Phishing Attacks in the Apparel Industry

October 31, 2017 by Dan Virgillito

Over the past decade, phishing attacks in the apparel industry have become more frequent, and as businesses adopt a multi-channel retail strategy, the impact has become more severe. Cyber criminals can obtain access to design files and other intellectual property, hack personal data of millions of customers, or force a brand to shut down its website and lose revenue.

According to a report by MRC and Forter, internet-based attacks increased 8.9 percent in 2016 due to adversaries shifting over to the web because of the rollout of EMV (microchip-embedded credit cards). The most alarming thing in the report for retailers is that the notable rise in fraud attack rates happened in the apparel industry; comparing the rate of Q4 2016 to that of Q4 2015, there’s a staggering upsurge of 69 percent!

Why Phish Apparel Companies?

The increase in people’s inclination towards buying luxury apparel means that adversaries get to target consumers with good spending power. However, many apparel companies still underestimate the market value of the data they manage and possess. The majority are not aware that a single customer record consisting of personal and financial information could be stolen and sold on the black market for thousands of dollars. This is a significant reason why they fail to prioritize information security.

Then there’s the intellectual property information about the apparel brands themselves that the hackers can glean. For instance, they can lure employees into handing over design-related details or information about the upcoming holiday campaign. With this kind of detail at hand, hackers can blackmail the brand’s executives or staffers and demand a ransom. It is common knowledge that leakage of a brand’s intellectual property puts a severe dent in its hard-earned reputation.

How Are Apparel Companies Phished?

This is commonly done by setting up fraudulent apparel sites and phishing campaigns designed to steal consumers' banking and personal information. A security research firm found no fewer than 538 registered websites that used some form of a popular apparel brand name, including Givenchy, Prada, Gucci and Chanel, and were likely to be fraudulent. This shady industry has an estimated annual worth of $460 billion, which dwarfs the $264 billion estimated by eMarketer as the value of the online luxury goods market in 2016.
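Sites that embed a brand name in their hostname are the kind of thing a brand's security team can watch for in newly registered domains or in certificate-transparency feeds. The following is an added example, not code from the article or from any vendor it mentions: it flags hostnames that contain an apparel brand name, including common digit-for-letter substitutions and hyphen padding, while excusing the brand's own registered domains. The brand list, the allow-list of legitimate domains and the sample hostnames are constructed for illustration, and the registrable-domain logic is deliberately naive (last two labels) rather than a full public-suffix lookup.

```python
import re

# Brand names taken from the article's list of spoofed apparel brands (plus Zara from the
# WhatsApp example). Constructed list for this example.
BRANDS = ["givenchy", "prada", "gucci", "chanel", "zara"]

# Domains the brands actually operate. Constructed allow-list; a real deployment would
# load this from the brand's asset inventory.
KNOWN_GOOD = {"givenchy.com", "prada.com", "gucci.com", "chanel.com", "zara.com"}

# Letters and the look-alike digits/symbols commonly substituted for them.
# Assumption: this subset covers the substitutions most often seen in lookalike names.
CONFUSABLES = {
    "a": "[a4@]", "b": "[b8]", "e": "[e3]", "g": "[g9]", "i": "[i1!|]",
    "l": "[l1|]", "o": "[o0]", "s": "[s5$]", "t": "[t7]",
}


def brand_pattern(brand):
    """Build a regex that matches the brand with confusable characters and optional
    '-' or '_' padding between letters, e.g. 'g-u-c-c-1' for 'gucci'."""
    parts = [CONFUSABLES.get(ch, re.escape(ch)) for ch in brand]
    return re.compile("[-_]?".join(parts))


BRAND_PATTERNS = {b: brand_pattern(b) for b in BRANDS}


def registrable_domain(hostname):
    """Naive registrable domain: the last two labels. Good enough for .com/.net/.store
    here; real code should consult the public suffix list for things like .co.uk."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def find_brand(hostname):
    """Return (brand, reason) if the hostname embeds a brand name and is not one of the
    brand's own domains, otherwise None. The allow-list check is done on the registrable
    domain, so 'prada.com.example.net' is not excused by containing 'prada.com'."""
    host = hostname.lower().strip(".")
    if registrable_domain(host) in KNOWN_GOOD:
        return None
    for label in host.split("."):
        for brand, pattern in BRAND_PATTERNS.items():
            if pattern.search(label):
                reason = "exact" if brand in label else "obfuscated"
                return brand, reason
    return None


def triage(domains):
    """Return (domain, brand, reason) triples for every domain that warrants review."""
    hits = []
    for domain in domains:
        result = find_brand(domain)
        if result is not None:
            hits.append((domain, result[0], result[1]))
    return hits


if __name__ == "__main__":
    # Constructed sample of newly observed hostnames.
    sample = [
        "shop.prada.com",              # brand's own domain: ignored
        "prada.com.shop-outlet.net",   # brand name as a leading label: flagged
        "gucc1-outlet.com",            # digit substitution: flagged as obfuscated
        "ch4nel-sale.store",           # digit substitution: flagged as obfuscated
        "channel-store.com",           # near miss: not flagged
        "example.org",                 # unrelated: not flagged
    ]
    for domain, brand, reason in triage(sample):
        print(f"{domain:30} -> {brand} ({reason})")
```

Hits are a starting point for review, not proof of fraud; a brand's defenders would typically pass them on to a takedown or brand-protection process and tune the confusable table against their own false-positive rate.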

Also, many apparel brands work with third parties for things such as maintaining their e-commerce sites, processing credit card transactions and manufacturing products. Each of these third-party connections is a potential loophole through which adversaries can sneak in and gain access to confidential information. For instance, if the server of the hosting vendor that stores your e-commerce site's data gets hacked, you stand to lose a significant portion of your business. Hackers can make all that happen by sending a single deceptive email (asking for server authorization or user credentials) to an employee of the third-party company.

Stats & Examples of Phishing in Apparel

The essence of any phishing attack is to make the website or email look legitimate. Moreover, when it comes to apparel companies, hackers have something more up their sleeves. Many of them carry out phishing attacks during the holiday season because they can capitalize on employees' busy schedules. Fulfilling a plethora of orders and answering thousands of customer support tickets takes a toll on staff members, so they are more vulnerable to phishing at this time of the year.

According to Securelist’s 2016 holiday financial threats overview, phishing scams targeting shoppers’ financial information increase during the holiday season. 48.13% of all attacks recorded during Q4 2016 were focused on gleaning shoppers’ financial data, which is 4.75% more than at the same time in 2015. An increase was also seen in the quantity of attacks that leveraged well-known online retailers including apparel brands.

In addition to phishing via websites and emails, hackers are conducting angler phishing scams via SMS text messages and messenger apps. A recently exposed WhatsApp phishing scam promised a gift voucher of €150 to use in Zara's clothing stores in exchange for sharing personal details. Unaware users are redirected to a fake site which infects their phone (and banking apps) with malware, allowing hackers to retrieve sensitive information. Because messages in messaging apps usually come from friends and family rather than brands, employees and shoppers are more inclined to trust whatever is sent to them.

Steps for Preventing Apparel Phishing

As of this moment, there are only apparel brands that have suffered from phishing – and those that haven’t. This observation stresses the critical need for measures to minimize this cyber threat vector.

Apparel businesses can begin with employee training. A 2014 study revealed that more than 50% of enterprise personnel did not get any awareness training. It could be delivered during employee orientation or at your company's annual event. If it is arranged virtually, staff members rapidly click through and skim the content, neglecting essential bits and bobs. Moreover, it is usually done during breaks while reading other content. In contrast, when the training is delivered in person, employees take a more significant interest. They can be educated via videos that explain how a phishing attack is identified, and what to do if they see such an attack.

Additionally, you can run a mock phishing exercise against your own employees to gauge their susceptibility to phishing. The exercise can be spread across multiple mediums (email, social media, SMS, etc.) so that employees learn to identify various types of phishing attempts. And remember, it takes more than a one-off phishing exercise. A mock phishing exercise is a test, and you need frequent testing to evaluate your employees and make sure their response remains strong.

Other than testing, consider the reporting capabilities of the phishing simulator. It is convenient if reporting on testing and training outcomes is automated. Ideally, the simulator will have several templates to slice and dice the report to appeal to different executives. Automated reports can be monthly or weekly, coinciding with mock phishing simulations. Also, the simulator may enable you to create your own customized reports to share with other executives.

InfoSec’s SecurityIQ site offers a phishing program named PhishSim. It can simulate a practical (but harmless) attack. Using PhishSim, companies can test the susceptibility of their personnel. If they fall prey to simulated phishing emails, there’s no damage caused – they will be taken to the AwareEd site, where they can see an interactive video that will improve their security awareness. The simulation test also allows users to track campaigns, get a record of learners (victims) and see an overview of successful simulations. The Open Rate displays the percentage of individuals who fell for the attack.

With SecurityIQ, it is easy to create a fake-phishing campaign. All you need to do is register an account and create an email template. The phishing simulator offers dozens of pre-made templates that companies can use to simulate a variety of phishing attacks. Users can access templates by going to the PhishSim section and clicking on “templates” > “contributed” – this brings up a list of over 100 realistic template options.

SecurityIQ also enables users to make their own templates. If you take this route, know that real emails contain very few visuals. The best approach is to replicate an actual email as simply as possible. Here is a real Bank of America bill pay alert and a phishing email created with PhishSim. Can you spot the difference between the two? We have left the answer in the image caption.

Figure 1. Phishing email created with PhishSim (on the left) and a real email message from Bank of America (on the right)

Preventing phishing attacks lies in the hands of apparel companies, but it takes having training, testing and reporting in place to protect your firm from slip-ups. If personnel are not aware of the risks associated with opening links inside emails and SMS messages, then nobody can put an end to apparel brands falling victim to phishing attacks. Educating employees and testing their susceptibility to phishing attacks is the best way to cultivate a security culture that closes the door on apparel phishing.

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.