November brings two of the busiest shopping days of the year – the annual Black Friday and Cyber Monday events that originated in the United States have increasingly become a global phenomenon. Cybercriminals will take advantage of frenzied consumers, hoping to find the best deals, and match the non-stop advertising by retailers with an increase in their malicious campaigns.
Whether you plan to shop online or in person at a store, be aware of the possible scams out there – protect your personal information and make shopping safer this season:
- Package delivery scams – They appear to be legitimate correspondence from FedEx, or other well-known shippers, saying a package couldn’t be delivered or claiming to have new information on the status of an order in transit. In reality, the messages are from opportunistic attackers preying on the fact that many of us see an increase in package deliveries during the holiday shopping season. This is how they try to steal your credentials and other sensitive data.
- Fake orders – You might get emails that appear to come from known vendors talking about an order you don’t even remember making. If you didn’t place an order, don’t click that email or text message link. Instead, go directly to the vendor’s website or call them to verify for yourself.
- Gift card scams – The WatchGuard team recommends that people make online purchases with alternate forms of payment other than their debit and credit cards, but solicited gift cards are not one of them. If any seller asks you to pay with a gift card, instructing you to buy one and then use its assigned number to complete your purchase with them, walk away from that seller.
- Fake charities – Many people increase their charitable giving during the holidays; however, there are disgraceful crooks who try to take advantage of this by asking for money via fake charity emails. To ensure you’re giving to a legitimate cause, double-check donation links and verify that any non-profit of interest is a valid organisation before making your contributions.
- Counterfeit websites – Keep an eye out for the fake eCommerce sites that pop up during this time of year. It is not hard for a cybercriminal to generate a website disguised as an online store, even one secured by SSL/TLS (the little lock that appears in your web browser to indicate a secure site). If you find yourself on an unfamiliar website, use an online reputation checker to verify that it’s a trusted merchant before buying anything there.
- Run-of-the-mill phishing – In addition to online shopping-related scams, you can expect a deluge of phishing emails to inundate your inbox around this time of year. Watch out for the fake ones that are trying to phish you using the usual, evergreen tactics.
Scams like these might make some people afraid to shop online, but you don’t have to be. With some common-sense tips and best practices, you can avoid the maliciousness and take advantage of all the real deals out there. Here are some security pointers for avoiding cyber scams:
- Beware of suspicious links – If you are referred to a link in a suspicious email, always check it before clicking. You can hover your mouse over the link to preview the URL it directs to and ensure it’s the actual domain it advertises. For instance, if the email is from Amazon, you should see “amazon.com” in the domain preview, not some strangely spelled variant of it.
- Use alternate online payment methods – Don’t use your normal credit or debit card to make purchases online. Services like Apple Pay and PayPal enable safe transactions between buyers and sellers by abstracting consumers’ actual financial account details from online payments.
- Only buy from secure websites – Look for the lock in the upper left corner of your web browser. This means all your transactions to and from that website are encrypted. Do not make payments to any site that doesn’t have that lock. That said, know that criminals can make secure web pages too. So don’t treat the lock as a guarantee of a legitimate site – only use it to dismiss sites you shouldn’t transact with because they don’t encrypt.
- Password managers – If you use a password manager, credential theft has less impact because the same password isn’t being used for all your accounts, and when you do have a credential stolen from a site, you can update it much faster.
- Enable multi- or two-factor authentication (MFA/2FA), where supported – MFA is the best way to protect against credential theft. Not all eCommerce sites support MFA, but all the major ones do. If the site supports 2FA or MFA, you should turn it on and continue using it.
- Watch out for malvertising – This is when an attacker leverages completely legitimate advertising services and frameworks to lure people to malicious links. Be sceptical and try to stick with vendors you know. If you spot what seems to be an overly good deal for a well-known product, check the actual vendor’s product page to verify its legitimacy. If that deal doesn’t appear to exist anywhere else, you should probably just avoid the ad trying to take you to that site altogether.
At the end of the day, the best strategy comes down to being careful and verifying items before you trust them. If you follow these simple tips, you should have no problem whilst shopping online and in person. Contact the Dolos team if you would like to learn more about the measures you can take to shop safely.