With more commerce occurring online this year, and with the holiday season upon us, the Cybersecurity and Infrastructure Security Agency (CISA) reminds shoppers to remain vigilant. Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions.
According to Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, Lookout saw a massive spike in COVID-19-related scams when the pandemic first broke out: a 37% increase in mobile phishing attempts. Most of these attempts were directly tied to COVID by posing as relief funds, medical updates, or entertainment for life in isolation.
So it makes sense that there would be a spike in retail-related URLs, especially at a time when online shopping has become the primary way people are purchasing things, explains Schless.
"People are shopping on their smartphones and tablets more than ever before. Threat actors know that. We receive messages about new deals and shipping updates through SMS and social media platforms all the time. Phishing campaigns based on an event, such as Cyber Monday, are built to imitate those communications. We’re programmed to interact quickly with notifications on our mobile devices. It also doesn’t help that mobile devices have smaller screens and simplified user experience that makes it more difficult to spot many of the red flags that would usually warn us of a phishing attack."
Schless notes he has seen mobile-specific phishing campaigns recently where they target users with fake SMS messages pretending to be their local package delivery service. When the user taps the link in the message, they’re asked to identify themselves by entering their credit card number or other personal data.
"To protect yourself from mobile phishing attacks, you should never tap a link from a number or person you don’t recognize. If possible, contact the sender and validate the communication before interacting with the link. If you do tap one of these links, read the full URL in the browser. Phishing sites often use URL spoofing to look like a retailer’s website, for example, but when you view the full URL it’s actually something very different. You should also protect your phone and your personal data by using a mobile security app that offers phishing protection. Not only will this keep your personal data safe, but it also helps protect any work data you access from your personal smartphone or tablet," says Schless.
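The "read the full URL" advice above is easy to state and hard to do on a small screen. The following is an added example, not code from the article or from Lookout, showing what a programmatic version of that check looks like: it pulls the real hostname out of a link and flags the common spoofing tricks (a trusted name used as a subdomain of an attacker's domain, credentials before an `@` that hide the real host, raw IP addresses, punycode hostnames). The retailer list, the sample links and the heuristics are all constructed for illustration; a production check would use the Public Suffix List rather than the two-label simplification here.

```python
"""Added example (not from the article or from Lookout): check whether a link
really lands on the retailer it appears to name.

Everything below is constructed for illustration: the trusted-domain list,
the sample URLs and the lookalike heuristics.
"""
from urllib.parse import urlsplit

# Registrable domains a legitimate link is expected to land on (constructed list).
TRUSTED_DOMAINS = ("amazon.com", "bestbuy.com", "fedex.com", "ups.com", "usps.com")


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. 'www.amazon.com' -> 'amazon.com'.

    Deliberate simplification: a real check should consult the Public Suffix
    List so that names like 'example.co.uk' are split correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def analyze_url(url: str) -> dict:
    """Classify a URL as trusted or suspicious and list the reasons found."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the hostname for us
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # 'https://amazon.com@198.51.100.7/' actually goes to 198.51.100.7
        reasons.append("credentials before '@' hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) hostname, possible homoglyph")
    if host and host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return {"host": host, "domain": domain, "trusted": True, "reasons": reasons}

    # A trusted name that appears only as a subdomain or inside a label
    # ('amazon.com.deals-login.example', 'bestbuy-blackfriday.example') is
    # the classic spoof the quote describes: the browser shows the brand,
    # but the registrable domain belongs to someone else.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if trusted in host or brand in domain:
            reasons.append(f"looks like {trusted} but lands on {domain}")
            break
    else:
        reasons.append(f"unknown domain {domain}")
    return {"host": host, "domain": domain, "trusted": False, "reasons": reasons}


# Constructed sample links of the kind seen in holiday SMS and e-mail lures.
SAMPLE_URLS = [
    "https://www.amazon.com/deals",
    "https://amazon.com.deals-login.example/verify",
    "https://amazon.com@198.51.100.7/track",
    "http://bestbuy-blackfriday.example/offer",
    "https://xn--mazon-wqa.com/signin",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        tag = "OK   " if r["trusted"] else "SUSP "
        print(tag + u, "|", "; ".join(r["reasons"]) or "trusted domain")
```

The point of the `registrable_domain` step is that the browser's address bar shows the whole hostname, and a lure only needs the brand to appear somewhere in it; what decides where the request goes is the rightmost registrable part, which is what the check compares against the allowlist.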
We spoke to security executives about online shopping threats during this season. Below are their responses and some best practices to stay safe online:
Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers: “Emails which contain deals and links to discount websites that seem too good to be true will be the main cause of security issues this coming Black Friday and Cyber Monday. It is deal season and the easiest way for a retailer to advertise their deals is by sending customers an email. Because people are eagerly looking for deals, there is a spike in phishing emails during the holiday season and they are easy for attackers to blend in. Don’t go to third party websites advertising specials. Just go to the website, whether it be Amazon, Best Buy or elsewhere. Most importantly, remember that if it seems too good to be true, it probably is."
"For many shoppers, it might seem shopping online would best be paired with a coffee at a local Starbucks. Because people are shopping online, thieves will simply listen in on the shared public network, waiting for someone to unknowingly provide all their credit card information while paying for the latest gifts. The advice here is to not use public internet for anything except general browsing. Don’t give up your credit cards so easily. Save that for home or for a private hotspot network. Finally, don’t sign up for a retail rewards program at a third-party site you have never heard of. Everyone is looking for a discount. Many sites on the internet claim to provide these discounts. When people register for these types of sites, they quite often use the same password and email as they would for many other sites. This means when a person registers on a seemingly normal website, they are giving up all their authentication for many other sites. The first piece of advice is to be suspicious of that too-good-to-be-true deal again. But also, use different passwords. It is hard to remember every password, so I would recommend a password manager like LastPass to provide a secure method of storing and remembering those passwords."
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services: "Black Friday and Cyber Monday always present a unique opportunity for cybercriminals and traditional criminals alike. While the cybercriminals are hastily preparing their phishing campaigns and account takeover techniques, the traditional criminals are watching the delivery services with a careful eye. This time of year is always rife with crime sprees and this year will be no different. Be on the lookout for suspicious deal-related emails, shipment updates and so-called tracking services. Also ensure you are entering any personal or banking-related information into a credible site and from a secure networking location (like at home). Be wary of deals that seem too good to be true, because in the end you might not pay money but you will very likely be paying another way. Regarding people being at home, one would think this would create more security issues, but truthfully it will more likely impact bandwidth issues."
Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education: "For reasons that scarcely merit mention, we will likely see the biggest online shopping season EVER this holiday season, not in size, perhaps, but in percent of shopping done online. Not only will more people shop online than ever before, but many more of them (the ones who used to rush the stores at midnight, I’m guessing) will be shopping online for the first time. If you think it’s holiday season for you, think of the joy this season will bring to cybercriminals. After all, they get to prey on all manner of human vulnerabilities that come to the fore during the holiday season: guilt, urgency, excitement and a frenzy for deals.
Here's a quick cybersecurity checklist:
- Update Your Software: Most software updates improve the security of your browser, your apps, and your operating system, so update regularly to let your software work for you.
- Beware of the Special Offer: Email or social media messages offering “deals” or “special pricing” may seem tempting, but beware if these take you anywhere but the main access point for the retailer. After all, if you saw a guy standing outside a store offering a special price, you wouldn’t take it—you’d walk in the front door.
- Watch Out for Fake Order Confirmations and Shipping Notices: If the shipper doesn’t announce who they are, you can be sure they’re fake. You might consider creating accounts at the major shippers (FedEx, UPS, USPS) so that you control your shipping notifications.
- Use Unique Passwords or “Guest Access” for Every Site: Using the same password from site to site is a recipe for turning a single instance of fraud into a major problem, so create a unique password for places you shop regularly and use “guest access” for single-use visits.
- Use Your Credit Card (or Other Payment Method with Fraud Protection): Take advantage of the fraud protection provided by credit card issuers, and never enter your banking account information directly, or comply with requests for non-recoverable payments like money transfers, pre-paid gift cards, or bank-to-bank transfers. Debit cards are also protected from fraud, but the process to recover your money may take longer.
- Be Cautious with Shopping Apps: Just like websites, apps can be spoofed or copied, so if you want to use a shopping app, get it from a legit source and limit the information you share with it.
- Beware Bogus Charities or Appeals to Holiday Distress: This one isn’t about shopping, but it is about not getting suckered! People’s hearts open during the holidays—and cybercriminals are happy to take advantage by pulling on your heartstrings to get you to give money to fake charities or to fund made-up calls for help. As always, do your research to check for legitimacy."
Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged access management (PAM) solutions: "Cybercriminals take advantage of victims when they are most vulnerable, and this is especially true when making impulse decisions when shopping online. They are trained in the art of using social engineering to lure unsuspecting victims to click on a simple, seemingly harmless link. However, it is extremely malicious malware waiting to take over your account, steal your money or, even worse, steal your identity. Cybercriminals use fear, time and money to lure victims into doing something they wish they had not. Using fear of potentially losing a ‘once in a lifetime’, time-sensitive bargain online that could save you money is one example. You expect that you will get these limited specials; however, the cybercriminals are simply trying to abuse your vulnerable trust. Cybercriminals will sift through tons of social media information to search for what you are looking for and offer you the best deal in the world simply to steal your password to your accounts."
Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management: "When shopping online, especially at a busy time like Black Friday and Cyber Monday, be sure to update your security software and check that your firewall and antivirus are working. Always use genuine and familiar sites. If you don’t know them, check them out via Google or your favorite search engine. Also, beware of email “offers” from companies you don’t recognize, and even those that you do know but shouldn’t be emailing you – they’ll likely contain a malicious click-through link or even an attachment. Don’t click through or download the attachment unless you are completely certain that they are legitimate."
CISA also encourages online holiday shoppers to review the following resources.
- CISA’s Online Shopping Tip
- CISA’s Holiday Online Shopping page
- CISA’s Social Engineering and Phishing Attacks Tip
- The Federal Bureau of Investigation’s (FBI’s) ‘Tis the Season for Holiday Online Shopping Scams - Don't Be a Victim Announcement
If you believe you are a victim of a scam, consider the following actions.
- Report the incident to your local police, and file online reports at the Federal Trade Commission’s Report Fraud page and the FBI's Internet Crime Complaint Center (IC3) page.
- Watch for unexpected or unexplained charges to your account. If any appear, contact your financial institution immediately and close any accounts that may have been compromised. See CISA’s Preventing and Responding to Identity Theft Tip for more information.
- Change any passwords you might have revealed immediately. Avoid reusing passwords. See CISA’s Choosing and Protecting Passwords Tip for more information.