Black Friday and Cyber Monday are two of the most anticipated shopping days, with millions of customers flocking online and in store for deals. However, they are also a peak hunting ground for cybercriminals looking to exploit the massive surge in online activity and transaction volume.
Cyberattacks on consumers and retailers surged by over 300% during the Black Friday period in 2024, with phishing attacks mimicking major brands increasing by over 2,000% . Driven by the proliferation of Generative AI, attacks are now faster, more sophisticated and harder to detect.
To assist you in staying secure, we’ve put together essential cybersecurity tips to protect your business over this period. With a proactive approach, you can safeguard customer data, secure transactions and strengthen your brand’s reputation.
In this blog:
- Bolster Your Website’s Security for High Traffic Days
- Secure Your Cloud Infrastructure
- Secure Your Payment Processing Systems
- Fortify Your Supply Chain Security
- Educate and Alert Your Employees
- Monitor for Fraud and Suspicious Activity in Real Time
- Secure the Mobile Shopping Experience
- Modernise Customer Authentication
- Have a Black Friday and Cyber Monday Incident Response Plan
1. Bolster Your Website’s Security for High Traffic Days
Your website may experience a surge in traffic over Black Friday and Cyber Monday, making it a prime target for attacks. By enhancing your website’s security, you’ll protect both your business and your customers.
Action Steps:
- Use HTTPS Everywhere: Ensure your entire website is secured with HTTPS, which encrypts data transmitted between the user’s browser and your website. Implement HTTP Strict Transport Security (HSTS) to enforce secure connections, and regularly update your SSL/TLS certificates.
- Keep Software Up to Date: Regularly update your website’s content management system (CMS), plugins, themes, and server software to patch known vulnerabilities.
- Deploy a Web Application Firewall (WAF): A WAF helps block suspicious traffic and defends against attacks like SQL Injection, Cross-Site Scripting (XSS), and DDoS attacks. Consider using a cloud-based WAF for easier management.
- Run Security Scans: Regular penetration testing and vulnerability scans can identify weaknesses before the holiday traffic peaks, allowing you to address risks proactively.
- Use a Content Delivery Network (CDN): A CDN can improve your site’s performance during high-traffic periods and offers additional security features, including DDoS mitigation.
2. Secure Your Cloud Infrastructure
As businesses rely on cloud services (AWS, Azure, GCP) for scalable ecommerce infrastructure, security must scale dynamically with it.
The necessity for rapid auto scaling during peak traffic introduces significant risks, specifically, misconfigurations are a leading cause of breaches, as temporary, hastily deployed resources or overlooked default settings can inadvertently leave sensitive data stores exposed to the public internet.
Action Steps:
- Address Auto Scaling Security: Ensure security policies (WAF rules, network ACLs) are correctly inherited and applied automatically to new instances launched during auto scaling events. A lack of control here can expose new servers immediately.
- Fix Cloud Misconfigurations: Regularly audit your cloud environment for common errors like publicly accessible S3 buckets, exposed databases or overly permissive Identity and Access Management (IAM) roles.
- Serverless Security Best Practices: If utilising serverless functions (like AWS Lambda), strictly limit the permissions granted to each function and ensure all input and output is rigorously validated.
3. Secure Your Payment Processing Systems
During Black Friday and Cyber Monday, the volume of transactions skyrockets. A secure payment system is essential for customer trust and regulatory compliance.
Action Steps:
- Ensure PCI DSS Compliance: If you handle payment card transactions, ensure your payment systems comply with PCI DSS v4.0.1 requirements. This includes secure storage, processing and transmission of cardholder data.
- Outsource Payment Processing: Fully outsource payment processing to a PCI DSS compliant service provider to minimise your handling of cardholder data.
- Avoid Storing Cardholder Data: Do not store unnecessary customer payment information. If storage is required, ensure data is encrypted both in transit and at rest.
4. Enhance Your Supply Chain Security
Increased reliance on third party services and plugins during high traffic periods creates new vulnerabilities that attackers exploit.
The modern ecommerce stack is an interconnected supply chain of code and services. If any vendor component, even a seemingly benign one like a chat bot or a font loader, is compromised, it can be used to inject malicious scripts directly onto your site, steal customer payment card details in real time and significantly damage your brand trust.
Action Steps:
- Review Third Party Plugins and Integrations: Perform due diligence on all third party software, plugins and widgets used on your site, especially those that interact with the checkout process. Ensure they are being actively maintained and have a good reputation.
- Monitor API Connections: Continuously monitor and secure all Application Programming Interface (API) connections between your ecommerce platform and external services (payment, logistics and marketing). Apply rate limiting and strong authentication to APIs.
- Ensure Vendors Have Adequate Security: Include security requirements and the right to audit in contracts with all critical third party vendors (logistics, hosting and marketing).
5. Educate and Alert Your Employees
Employees are often the weakest link, especially during the holiday rush. While technical systems can be hardened, the human element remains the most vulnerable entry point, contributing to over 60% of security breaches according to recent industry reports.
