As the end-of-year holiday season approaches, and with it promotions galore with Black Friday, Proofpoint’s IT security researchers looked into the protection levels of the main e-commerce sites in France. According to their results, more than half of e-commerce sites do not offer effective systems to protect customers against phishing scams.
As you know, Black Friday is scheduled to begin this Friday, November 24, 2023. For millions of French people, this will be an opportunity to get good deals ahead of the Christmas holidays. However, this period also represents the perfect opportunity for pirates to defraud the customers of the main e-commerce sites, particularly with phishing or email attacks.
For those who still don’t know, phishing is one of the 7 most widespread online scams. Generally, this consists of false emails which usurp the identity of a public service (such as the fines site, the famous Personal Training Account or the Crit’Air sticker), of a known person or of a business. The goal is to get you to click on a corrupted link or take you to a fake page to steal your personal information or banking details.
58% of commercial sites do not offer sufficient protection against phishing
As users prepare to flood onto e-commerce sites in search of golden deals, Proofpoint security researchers have conducted a study on the levels of cyber protection of the main merchant sites in France. According to the results obtained, 58% of the most visited sites in France have still not implemented cybersecurity measures basic to fight against phishing scams.
To reach this conclusion, the Proofpoint experts based themselves on the presence or absence of a DMARC record by e-retailers. To summarize, DMARC is an international standard which still constitutes to this day the most powerful weapon against this kind of attack and domain spoofing (domain name theft). You should know that DMARC has three levels of email processing:
- Monitoring
- Quarantine
- Rejection
The last level offers the most protection, since it guarantees that suspicious emails will never arrive in customers’ mailboxes. However, 58% of the sites analyzed do not offer the Reject level of DMARC protection, therefore leaving an opening for hackers to trap users with fake emails. According to Proofpoint, we find this trend on the sites on the list with a .fr extension (of the 24 .fr sites in the list, only 12 display the recommended level of protection Rejection).
10% of sites do not use DMARC
Furthermore, 90% of the main merchant sites in France have published a basic DMARC record (10% of sites therefore have no protection). “Email remains the most common vector of IT security compromise, across all industries, but especially in e-commerce when targeting individuals,” explains Loïc Guézo, director of cybersecurity strategy at Proofpoint.
He pursues : “DMARC remains the only open technology capable of protecting against domain name theft […] It is urgent for e-retailers to arm themselves, so that their customers can make their purchases with complete peace of mind.”
Also read: Hackers seek to exploit Google Calendar to steal your personal information
How to shop safely
As Black Friday approaches, Proofpoint also shares some tips for users to strengthen their security and avoid falling victim to these online scams:
- Protect your passwords : vary passwords using a password manager and enable multi-factor authentication
- Beware of fake sites : Beware of fraudulent sites that imitate the interface of those of reputable brands. Look for possible anomalies such as spelling mistakes, low quality logos, a strange or unusual domain name, etc.
- Never click on links contained in emails or SMS: If in doubt about the origin of an SMS or promotional email, never click on the links present and directly enter the address of the known website in your browser to access the offers offered
- Always take the time to read the comments when you are about to download a new application or a popular website. This remains an effective method for detecting a scam or fraud
Remember that from February 2024, accounts that send a significant number of emails (companies, public services, health organizations, etc.) will have to have emails authenticated before being able to send them to Gmail and Yahoo addresses. This is a decision taken by the two web giants to strengthen the fight against spam and online scams.