Scams, safety, and shopping sense.
We've received a great deal of advice about safe shopping (and safe giving) during the holiday season. As we get ready for Thanksgiving, we thought we'd share some of the insights experts in government and industry have offered.
Advice from two of the Five Eyes.
Both the United Kingdom's National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA) have published some sound common sense about staying safe online.
First, advice from the NCSC, organized under six heads:
- “Choose carefully where you shop.” The online store you've never heard of, or the one with the Pyongyang IP address? These are probably the kinds of places you can pass up. Put your virtual hands in your digital pockets and walk on by.
- “Use a credit card for online payments.” Not a debit card. You may have some protection against fraud with your credit card. If the hoods get your debit card or direct access to your account, then your funds are probably just gone baby gone.
- “Only provide enough details to complete your purchase.” The online shoe store doesn’t need to know Grandma’s maiden name, your Social Security Number, where you were born, and so on.
- “Keep your accounts secure.” With, for example, two-factor authentication, by keeping your software up to date, and by avoiding password reuse.
- “Watch out for suspicious emails, calls and text messages,” because the social engineers can be expected out in force.
- “If things go wrong”... tell the appropriate authorities. There’s an appropriate authority for every jurisdiction.
CISA has published similar recommendations for safer holiday shopping. “Americans are adjusting their travel and shopping habits for a holiday season that’s sure to be unlike anything we have experienced,” Acting CISA Director Brandon Wales wrote in a widely shared email, adding, “Hackers, scammers and thieves will take advantage of these changes and the generosity of the public during the holidays to target online shoppers and those giving to charities. There are a few simple steps everyone can take to lower their risk and have a safe and enjoyable holiday season.” CISA’s recommendations are organized into three main categories, and they're in substantial agreement with the counsel the UK's National Cyber Security Centre has offered:
- "Check Your Devices." Keep software up-to-date, make strong passwords, and use multifactor authentication.
- "Only Shop Through Trusted Sources." This one begins with an appeal to common sense: "You wouldn’t go into a store with boarded up windows and without signage – the same rules apply online. If it looks suspicious, something's probably not right."
- "Use Safe Methods for Purchases." Credit cards are safer than debit cards, and by all means do check your paycard statements for evidence of purchases you didn't make.
And much the same goes for charitable donations.
Many other experts are offering similar advice. We received a useful reminder from the University of Missouri that seconds the appeal acting Director Wales offered: apply the same care you'd use in your online shopping to your charitable contributions. It's not only shopping scam season, but unfortunately it's also the season of bogus charities and affinity grifting. So here’s how we’d gloss that holiday advice: be good-hearted and generous, but be alert and careful, too. As wise as serpents and as simple as doves.
What sorts of scams can we expect?
You've no doubt noticed that many people are staying home during the holidays, and doing their shopping online as opposed to visiting brick-and-mortar retailers. The criminals notice this too.
There are scams tailored to specific brands, products, and interests. Armorblox researchers have noticed one gang that's promoting and impersonating Ray-Ban, the upscale sunglasses brand. It's not a phishing site, but rather an operation pushing cheap counterfeit knockoffs as the real thing.
Armorblox has a post on this particular scam called "Smoke, Mirrors, and Sunglasses: Ray-Ban Shopping Scam." Arjun Sambamoorthy, co-founder and head of engineering at Armorblox, wrote, “Scammers know that people expect large discounts during the holiday season, and will send malicious emails to take advantage of our heightened expectations. Whenever possible, subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email or the links it contains.”
The tip-off should be the deep discount, much deeper than anyone should expect. Sure, there are sales to be had, but some of them stretch credulity. The FBI warns that unrealistic discounts should be a red flag, the online equivalent of buying something from a dodgy looking guy selling stuff from the trunk of his car.
DomainTools researchers for their part have noticed a criminal turn toward Amazon. Not Amazon itself, but rather sites that appear to be Amazon-associated or Amazon-themed. The hasty, rushed, harried, or unwary might overlook the bogus domains. Amazon's the top banana for spoofing, with DomainTools scoring one-hundred-eighty-one "high-risk" domains for Amazon. Walmart (thirty-seven) and Best Buy (thirty-six) are distant also-rans.
Tim Helming, DomainTools Security Evangelist, wrote, “Cybercrime does not exist in a vacuum, and this huge pivot towards Amazon from threat actors is reflective of just how dominant the retailer has become. While this does not mean that other shoppers can rest easy, it does indicate that Amazon customers are the ones most at risk of phishing attacks. For this reason, we would recommend exercising extreme caution in the run up to Black Friday and Cyber Monday.”
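The "eye test" Sambamoorthy describes (sender name versus sender address, link text versus link target, discounts that stretch credulity) and the brand-themed lookalike domains DomainTools counts for Amazon can both be expressed as simple heuristics. The script below is an added illustration written for this piece; it is not code from Armorblox, DomainTools, or any of the agencies quoted. The brand-to-domain table and the three sample emails are constructed for the example, and the registrable-domain logic is deliberately simplified (it takes the last two labels and uses no public-suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for the example: domains each brand actually uses.
# A real deployment would maintain this from the brands' published sending/linking domains.
KNOWN_BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "ray-ban": {"ray-ban.com"},
}

# Discounts at or above this percentage are treated as "too good to be true".
SUSPICIOUS_DISCOUNT = 70

# Anchor text that itself looks like a URL or hostname (e.g. "www.ray-ban.com/sale").
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def normalize(text):
    """Lower-case and drop punctuation so 'Ray-Ban', 'rayban' and 'RAY_BAN' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def registrable_domain(host):
    """Simplified registrable domain: the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def brands_mentioned(text):
    """Known brand names whose normalized form appears inside the normalized text."""
    t = normalize(text)
    return {brand for brand in KNOWN_BRAND_DOMAINS if normalize(brand) in t}


def eye_test(message):
    """Return a list of human-readable findings for a parsed email.

    message = {"display_name", "from_addr", "subject", "body_text",
               "links": [(anchor_text, href), ...]}
    """
    findings = []
    from_domain = registrable_domain(message["from_addr"].split("@")[-1])

    # 1. Sender display name claims a brand the sending domain does not belong to.
    for brand in brands_mentioned(message["display_name"]):
        if from_domain not in KNOWN_BRAND_DOMAINS[brand]:
            findings.append(f"sender name claims {brand} but address domain is {from_domain}")

    for text, href in message["links"]:
        href_host = host_of(href)
        href_domain = registrable_domain(href_host)
        # 2. Link text shows one site while the href goes somewhere else.
        if URL_LIKE.match(text.strip()):
            shown = text if "://" in text else "http://" + text
            shown_domain = registrable_domain(host_of(shown))
            if shown_domain != href_domain:
                findings.append(f"link text shows {shown_domain} but points to {href_domain}")
        # 3. Lookalike: the link host mentions a brand but is not one of that brand's domains.
        for brand in brands_mentioned(href_host):
            if href_domain not in KNOWN_BRAND_DOMAINS[brand]:
                findings.append(f"lookalike link domain {href_host} imitates {brand}")

    # 4. Unrealistic discount anywhere in subject or body ("90% off").
    blob = message["subject"] + " " + message["body_text"]
    for pct in sorted({int(p) for p in re.findall(r"(\d{1,3})\s*%\s*off", blob, re.I)}):
        if pct >= SUSPICIOUS_DISCOUNT:
            findings.append(f"unrealistic discount: {pct}% off")
    return findings


# Constructed sample messages (not real campaigns). The '.example' domains are placeholders.
SAMPLE_SCAM = {
    "display_name": "Ray-Ban Official Store",
    "from_addr": "deals@rayban-outlet-sale.example",
    "subject": "90% OFF Ray-Ban sunglasses - Black Friday only",
    "body_text": "Everything 90% off! Shop now before it ends.",
    "links": [("https://www.ray-ban.com/black-friday", "https://ray-ban.sale-checkout.example/bf"),
              ("Shop now", "https://rayban-outlet-sale.example/shop")],
}
SAMPLE_AMAZON_SPOOF = {
    "display_name": "Amazon.com",
    "from_addr": "no-reply@amazon.com.order-status.example",
    "subject": "Your order could not be delivered",
    "body_text": "Confirm your address to receive your package.",
    "links": [("Track your package", "http://amazon-track-order.example/x")],
}
SAMPLE_LEGIT = {
    "display_name": "Ray-Ban",
    "from_addr": "news@ray-ban.com",
    "subject": "Our Black Friday selection",
    "body_text": "Selected frames 20% off this weekend.",
    "links": [("Shop the sale", "https://www.ray-ban.com/sale")],
}

if __name__ == "__main__":
    for name, msg in [("scam", SAMPLE_SCAM), ("amazon spoof", SAMPLE_AMAZON_SPOOF), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", eye_test(msg) or ["no findings"])
```

The heuristics are intentionally coarse: a legitimate marketer that mails from a third-party domain will trip check 1, and the two-label domain rule mislabels country-code hierarchies such as co.uk. They are meant to surface the same inconsistencies a careful reader would notice, not to replace a mail filter.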
And so what should shoppers do to protect themselves?
Saryu Nayyar, CEO of Gurucul, offered six numbered items of advice:
- "Malicious actors know people are more likely to open emails with timely subject lines, and the COVID-19 pandemic has led them to create new and clever phishing schemes using subjects related to the Pandemic, Unemployment, Stimulus and Vaccine trials. These emails will frequently offer links for more information, such as discount offers or perhaps even to register as a potential vaccine recipient. It’s important not to follow any of the links or open any attachments, as they often contain malware designed to steal your personal, financial, or credit information."
- "Avoid online shopping scams by shopping on secure sites. Cyber Monday deals can save consumers lots of money, but they can also scam them out of serious money as well. One of the biggest (and FIRST) indicators of a potential Cyber Monday scam is a website with no SSL certificate. Check the URL and if it is missing an “s” after the 'http,' then the site is not secure and you should shop elsewhere."
- "Check out as a guest. Constantly entering in the details of credit card numbers, shipping and billing addresses, etc. can be tedious, but it will help avoid the headache of having to deal with credit card theft. Consumers should never store credit card information on a website unless they are 100% sure it is secure to do so. And even then, it’s not a guarantee that the merchant can protect customer data from all the bad actors."
- "Avoid online shopping over public Wi-Fi. Checking out the latest Cyber Monday bargains at the airport coffee shop sounds like a great way to kill time before a flight. However, it is strongly advised that consumers avoid using public Wi-Fi when doing online shopping. Hackers use open networks to access devices, so avoid a sneaky Wi-Fi scam by waiting until you’re on a secure network."
- "Monitor bank accounts. This should be a no-brainer, but with the chaos surrounding the holidays, hackers are depending on consumers to forget to monitor their transactions. Many of us depend on our banking institution’s fraud monitoring software to alert us if an unusual transaction is made. However, it’s easy for small transactions for small amounts of money to go unnoticed. Make a note to check your accounts daily for extra fraud protection and financial safety during the holidays."
- "Watch out for malvertising (Malicious Advertising). When scouring [the] internet for the best online shopping deals, shoppers are bound to be shown a plethora of advertisements. Cyber criminals use “malvertisements” as bogus pop-ups or alert warnings to prompt users to click. Once they click or load a bogus web page, they unintentionally install data-stealing malware and infect their system. Consumers can cut their risk by installing an ad-blocking browser plugin and setting their browser to flag malicious content."
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, also sent a set of guidelines for safer shopping: "To protect themselves on Black Friday, Cyber Monday and throughout the holiday shopping season, here are three ways consumers can protect their online security.
- "Don’t register at every website – they don’t need to host your PII or payment data.
- "Think twice about signing on through Google or a social media account – this gives away much more data than many would care to share.
- "It’s difficult at this time of year to remember every website you use, but try and keep track of those you’re using for the first time or have only infrequently used and monitor your charge card data."
Remember: as simple as doves, but as wise as serpents. You may say all of this is just common sense, and of course it is, but it bears repeating nonetheless. Safe shopping, all.