Cybercriminals use clever scams to defraud millions of people every year, regardless of the season. But with the holiday season – and the biggest shopping days of the year – just around the corner, it’s more important than ever to keep your guard up and stay vigilant.
Due to the distractions of the hectic holiday season, it’s easy to see where we (which means you AND your employees) might be more susceptible to online scams. And smart scammers are happy to capitalize on the hustle and bustle of the festivities with well-placed and timely scams that can fool even savvy end-users.
With that in mind, here are some of the more popular online scams to avoid this holiday season.
Sales, Discounts, Deals
While that sounds pretty vague, it’s for good reason. Cybercriminals follow the news and the seasons, and when the big story of November and December involves good shopping deals, it creates opportunity for the bad guys.
Last year, holiday shopping grew 8 times faster online than in stores (Source: Fortune.com). And the 2017 shopping season is expected to surpass $100 billion – a 13% increase from 2016 (Source: DMO by Adobe).
ADI (Adobe Digital Insights) is also predicting that most consumers will be on the hunt for bargains.
Both the increased volume and the focus on deals set up nicely for cybercriminals, who will no doubt be busy creating phishing scams and malicious websites advertising “can’t-miss” deals.
While phishing scams are prevalent all year long, last year 110,000 new phishing scams were detected in November and December alone.
Email deals from major retailers are common, and most of them are going to be legitimate. But it still pays to be cautious about them, particularly if you receive an offer from a store or seller that you have never dealt with before.
It’s also smart to still verify those promotional offers or sales that are supposedly from major retailers, as they could also be spoofed. Train yourself to take a few seconds to double-check the URL or better yet, navigate to the retailer’s site on your own instead of following the link provided to you in the email.
Remember too that any deal that sounds too good to be true IS. You should never have to provide an upfront payment to secure a prize or any type of financial assistance. And if you’re required to pay for something with a gift card or a wire transfer, it’s a major red flag.
The best bet with email deals is to trust your gut – if anything about an email seems “off”, then you’re better off missing out on that “sale” in favor of keeping your information and your network safe.
E-Cards
Many of us never stop to consider the potential risks of a holiday e-card. After all, it’s usually just a cute and harmless message from a family member, friend, or co-worker, right?
Unfortunately, that’s not always the case.
Just like with online shopping, the increased use of this inexpensive and convenient way to send greetings created opportunity for scammers. So while the majority of e-cards are perfectly safe, there are known e-card scams out there.
E-cards can contain malware, and once you click on it or download it, it’s often too late to do anything about it. In some cases, you end up with a virus that lies dormant for a while, or you may inadvertently agree to having spyware or adware installed by clicking on the Terms and Conditions box so you can see your card.
We strongly recommend against opening any e-card with an attachment – the risks are just too great. Trusted e-card companies like Hallmark would never send them as attachments, and any vendor that does should be treated as suspect.
Other red flags of bogus e-cards include:
- Spelling mistakes
- Errors – for example, it says you sent the card when you actually received it
- It’s from an unknown sender
- It has a generic or bogus name like “Card Sender”, “Joe Cool” or “Secret Admirer”
- The URL looks odd or just seems “off”
With e-cards, the safest thing is to just not open it if you have any doubt at all about its legitimacy.
Invoices and Email Receipts
Depending on the size of your holiday shopping list, just keeping track of what you bought and where you bought it from can be overwhelming.
This too creates opportunity for hackers, who have found success in creating fake purchase receipts.
Ideally a fake receipt is something that we could easily spot (or at least it would raise a red flag), but at holiday time, it’s conceivable that you might have forgotten about a purchase, especially if the receipt appears to be from a known retailer like Amazon or Walmart.
So the reality is that distracted and busy holiday shoppers are more susceptible to this type of scam.
A bad click on a fake receipt might lead you to a spoofed webpage or result in a malware download – possibly even ransomware.
If possible, try to keep track of what you purchased from where, and the amounts. That way you can simply check your list (and check it twice!) if you see such an email hit your inbox. But even if this type of organization isn’t in the cards, you can still avoid falling victim to this type of attack by avoiding clicking on links in these types of emails.
You should also avoid opening up any attachments that claim to be invoices or receipts, unless you are 100% certain of the validity of the sender.
Shipping Status Notifications
Similar to fake email receipts, these fake shipping notifications generally increase around the holidays. With so much shopping being done online and shoppers getting packages delivered daily, it’s natural to want to check on the shipping status of your purchases.
Unfortunately, cybercriminals have taken full advantage of this scenario with phishing campaigns that entice end-users to click to check their order status.
Often the wording is vague and it may allude to a delay or delivery failure, which plays on your emotions (oh no, what if my ugly sweater doesn’t get here in time for the party?), and the next thing you know, your computer has been hit with malware.
We’ve probably all seen some version of this since it’s been around for years. It can appear to be from the USPS, DHL, UPS or FedEx.
This scam isn’t going anywhere, so remain vigilant this holiday shopping season. If you need to check the status of a package, you should navigate directly to the site and log into your account to see the details that way. Or pull up your order number and call them.
Christmas Party Invitations
With all the legit party invites circulating the internet this time of year, is it really any wonder that this too has become an attack vector?
Click on a phony invite though and you’ll end up installing malware on your device.
The same rules apply for invites as cards – if you don’t know the sender, don’t open the invite. Never open an attachment purporting to be an invite, unless you are absolutely certain about the source. And even if you think the invite is legit, double-check the URL and proceed with caution.
If anything at all about the invitation seems suspicious, it’s better to be safe than sorry. For example, if you don’t think your very conservative company President is likely to invite you to a toga party (or even to host one at all) on Christmas Eve, you are going to want to trust your gut and assume that invite to be phony.
Surveys
Those survey emails that promise some sort of reward – gift card, money, etc. – in exchange for completing a survey can end up being nothing more than a scam.
The hacker then ends up with some level of personal information about you, which is all they are really after with these. It could be that the survey gathers an additional detail needed for a more advanced phishing attack, or it may even directly ask for financial information.
Remember that you shouldn’t have to provide financial information to secure a promised reward.
With surveys, use the risk-reward analysis and ask yourself, is the risk really worth the potential reward? Most likely the answer is no, meaning it’s much safer to just skip the surveys altogether.
If you do feel compelled to complete a survey, follow the standard best practices and first carefully check the URL and the email sender, and look carefully for any misspellings or awkward phrasing that might signal a phishing attack.
Charity Scams
Not only is it the most wonderful time of the year, but it’s also a time when many of us choose to make contributions to charitable organizations, which makes charity scams all the more enticing for cybercriminals.
A separate article covers avoiding charity scams in detail, but the basic best practices for donating safely and ensuring that your contribution makes it to the organization you wish to support include:
- Contact the organization directly, either by phone or by navigating to the website on your own (not from a link in an email)
- Be wary of charities that appear to have been newly created, just for the holidays (or in response to a recent disaster)
- Avoid giving cash donations
- Don’t respond to unsolicited emails or phone calls. Even if you believe it’s from a trusted organization, it’s still better to stay in control of this and contact them directly using the known URL or phone number.
- Be very cautious of emails with attachments that claim to include photos or videos – these attachments may contain viruses
- If someone is pressuring you to donate or requesting a donation via a Visa gift card, it’s a red flag.
- If you have any doubts about the legitimacy of an organization, vet them using one of the many non-profit resources that either rate or at least confirm a group’s status.
Tips For Avoiding These Popular Holiday Scams
Do an online search
These scams are often repurposed and/or sent out en masse, so in many cases a quick internet search with the subject line of the email, the deal, or some other identifier from a suspicious email can quickly confirm it to be a scam.
For example, if you enter the phrase “ecard from secret” into Google’s search bar, the first suggestion to appear is “ecard scams from secret admirer”. That right there tells you that it’s a scam, and you can select from numerous articles providing more information.
Don’t trust your caller ID
Accept the fact that scammers are able to spoof caller ID information and that the name and number you see displayed aren’t necessarily real. If someone calls you asking for money or personal information, don’t be fooled by the caller ID display. Hang up.
Be cautious and verify
With the volume and sophistication of these types of scams increasing, it’s impossible to identify every single potential risk out there. Which means that a healthy dose of skepticism is your best defense.
If something seems suspicious, don’t trust it.
Also train yourself to take a few extra seconds to verify things like the URL, the spelling, and the email sender.
And finally, when it comes to requests for personal information, always stay in control of where you land on the internet. Just because that email looks like it came from your bank doesn’t mean it’s not a phishing message. If you have any concerns at all about the status of any account, either call them directly or navigate to their known site on your own in a clean browser window.
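To put the URL double-check from the email-deals section and the verification advice here into practice, this added example (not part of the original post) scans an HTML promotional message and flags links whose visible text names one domain while the href goes to another, as well as links to domains that merely resemble a known retailer. KNOWN_RETAILERS is a hypothetical allow-list and the sample e-mail is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_RETAILERS = {"amazon.com", "walmart.com", "hallmark.com"}  # hypothetical allow-list

def registrable_domain(host):
    """Last two labels of a hostname (crude: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def hostname_in_text(text):
    """Hostname if the visible anchor text itself looks like a URL, else ''."""
    t = text.strip()
    if " " in t or "." not in t or not t[0].isalpha():
        return ""
    return urlparse(t if "://" in t else "//" + t).hostname or ""

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in the e-mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def audit_links(html):
    """Return (href, reason) for each link that fails the URL double-check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = hostname_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append((href, f"visible link says {shown}, goes to {host}"))
        elif registrable_domain(host) not in KNOWN_RETAILERS and any(
                r.split(".")[0] in host.lower() for r in KNOWN_RETAILERS):
            findings.append((href, f"lookalike domain {host}"))
    return findings

SAMPLE_EMAIL = """<p>Constructed sample: huge Black Friday savings, today only!</p>
<a href="http://amazon.com.holiday-deals.example/login">amazon.com/deals</a>
<a href="https://www.walmart.com/">Shop Walmart</a>
<a href="http://198.51.100.7/track">www.ups.com/tracking</a>"""
```

Running `audit_links(SAMPLE_EMAIL)` flags the lookalike Amazon domain and the tracking link that hides a bare IP address, while the genuine Walmart link passes.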
Understand social engineering tactics
When you are aware of the tactics being used against you, it's much easier to spot them, and avoid becoming a victim. Phishing campaigns use very sophisticated social engineering tactics, so make sure you understand this and that your team does too.
These tactics primarily prey on your emotions, and attempt to create a sense of extreme urgency, in an attempt to convince the target to react quickly and emotionally.
Secure Your Network
Having strong network security overall is just as important as educating all end-users about these popular holiday scams. This layered approach is your best bet for protecting your business network, and it should be reinforced during the holiday season.
From a network perspective, avoiding these types of phishing attacks and scams means you should:
- Use anti-spam and anti-virus software
- Keep your operating system and applications up-to-date
- Have properly managed firewalls
- Invest in 24/7 monitoring services
With employees opening up personal email on company computers, they are more than likely going to be shopping online, opening up invites and looking for good deals over the next 6 weeks, which could invite trouble onto your network if they aren't aware of the risks.
And that makes this the most important time of the year to educate your team members about these potential threats, and to prioritize your network security strategy. The health of your business depends on it.