read about the Sophos Rapid Response service and get immediate help to keep your business and customers protected this holiday season.

For everyone, double-check your password hygiene and transaction authorizations

The truth about easy-to-guess passwords is that hackers like them just as much as you do! Cybercriminals enjoy feasting on security vulnerabilities such as poor passwords or the absence of multi-factor authentication. Consider this simple advice for safe and secure online holiday shopping.

If you’re a shopper, use strong passwords for online transactions and don’t reuse them at multiple sites. Think of a more complex passphrase by using a combination of letters, numbers and special characters. Instead of keeping an arsenal of passwords in your head, a more practical and safer approach is to use a good password manager.

These utilities are simple to set up, easy to use, and all you need to remember is the vault’s one master password. If you’re an online retailer, ensure your account creation feature demands a strong mix of such elements and urge your customers to reset their passwords regularly. Many online retailers also offer multifactor authentication, so consider leveraging such features as well.

And one final tip for consumers: make the most of the security features offered to you by your banks and credit cards. Regularly monitor and review your credit card limit, review your phone and email information for accuracy, and set alerts for large or suspicious purchases.

This has been a difficult year and hopefully the holiday season proves to be a great time to relax, shop, and have fun. And by taking the proper cybersecurity precautions, both shoppers and retailers can enjoy a great end to the year.