Last updated: September 5, 2018
With Black Friday, Cyber Monday, and the holiday shopping season soon to be in full swing, cybercriminals are working overtime to turn your deal hunt into a score for the bad guys.
Below, we outline a few perennial holiday shopping scams, as well as a couple of relative newcomers to the scene. Familiarize yourself with the warning signs associated with these hoaxes and our tips for avoiding them. Help make your holidays memorable for the right reasons, not the wrong ones.
Phishing scams are a golden goose for cybercriminals. These fake emails are easy to create, cheap to send, and bear tons of fruit in the form of payment card information, account login credentials, and other sensitive pieces of data. Even seemingly innocent messages — like electronic greeting cards — can have malicious software (aka, malware) concealed within them.
Social engineers know that email inboxes will be flooded with order confirmations, shipping notifications, and special offers during this time of the year. They pattern their malicious messages after legitimate emails, which makes it easier to trick recipients. And they are not shy about using big-name brands and logos — like Apple, PayPal, FedEx, and others — to make things look more realistic. (A 2017 Amazon Prime Day scam is a great example.)
Before you interact with a message, give it a good look and make sure everything seems on the up and up — and remember that it’s always better to err on the side of caution. Logos, ‘from’ addresses, and signatures are not proof of legitimacy; you must look deeper for confirmation.
Here are some questions to ask yourself about unsolicited emails:
Do I definitely know where this message came from?
Does this message look like others I’ve gotten in the past, or is something off?
Is this message confusing or does it make sense?
When I hover over the ‘from’ address and web links, do I see addresses that make sense or does something look suspicious?
Is this message asking me for personal information (like login credentials, credit card numbers, etc.)?
If you’re even a little unsure, close out of the email. Instead of clicking a link or downloading a file, visit a website by keying the address into your browser, and log into your accounts via secure channels to confirm offers and notifications.
Social engineers are practiced at the act of deception, and they know things that look trustworthy are usually taken at face value. They will often plant advertisements that link to login screens and web pages that look nearly identical to well-known sites. As with emails, you must look below the surface to ensure you don’t get caught turning your valuable information over to scam artists.
There are also two themes that fraudsters regularly tap into in order to trip up unsuspecting web surfers: Charitable giving and the pursuit of great deals and hard-to-find items. Though these two are at seemingly opposite ends of the spectrum, both are common practices during the holiday season. Since social engineers seek to take advantage of natural emotions, you can see why they choose to set up phony charities and create websites that claim to offer the must-have gifts that shoppers seek.
The best way to avoid falling for online imposters is to restrict your online interactions to known, trusted websites and non-profit organizations, preferably those you’ve had personal experience with in the past.
Here are a few things to watch out for:
If you are going off the beaten path, just be sure to do your research. Ask for friends’ recommendations (online reviews can be faked), and shop only on sites that offer secure, authenticated checkout.
Check out additional holiday shopping tips for a safer online experience.
Social media is an excellent avenue for social engineers to distribute their scams — and unsuspecting users will often do it for them. Fake links, stories, and offers (like free gift cards) have long existed on social media, but there’s a newer post making the rounds, and participating in it is actually illegal in certain countries.
In 2015, the BBB warned about social media gift exchanges, which promise 36 gifts in exchange for buying one small gift for a stranger. This is an electronic version of mailed chain letters, and we’ve seen many forms of this — $10 gift cards, books, jewelry, makeup, and more, like the "Secret Sister Gift Exchange" and "Secret Wine Bottle Exchange" that took Facebook by storm in late 2017.
Regardless of what participants are asked to buy, all are pyramid schemes. If you do participate, you are highly unlikely to receive any gifts back…though you could get more than you bargained for from a legal perspective. As the BBB cautioned, "According to the US Postal Inspection Service's gambling and pyramid scheme laws, gift chains like this are illegal and participants could be subject to penalties for mail fraud." They are also illegal in Canada.
On social media, the lure of “too good to be true” is frequent and strong. The tips shared in the earlier sections will also serve you well on these sites and apps. It’s important to remember that, without your engagement, social engineering scams can’t be successful. Your choices and decisions matter.
Much is made of online schemes, but holiday hoaxes are not confined to the internet. Though there is a wide range of social engineering scams that rely on personal interactions, delivery theft and fraud are of particular concern during the holidays.
Unfortunately, there are a number of reports of people stealing holiday deliveries from porches and mailboxes each year, and the numbers continue to see an upward trend. An insuranceQuotes.com report from 2017 indicated that nearly 26 million Americans had packages stolen from their homes by so-called "porch pirates" before they could open them — an increase from the 23.5 million thefts reported in 2015.
It’s suspected that criminals make a regular habit of following delivery vans in order to identify their targets. Many thefts have been caught on security cameras, but although the videos have helped victims obtain refunds, the cameras weren’t able to prevent the thefts themselves.
You also need to be wary of any unexpected deliveries you receive. The BBB has warned of delivery hoaxes that are designed to steal credit card and debit card data. When packages are delivered to individuals, the courier claims to require a “small verification fee” to complete the delivery. Instead of processing a payment, a handheld scanner collects card data for the scammer to use later.
Whether you have a webcam or not, it’s a good idea to take advantage of protections offered by shippers. Try to schedule deliveries for days that you or someone else will be home, or have packages delivered to an office or other location that offers more consistent security. Track your packages so you know when they will arrive, and consider using signature services (which can cost extra) to ensure that items won’t be delivered when you aren’t around.
To avoid shipping scams this holiday (and year round), make an effort to use known, reputable delivery services and to be proactive about protecting your purchases. Should you be asked to pay a fee to receive a package, refuse the delivery until you are able to confirm the shipment is legitimate.
Posted by Gretel Egan on 11.21.16