With Black Friday quickly approaching, now is an ideal time for a refresher on cyber scams and best practices to keep your information secure this holiday season.
As many of us are starting to make our Thanksgiving plans (2021 really went fast, didn’t it?), we are also starting to browse upcoming holiday sales. From traditional Black Friday and Cyber Monday sales to early access deals and store exclusives, advertisements are pushing consumers online through every channel possible.
Add in the increased shift to online shopping due to the pandemic and the convenience of shopping at home, as well as the increase in stores opting to close their physical doors this Thanksgiving, and you have a perfect storm for threat actors searching for personal and financial information due to heightened online activity.
In fact, the National Retail Federation (NRF) reported that holiday sales totaled $789.4 billion in 2020 (an 8.3% increase from 2019), with online and other non-store sales increasing 23.9%. Consumers show no signs of slowing down this year either according to the NRF, who report that the average shopper will spend approximately $1,000 during the holiday season and that 28% of consumers, are planning on shopping more this year.
Unfortunately, with the increased spending came an increase in reported security incidents last year, when Experian reported that one in every four American reported falling victim to fraud during the holidays. And we expect to see more of the same this year.
In an effort to help keep our communities, clients and friends secure this year, the Schneider Downs cybersecurity team is sharing some of the top scams to look out for and best practices for keeping your information secure during the holiday shopping season and beyond.
Top Holiday Shopping Scams
Malicious Websites and Apps
One of the new challenges consumers are set to face in 2021 are stock shortages associated with the supply chain issues of the last year. This means that popular gifts may not be widely or even sporadically available through major retailers. These shortages can cause consumers to look to third-party websites in desperation, setting aside their best judgement in order to do whatever it takes to get the big-ticket items – including using malicious websites.
When shopping online, be sure to only use verified websites and verify URLs, since imposter sites frequently use a similar nomenclature as popular sites in order to fool consumers. Additionally, be sure to go to authorized websites directly and avoid any sort of pop-up advertisements or suspicious social media links, as scammers can purchase advertisements with the intent of directing shoppers to a malicious site.
The same thoughts go for apps. We recognize that many authorized retailers and shopping platforms have mobile apps design to provide a smart device experience, but there are also countless malicious apps out there waiting to be downloaded. While the majority of app stores are good about finding and deleting these quickly, many still slip through the cracks and expose your information.
Remember, not even Turbo-Man is worth providing your financial information to third-party websites, especially when all of your instincts are telling you the site is shady. Verify you are on a secure website by looking for https:// and a padlock icon in the address bar, double-check the full URL to ensure you are on the correct site and keep your guard up against websites of all forms (charities, retailers, etc.).
If you want to verify a website, there are several free online tools that can help, including Google’s Transparency Report tool at https://transparencyreport.google.com.
Imposter Wi-Fi Networks
We know the whole “don’t use public Wi-Fi” message has been around forever, but brick and mortar stores are making it even more difficult to resist connecting to public networks during the holiday season. A majority of stores offer incentives for using their networks including coupons or free items with a minimum spend. In most cases, this just allows the store to collect your data, but it sometimes also provides an opening for threat actors to set up imposter networks to connect to your device.
So next time you see a store offering incentives to use their Wi-Fi, remember a $5 coupon is most likely not worth the risk of having your data stolen.
Shipping Scams
Another scam that is not new, but continues to be used because it succeeds is fraudulent shipping communications. Threat actors send a litany of communications out during the holiday shopping season impersonating major shipping companies (Fedex, UPS, USPS) and retailers. By claiming to report shipping issues, they to get you to click on malicious links or hand over credit card information. While historically these scams come through standard phishing attacks, many still arrive via smishing (texting) and vishing (phone).
Remember, if you have concerns about shipping, you can always contact the shipping company or retailer directly through the contact information listed on their official websites. We also suggest keeping copies of receipts (or taking a photo) which usually have the tracking number and direct customer service number listed. Additionally, Fedex offers a great resource center to help consumers recognize and report fraud at www.fedex.com/en-us/trust-center/report-fraud.html. The resource center shares common warning signs, scams and fraud types.
