There may not be crowds of people swarming malls for Black Friday deals like schools of piranha, but there is still plenty of holiday shopping to be done—especially if you’re a last minute shopper. Many stores are extending online and in-store sales well into the weeks before Christmas, but there’s another group that’s eagerly anticipating the increased online traffic: cybercriminals.
With that in mind, let’s review some of the more common tactics of would-be cyber-Grinches.
Be Suspicious of Your Inbox
There are many perks to online shopping that in 2017 are old news: no holiday crowds, home delivery, and email alerts to name a few. Unfortunately, that last one—sales emails—are handy, and cybercriminals know it.
Just as they try to spoof legitimate communications from prospective clients and tax-software vendors, identity thieves create phishing emails designed to look like holiday sales alerts from reputable retailers. When you click embedded links, you may be directed to a fake website designed to collect your private data or download key-logger malware that records everything you type.
Another common tactic is to send a fake password reset email in an attempt to get victims to directly provide sensitive information. Whatever form these phishing emails take—as always—the aim is to get private data that can be used to file fraudulent tax returns or sign up for credit cards.
Long story short: be suspicious of the flood of sales emails in your inbox.
Oh, the Places You Shouldn’t Go
In the endless search for holiday sales, people often scour their Google results well below the fold. Sometimes they find the perfect deal, other times they find a scam page that’s been set up by identity thieves.
Similar to emails spoofing legitimate retailers, cybercriminals create fake retail pages meant to look like legitimate businesses. These sites can run malicious scripts, include malware downloads, or simply request private information when performing a “transaction.” One dead giveaway is a suspicious URL, but identity thieves are getting fairly savvy when it comes to naming their spoof pages.
The IRS recommends only visiting an HTTPS site. Standing for “Hyper Text Transfer Protocol Secure,” HTTPS sites are given a security certificate and, ostensibly, encrypt all communications. Unfortunately, even criminals can get a security certificate, so this isn’t a perfect test for whether any given website is safe.
Avoid Public Wi-Fi
You’re at the mall and need to price check an item to make sure you’re really going to get the best deal. The problem is that your data plan is almost kaput, so you decide to use the store’s free Wi-Fi. That’s a win-win situation, right? Well, maybe not.
Another thing criminals like to spoof are legitimate public Wi-Fi hotspots. Known as an “evil twin attack,” cybercriminals set up a Wi-Fi hotspot with the same name as another public network, like “Coffee Shop.” Once you log into one of these scam hotspots, the cybercriminal can access your device, monitor your activity directly.
