The email domains of popular delivery companies in the UK are insufficiently protected against phishing, spoofing, and other forms of fraud, making them an ideal attack vector this Black Friday and the rest of the holiday season.
This is according to a new report from Tessian, which claims that things could get a lot worse than last year, due to various supply chain issues and poor security protocols.
According to the company, fraudsters could easily impersonate email domains of two-thirds (64%) of the top couriers. Of all the best global couriers, just a fifth (20%) have configured Domain-based Authentication, Reporting & Conformance (DMARC) to its strictest setting, allowing malicious actors to “directly impersonate” a courier’s domain.
Impersonating delivery companies to try and trick people into giving away valuable personal information, such as passwords, is nothing new. This year, a third (33%) of UK’s consumers have already received such a phishing email, but Tessian believes these figures will “soar” during Black Friday and Christmas.
This time last year, the company detected 90,000 phishing attacks, more than three times the amount recorded in the weeks leading up to Black Friday.
How to identify a phishing email
“Identifying the signs (of a phishing email) may not be as easy as you think if attackers are convincingly impersonating a delivery firm in their messages,” comments Tim Sadler, CEO for Tessian. “Therefore, it’s so important to question every message you receive and always think before you click.”
According to the experts, recipients should always be wary of typos and other spelling errors, as those are the first, and most common, red flag. Then, they should verify the sender’s identity, by making sure their name and email address match up, especially for consumers reading emails on a mobile device. Malicious actors will often spoof a brand name, hoping readers don’t take the time to inspect the email domain.
At the end of the day, most delivery companies and retailers have multiple communications channels open at all times. Consumers can do their due diligence by reaching out to the company directly, to confirm the authenticity of the message received.
You should also check out our list of the best security keys out there today
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.