
Wombat Security is a leader in security awareness and training. Our blog covers the latest cyber security news, insights, and best practices. We arm infosec professionals with the knowledge and tools they need to improve end-user behaviors and reduce organizational risk.

Holiday Shopping Tips: Stay Alert to These Types of Scams

Posted by Gretel Egan on 11/15/17

Topics: Social Networks, Phishing, Social Engineering, Security Spotlight, Keys to Success, All Posts, Cyber Security Alert

Holiday shopping mania seems to be in full swing already this year, with Black Friday and Cyber Monday previews and preseason deals popping up in inboxes and social feeds everywhere. And it’s not just happening in the US, despite the fact that these shopping specials are triggered by the Thanksgiving holiday. In the UK, retailers are already offering heavy discounts — some as high as 25% to 30% — which normally doesn’t happen until Black Friday and beyond. Though the offers in the UK are likely in response to rising inflation, a dip in annual sales figures, and a hike in interest rates, the aggressive sales by legitimate retailers on both sides of the pond present a golden opportunity for cybercriminals — an environment in which online shoppers are seeking (and expecting) better-than-average deals.

As such, it’s perhaps more important than ever for consumers to brush up on online shopping tips and cybersecurity best practices. But it’s also helpful for online shoppers to see what phishing attacks, social media scams, and other tricks and traps look like in practice. It’s similar to the idea of “putting a face to a name”; visual cues can lead to a stronger connection and, in the case of security awareness, give users a better sense of how to put best practices into action.

Following are some real-world examples of fraudulent emails and social posts that are designed to trick unsuspecting consumers. Though the attacks you come across may be different in some ways, many con artists use common techniques to fool online shoppers into being careless with their personal information and their financial data.


Examples: Amazon Phishing Emails

Unfortunately for large retailers like Amazon, their size and reach make their brands the perfect vehicles for social engineers. Because consumers frequently get emails from a company like Amazon, they can mistakenly assume that any email that looks like it’s from Amazon is legitimate.

Here is an example of an email that played on a customer’s fear that he had been locked out of his Amazon account. Judging by the structure of the email — and the fact that the From address is clearly not a legitimate Amazon address — the ultimate goal of this message was to steal this user’s login credentials:

[Image: phishing email claiming the recipient’s Amazon account has been locked]

Source: Better Business Bureau


Following is an example of a widespread phishing attack that happened after this summer’s Prime Day shopping event. Instead of using fear, the social engineers made recipients an offer that many couldn’t refuse: free money.

[Image: Prime Day phishing email offering a free reward]

Source: Komando.com


That said, phishing isn’t just linked to big businesses. During the holidays and all year round, it’s important to carefully read and consider any email that asks you to click a link, download a file, or confirm login credentials or payment information.


Find more holiday shopping tips that can help you avoid phishing emails, phony charities, delivery fraud, and other scams.

Security Spotlight: Avoiding Holiday Shopping Scams


Examples: Phony Shipping Notifications

Phishing emails that fraudulently represent home and commercial shipping services aren’t anything new — but that doesn’t mean they aren’t still successful. These types of attacks are perennial favorites for attackers, and they become more frequent during the holidays. We again see social engineers tapping into fear; after all, nobody wants there to be a problem with merchandise they’ve ordered or packages they’ve shipped.

Below is a phishing email that UPS shared on its website to help keep its customers informed of the kinds of fraudulent messages that are being reported by alert recipients. In addition to an invalid embedded link, the email address in the From field clearly shows that the message did not originate from UPS.com.

[Image: phishing email impersonating a UPS delivery notification]

Source: UPS.com


But as the example shared by FedEx below shows, phishing emails target senders and recipients alike. In these types of attacks, the content is paired with a malicious attachment that infects the user’s device when downloaded.

[Image: phishing email impersonating FedEx, carrying a malicious attachment]

Source: FedEx.com


Examples: Fake Social Media Ads

In the survey that was the basis for our 2017 User Risk Report, we asked 2,000 working adults — 1,000 in the US and 1,000 in the UK — a range of questions about cybersecurity best practices, including those used on social media. One thing we found was that US adults tend to put too much trust in business pages on sites like Facebook and Twitter; in fact, 57% of these respondents said they believe that business pages are approved by the hosting social media application prior to being posted. 

Cybercriminals are certainly benefitting from this misplaced trust. I didn’t need to look any further than my own Facebook feed to find examples of scammers who are exploiting known brand names to trick users. In the first example, the ad seems to be affiliated with Amazon and promises NHL fan gear at incredible prices. However, on closer examination, the link shown at the bottom of the ad — OfficialNHLShop.com — is not an Amazon link, nor is it the “official” NHL shop (a visit to NHL.com and a click on that page’s “Shop” tab confirms that the legitimate link is shop.nhl.com). Given these clues, it’s clear that making a purchase through this site is risky at best and downright dangerous at worst.

[Image: Facebook ad for NHL fan gear that appears to be affiliated with Amazon but links to OfficialNHLShop.com]

Following is another example of a common social media ploy: free money. Whether it comes in the form of a promised gift card or a voucher (like what we see below), users are tempted to roll the dice and take a chance. The problem is that they don’t realize how big of a chance they are taking.

In this version, which I saw shared by multiple people, the website listed at the bottom of the ad is again a telling clue. The graphic makes abundant use of the Macy’s logo and, at first glance, the weblink appears to confirm that affiliation. However, a closer look shows that the link doesn’t go to Macys.com; instead, it goes to Thanksgiving-90off.com — which is unlikely to offer anything other than trouble to trusting consumers.

[Image: Facebook ad using the Macy’s logo that links to Thanksgiving-90off.com]
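The From-address mismatches in the email examples above and the link-domain mismatches in the social media ads come down to the same check: does the registrable domain actually belong to the brand the message claims to represent? The Python below is an added example (not code from the original post or from Wombat Security) that applies that check to the domains named in this post; the brand allowlist and the simplified public-suffix handling are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of legitimate brand domains (an assumption for this
# example; a real deployment would maintain and vet its own list).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "nhl": {"nhl.com"},
    "macys": {"macys.com"},
}

# Two-part public suffixes this simplified resolver understands (assumption:
# enough for the brands above; use the Public Suffix List in real tooling).
SECOND_LEVEL = {"co", "com", "org", "ac", "gov"}


def registrable_domain(host):
    """Return the owner-controlled part of a host (e.g. shop.nhl.com -> nhl.com)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(value):
    """Extract the host from a URL, a bare domain, or an e-mail address.
    urlsplit() handles userinfo tricks such as https://amazon.com@evil.example/."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def check_brand_link(value, claimed_brand):
    """Classify a link or sender against the brand it claims to represent.
    Returns 'legitimate', 'lookalike', 'unrelated' or 'unknown-brand'."""
    brand = claimed_brand.lower()
    if brand not in BRAND_DOMAINS:
        return "unknown-brand"
    host = host_of(value)
    if registrable_domain(host) in BRAND_DOMAINS[brand]:
        return "legitimate"
    # Brand name embedded in a domain the brand does not own (OfficialNHLShop.com,
    # amazon.com.evil.example): the lookalike pattern seen in the ads above.
    # Character substitutions such as amaz0n are not caught by this substring test.
    if re.search(re.escape(brand), host.replace("-", "").replace(".", "")):
        return "lookalike"
    return "unrelated"
```

Ads that use a brand’s logo but link to a domain with no connection to it (the Macy’s example) come back as "unrelated", which is a red flag in its own right rather than a clean result.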


Stay Cyber Safe and Keep Your Holidays Jolly

As you can see from the examples we’ve shared, good decision-making is key to keeping your personal and financial information secure when shopping online. Don’t prioritize deals over your data and stay alert to holiday shopping scams. Be sure that the emails and ads you engage with this holiday season are on the nice list — and report those that are on the naughty list.
