You’d better watch out: ‘Tis the season for holiday shopping scams
It’s always a mad scramble to find the perfect gifts in time for the holidays. And like the Grinch gazing down at Whoville, cybercriminals are watching, and they’re ready to take advantage of your haste.
Whether it’s pilfering personal information or duping consumers into scams, there’s a lot more at stake than presents and a roast beast.
This year’s holiday season will likely be trickier than those of years past. COVID is forcing many people who would’ve normally gone to malls to shop online. Rather than hand-delivering gifts, they’re shipping them to family and friends.
Chip shortages and supply chain issues — shorthand for a host of manufacturing and shipping snafus — have only compounded that problem. Gifts are harder to get and slower to send. In fact, a new survey from CNET shows that more than nearly one in five Americans are buying more gifts online this year due to supply chain issues.
The combination of increased online shopping and heightened desperation creates the perfect environment for cybercriminals, who prey on emotions to pry credit card numbers, login credentials and other personally identifiable information from consumers.
Shoppers facing down shipping deadlines for Christmas, Hanukkah and Kwanzaa will be both more apt to shop on questionable websites and less likely to think before they click on holiday themed scam emails, says Josh Yavor, the head of information security at Tessian, a cybersecurity company.
Like a lot of people, Yavor said he’s been struggling to find an Xbox for his child. Phishing emails advertising deals on one of those would be tempting to click on, even for someone like himself, he said.
“We’re going to see more and more of that, especially this year with the ongoing supply chain issues.”
Fortunately, just a few precautions can go a long way toward ensuring your holiday season remains merry and bright. For example, 52% of online holiday shoppers are sticking with reputable retailers, according to CNET’s poll. Nearly 40% said they’d use a credit card, rather than a debit card tied directly to their bank account, for online purchases.
Only 7% said they didn’t plan to do anything to protect their personal information while shopping online.
Here are a few recommendations from experts on how to shop safely for the holidays:
Check your list (and credit card and bank statements) more than twice
Keep an eye on your bank and credit card accounts. It’s good not only for security but also for keeping track of your spending.
You can make this task easier by limiting your holiday shopping to a single credit card and email address. Doing so will also reduce the risk of falling for a phishing scam if one comes to your other email accounts.
Don’t use your debit card for purchases. Your bank will help you recover money if your account is compromised, but it’s a lot easier to get charges reversed when a credit card number is stolen.
“The credit card is the most replaceable part of your identity,” said Chester Wisniewski, principal research scientist for Sophos.
He added that people should be more worried about protecting personal information that can’t be changed, such as their birth date and mother’s maiden name.
Don’t be a feast for the phishermen
Scam emails were once easier to spot because of the overly spammy pitches or English so bad it would embarrass Google Translate. That’s changed.
Low-cost, automated technology can make phishing emails both more natural sounding and contextually relevant. Though security technology has also improved, it can’t do much to stop people from clicking on things they’re convinced are legitimate.
Cybercriminals are also taking a lower-tech approach by hiring native speakers to write email templates for them, says Tonia Dudley, a phishing expert for the security company Cofense. She noted that one Russian cybercrime gang went so far as to hire a native Japanese speaker to target people in that country.
In recent years, some of the most convincing phishing emails have taken the form of shipping notifications complete with barcodes that look like they’re from FedEx or UPS. If you’re worried about authenticity, go directly to the shipper’s website and copy and paste the tracking number into it. Don’t click on links or open attachments, no matter how tempting or urgent they might seem.
According to new research from the cybersecurity company Bitdefender, some of the most popular lures used in phishing emails spotted in early November included Black Friday deals on Ray-Ban and Oakley sunglasses, “26 products that will sell out by Thanksgiving” along with deals for Walmart, Sam’s Club and Amazon shoppers.
Increasingly, fake shipping notifications are coming in the form of texts. According to new research from Proofpoint, which specializes in phishing protection, holiday themed mobile or text (SMS) phishing, also known as smishing, has nearly doubled compared with a year ago. And nearly two thirds of those messages sent worldwide are related in some way to a delivery or a retail brand.
Many people are just less skeptical about texts than emails, said Brian Wrozek, chief information security officer at the cybersecurity firm Optiv.
“For some reason, we’re all more comfortable with what shows up on our phones,” Wrozek said. “It’s like if they’re texting it, it must be legit.”
Is that really Santa? Or just the Grinch in disguise?
Sure, you can Google around if the major retailers don’t have what you want in stock, but make sure you’re dealing with a legitimate business. Be especially skeptical of ads that pop up in your social media feeds touting amazing, limited-time offers.
As the saying goes: If something seems too good to be true, it probably is.
Though we all want to support small businesses, especially during tough times, limit how much of your personal info you give them, Wisniewski advises. A mom-and-pop shop might be well run, but it’s unlikely to have the cybersecurity protection a big-box store has.
The Elf on the Shelf isn’t the only one watching, but does that really matter?
The internet has changed a lot in recent years. Any site worth its salt is now encrypted, which means if someone did intercept your web traffic, for instance by logging on to the same Wi-Fi as you at the neighborhood coffee shop, it would be scrambled and useless.
For that reason, many security experts say a virtual private network, or VPN, which masks people’s location in addition to encrypting their data, is overkill for most folks.
Wisniewski says taking basic cybersecurity precautions, which you should be doing all year round, is all you need to ward off a visit from a cyber Krampus.
Make sure your devices and online accounts — bank and credit cards, emails, social media, shopping-website logins, and so on — are locked down before you start shopping. Update your operating systems, antivirus software and all your apps.
Strong, unique passwords for all online accounts are a must. If you need help, use a password manager. Two-factor authentication, which requires a second identifier like a biometric or push notification sent to your phone, should always be enabled when available.
If you’re worried about the security of the free internet at your local store, use the cellular connection on your smartphone instead. It’s a lot more secure than just about any Wi-Fi connection out there.