EclecticIQ
November 10, 2025

The reality: Bargains bring risk

From Black Friday to Boxing Day, shopping surges and so do cyber scams. Countdown timers and “last chance” offers create urgency that attackers exploit. Every click has consequences if you’re not prepared. 

Recent UK incidents show the scale. During Easter 2025, Marks & Spencer was hit by a major attack attributed to Scattered Spider, disrupting online orders, click-and-collect, and in-store payments, with losses expected to exceed £300 million. Co-op and Harrods also reported issues that affected payment and ordering systems. These weren’t one-offs. They’re part of a broader pattern: criminals time attacks for the busiest trading periods. 

Bottom line: the more people rush to buy, the more criminals rush to deceive. 

Why shoppers are easy targets 

Urgency beats caution. Flash sales push quick decisions. That’s when cloned sites, fake ads, and phishing messages land. 

Password reuse opens doors. One breach can unlock multiple accounts. 

AI makes scams convincing. Polished, localized emails and texts. Deep-fake voices. Realistic look-alike websites. Traditional red flags aren’t enough. 

The smart shopper’s playbook: Dos and don’ts 

Do: Strengthen your logins 

  • Turn on multi-factor authentication everywhere. Prefer app-based codes or security keys (FIDO2) over SMS. 
  • Use a password manager to generate unique passwords for every site. 

Don’t: Reuse or overshare 

  • Never reuse passwords across retailers, email, and banking. 
  • Reduce your digital footprint. Think twice before sharing phone numbers, addresses, or birthdays in public profiles. 

Do: Pay safely with virtual cards 

  • Use virtual or disposable cards with preset limits for one-off or high-risk purchases. If details leak, the impact stays small. 

Don’t: Trust every message or call 

  • Phishing isn’t just email. SMS (“smishing”) and voice phishing (“vishing”) are common. 
  • AI voice cloning can mimic trusted people. If you didn’t expect the call, hang up and dial the official number yourself. 

Do: Let AI work for you 

  • Choose banks and providers that use AI-driven fraud detection to flag unusual transactions and suspicious logins in real time.

Quick checks before you buy 

URL sanity check: Is the domain spelled correctly? Does it match the retailer exactly? 
Payment page: Look for HTTPS and a proper certificate. 
Too good to be true: Extra-deep discounts on high-demand items are a common lure. 
Account hygiene: After a big shopping day, review statements and enable transaction alerts.
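
The URL sanity check above can be automated. The sketch below is an added example, not EclecticIQ code: it flags non-HTTPS links, internationalised labels, a trusted name used as a subdomain of another domain, and near-miss spellings. The retailer names, the warning codes and the 0.85 similarity threshold are assumptions made for illustration, and it checks the URL only, not the site's certificate.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list of retailers the shopper really uses (hypothetical names).
TRUSTED = {"brightmart.example", "cornerstore.example"}


def check_shop_url(url, trusted=TRUSTED, threshold=0.85):
    """Return warning codes for a shop URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    labels = host.split(".")
    # Internationalised labels can hide look-alike characters.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        warnings.append("idn-label")
    # Exact match or a genuine subdomain of a trusted domain: domain checks pass.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return warnings
    related = []
    for t in sorted(trusted):
        # Compare the same number of trailing labels as the trusted domain has.
        tail = ".".join(labels[-len(t.split(".")):])
        if host.startswith(t + ".") or "." + t + "." in host:
            # Trusted name appears only as a subdomain of some other domain.
            related.append("trusted-name-as-subdomain:" + t)
        elif SequenceMatcher(None, tail, t).ratio() >= threshold:
            related.append("lookalike:" + t)
    return warnings + (related or ["unknown-domain"])


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a sale email or text.
    samples = [
        "https://www.brightmart.example/checkout",
        "https://brightmartt.example/deals",
        "https://brightmart.example.secure-pay.example/pay",
        "http://brightmart.example/",
    ]
    for url in samples:
        print(url, "->", check_shop_url(url) or "ok")
```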

For smaller retailers and marketplaces 

  • Attackers pivot through the supply chain. Smaller sellers often plug into larger platforms and payment providers, which makes them appealing targets. 
  • Enforce MFA for staff, especially for admin and payment accounts. 
  • Segment access by role; limit privileges. 
  • Keep platforms and plugins patched. 
  • Run phishing drills and establish a clear report-phish channel. 
  • Test backups and incident plans so you can restore quickly if hit. 

The way ahead 

The M&S, Co-op, and Harrods incidents underline a simple truth: online shopping carries risk. Consumers can tip the balance. Strong authentication, smarter payments, and a moment’s skepticism make a real difference. 

Cybercriminals thrive on distraction and urgency. The antidote is preparation and calm. Make safe shopping habits as instinctive as locking your front door. 

At EclecticIQ, we believe resilience starts with awareness and action, both by consumers and by the retailers who serve them. 


FAQs 

Is it safe to shop online during Black Friday? 
Yes — if you use MFA, unique passwords, and trusted retailers. Avoid links in unsolicited emails or texts; navigate directly to the site. 

What is a virtual card and why use it? 
A virtual card is a temporary card number with a limit. It reduces exposure if a merchant is compromised. 

How do I spot a fake retail site? 
Watch for misspelled domains, odd subdomains, and unusual payment methods. Check the returns policy and contact details. When in doubt, don’t enter card details. 

What should I do if I clicked a phishing link? 
Change your password immediately, enable MFA, and contact your bank or card issuer. Monitor transactions and set up alerts. 