When employees are focused on fulfilling orders and handling customer queries, they are highly susceptible to social engineering tactics, such as urgent requests for credentials or fund transfers, that exploit their trust and their desire to quickly resolve tasks.
Action Steps:
- Address AI Powered Threats: Train employees to recognise new, sophisticated attack vectors:
- Deepfake Phishing: Be alert for urgent, unexpected voice or video calls (internal or external) impersonating executives. Establish secondary, verifiable communication procedures for high value requests (e.g., transferring funds).
- AI Enhanced Social Engineering: A large number of phishing emails are now contextually perfect and indistinguishable from legitimate communications. Employees must focus on source integrity rather than spelling or grammar.
- Provide Phishing Awareness Training: Regularly conduct simulated phishing attacks.
- Limit Access Privileges: Apply the principle of least privilege by restricting access to sensitive systems and data.
6. Monitor for Fraud and Suspicious Activity in Real Time
Real time monitoring is critical, as it helps you spot threats and respond quickly to prevent financial loss and data leaks. During the rapid surge of Black Friday transactions, threats like Account Takeover (ATO), credential stuffing and automated fraud rings can execute hundreds of malicious actions within minutes.
Delaying detection by even an hour can result in substantial financial damage and compromise thousands of customer records, therefore, real time alerts and anomaly detection are essential to containing incidents before they escalate.
Action Steps:
- Implement Advanced Fraud Detection Systems: Use fraud detection software that utilises machine learning to identify unusual transaction patterns (e.g., rapid multiple purchases, mismatched billing or shipping addresses).
- Set Up Security Alerts: Configure alerts for unauthorised logins, multiple failed login attempts or changes to critical data.
- Regularly Review Logs: Continuously monitor and analyse server and application logs for signs of suspicious activity.
7. Secure the Mobile Shopping Experience
With mobile commerce dominating holiday sales, securing your mobile channel is critical. Customers increasingly complete their entire shopping journey, from browsing to checkout, on smartphones and tablets.
This massive transaction volume shifts the attack surface from the desktop browser to the app and mobile browser, necessitating defences against unique mobile threats like malicious apps, device rooting/jailbreaking and credential stuffing attacks targeting mobile APIs.
Action Steps:
- Secure Your Mobile App (if applicable): Implement application level security measures like code obfuscation, runtime application self protection (RASP) and secure storage of sensitive data within the app.
- Implement Mobile Specific Fraud Detection: Utilise tools that analyse device ID, location data and behavioral biometrics to detect mobile only risks like jailbroken/rooted devices or fraud rings operating across multiple accounts.
- Address Mobile Wallet Security: Ensure your integration with services like Apple Pay and Google Pay uses secure tokenisation and that your backend systems are protected from API level attacks related to mobile wallet transactions.
8. Modernise Customer Authentication
Account takeover remains a top attack vector because it leverages stolen credentials from third party breaches. Attackers use automated tools to perform credential stuffing across millions of ecommerce accounts, seeking a successful login. To counter this widespread, automated threat, simply encouraging strong passwords is no longer enough.
Businesses must actively update customer authentication to modern, secure standards like Passkeys and authenticators, which are inherently resistant to large scale phishing and credential theft.
Action Steps:
- Emphasise Passkeys: Strongly promote and implement Passkeys as a modern, phishing resistant alternative to traditional passwords for customer accounts.
- Offer Passwordless Authentication: Implement passwordless options like magic links or one time codes (OTP) sent via email or an authenticator app, offering a frictionless yet secure path.
- Update MFA Guidance: Migrate customers away from SMS based MFA, which is vulnerable to SIM swapping attacks. Strongly recommend and support the use of Authenticator Apps (e.g., Google Authenticator or Authy) or hardware security keys instead.
9. Have an Incident Response Plan
Despite preventive efforts, incidents may still happen. An incident response plan prepares your business to handle breaches efficiently and transparently.
Action Steps:
- Define Clear Procedures: Develop a detailed incident response plan outlining the steps to take during a cybersecurity incident, including containment, eradication, recovery and communication.
- Assign Roles and Responsibilities: Ensure every team member understands their role in responding to security incidents.
- Test Your Plan: Regularly conduct drills and simulations.
- Prepare a Communication Strategy: Be ready to communicate promptly and transparently with customers and regulatory bodies if an incident occurs.
Stay Secure for a Successful Black Friday and Cyber Monday
Black Friday and Cyber Monday can be incredibly profitable, but they demand a modern, vigilant security strategy. By implementing these updated tips, you can protect your business and customers from cyber threats, ensuring a smooth and secure shopping experience through 2025 and beyond.
Need Help Securing Your Business for Black Friday and Cyber Monday?
Our team offers customised cybersecurity solutions to help you stay protected this shopping season. We provide specialised services like Penetration Testing and Compliance Readiness Assessments (including PCI DSS v4.0) .
Contact us today to learn more about how we can support your business during the holiday season! 👇