Protecting Your Information
Identify Phishing Scams
The first step to protecting your personal information during the holiday season and beyond, is to learn how to identify scams. Thankfully, phishing (vishing and smishing too) uses the same techniques it has used for years – the holiday season just gives them a different coat of paint. Our article “Six Common Elements of Phishing Scams and How to Spot Them” provides some of the most common warning signs to watch out for, including:
- Too good to be true – Usually the email will include some type of draw that will grab your attention. In the case of the latest scam, a mention of tax savings would be eye-catching.
- Sense of urgency – There is usually an expiration date on the aforementioned draw or a warning that you will be locked out from the online account if the matter is not addressed within a certain period of time.
- Bogus hyperlinks – While they can appear to lead to legitimate websites, bogus hyperlinks contain slight changes or variations that will lead you to visit a fake website or to download a malicious file.
- Phishy “From” addresses – The email address of the sender can easily be spoofed in a similar way as a bogus hyperlink can be. A phishing email can appear to be from someone you know like a colleague or a superior; it is recommended that you hover over the address to check for errors or variations in spelling or formatting. It is also important to consider the tone of the email. If it appears to be from a sender that you know, is their pattern of language and email signature consistent with previous correspondence? If it seems out of the ordinary, don’t open the email.
- Attachments – Any attachment should warrant additional scrutiny. It is prudent to never open unsolicited attachments. Password-protected PDFs have become an increasingly popular tool by which scammers gain access to your personal information. Upon attempting to open a password protected PDF, the recipient is prompted to enter their username and password, which is then collected and can be used to gain access to their other accounts. If you use password-protected PDFs frequently, we highly recommend refrain from including your password in the email message.
- Unusual requests – Many phishing schemes will prompt the reader to send gift cards, cashier’s checks, money orders etc. This should be a red flag that the request is not legitimate.
Secure Your Devices
One of the first steps you can take to protect your information is to ensure the devices you are using are up-to-date. The majority of devices have regularly scheduled updates or send push notifications when new ones are available – so commit to performing the updates for your security. We recommend using automatic update options if possible and restarting your computer on a regular basis.
Device security also includes separating personal activity and work devices, especially during a time when many of us are still remote and shopping online. As we stated last year, activity as simple as shopping or checking personal email can lead to security issues that can compromise the device and your entire organization.
Update Your Passwords
Even if you have secure passwords that meet requirements, chances are your information was exposed over the last year or will be next year. In 2021 alone, major companies including T-Mobile, Volkswagon, Audi, Kroger and Facebook all reported major data breaches that put customer data at risk. This is why the holiday season is a good time to refresh your passwords and monitor your accounts for unusual activity.
Another option to ensure password security is using password management software, which essentially acts as a master lock for all of your passwords. Password managers not only add a layer of convenience to password security, but many help you create strong passwords with stringent requirements. Many password management software providers offer options for personal and enterprise security needs.
Manage Data Privacy Settings
We recommend taking the time to monitor and adjust your data privacy settings so that you fully understand how your data is being collected. Many devices and apps have liberal settings that allow developers to collect your data usage, location and phone data – which can act as a starting point for countless attacks and expose you to unnecessary risk if the app is breached.
Use Credit Cards
While using credit cards is not a security strategy perse, it is a best practice to limit your liability when shopping and can minimize the financial damage if your information is stolen. Many credit cards have 24/7 activity monitoring that flag unusual activity, including large purchases and spending in geographical areas outside the norm.
Plus, credit cards are exactly that: credit. In most cases, you can report fraud with minimal impact to your liquidity. If your debit card is stolen, on the other hand, that is cash out of your account and can involve an extremely long process to remediate. We also recommend reviewing your credit card statements, especially during the holiday season, and notifying your financial institution if you see any fraudulent activity. Another method that you can use is locking cards that aren’t in use, which keeps your account active, just not accessible for purchase until unlocked.
One new feature popping up over the last year has been the virtual credit cards. Virtual credit cards were introduced to help reduce the risk of fraud and work by providing a randomly generated number that allows you to transact on your credit card without exposing the main card number. These can be limited per retailer and locked just like regular cards. There is a ton of upside with virtual cards, but they can make returning items and reoccurring purchases challenging.
CISA Holiday Cybersecurity Resources
- CISA Shop Safely Home Page
- CISA Online Holiday Safety Tip Sheets
- CISA Holiday Scams and Cyber Threats Press Release
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.