November brings two of the busiest shopping days of the year, plus some potential security risks, even if you never leave the comfort of your home. The annual Black Friday and Cyber Monday (BF/CM) events that originated in the United States have increasingly become a global phenomenon. With huge sales and “doorbuster” deals to kick off the holiday shopping season, they see a massive number of transactions. For this reason, you should expect cybercriminals to take advantage of frenzied consumers hoping to find the best BF/CM deals, matching the seemingly non-stop advertising by retailers with an increase in their malicious campaigns.
Whether you plan to shop online or in person at a store, follow these quick tips to help protect your personal information and make shopping safer this season:
- Package delivery scams – More than likely, you’ve received one of these fake delivery notifications in your email inbox or text messaging apps before. They come in many varieties, purporting to be legitimate correspondence from FedEx, UPS, or other well-known shippers, saying a package couldn’t be delivered or claiming to have new information on the status or estimated arrival time of an order in transit. Of course, there is no such parcel, nor will there ever be a delivery. In reality, the messages are from opportunistic attackers preying on the fact that many of us see an increase in package deliveries during the holiday shopping season. They’re hoping that you’ll be too busy or excited by the prospect of a gift to notice the bad grammar, spelling mistakes, and the sender’s unusual email address before you click on the malicious link in the email. Please don’t do it! This is how they try to steal your credentials and other sensitive data.
- Bogus orders – Similar to fake deliveries, you might get emails that appear to come from known vendors talking about an order you don’t even remember making. If you didn’t place an order, don’t click that email or text message link. Instead, go directly to the vendor’s website or call them to verify for yourself.
- Gift card scams – I often recommend that people make online purchases with alternate forms of payment other than their debit and credit cards… but solicited gift cards are NOT one of them! If any seller asks you to pay with a gift card, instructing you to buy one and then use its assigned number to complete your purchase with them, run ‒ don’t walk ‒ from that seller. It may be surprising that this scam still works, but it’s a great way for someone wanting to steal money from you to accomplish just that while staying under law enforcement’s radar.
- Fake charities – Many people increase their charitable giving during the holidays, whether they are philanthropists, sporadic donors, or simply want a nice antidote to heightened consumerism. What’s not so lovely, however, are the disgraceful crooks who try to take advantage of this by asking for money from well-intentioned individuals via fake charity emails. To ensure you’re giving to a legitimate and worthy cause, double-check donation links and verify that any non-profit of interest is a valid organization before making your contributions.
- Counterfeit websites – Keep an eye out for the fake and/or look-alike eCommerce sites that pop up during this time of year – especially those with deals that seem to be “way too good to pass up.” It’s not hard for a cybercriminal to spin up a website disguised as an online store, even one secured by SSL/TLS (the little lock that appears in your web browser to indicate a secure site). It might look “official,” but it doesn’t guarantee that you will be able to make a legitimate purchase. If you find yourself on an unfamiliar website, use the Better Business Bureau (BBB) or another online reputation checker to verify that it’s a legitimate and trusted merchant before buying anything there.
- Run-of-the-mill phishing – In addition to online shopping-related scams, you can expect a deluge of phishing emails to inundate your inbox around BF/CM. While you will receive plenty of legitimate vendor correspondence among the holiday sale alerts during this time, watch out for the fake ones that are trying to phish you using the usual, evergreen tactics.
Scams like these might make some people afraid to shop online, but you don’t have to be. With some common-sense tips and best practices, you can recognize and avoid the maliciousness and take advantage of all the real deals out there as you get a head start on the holiday season. Here are some of my top security pointers for avoiding BF/CM cyber scams:
- Beware of suspicious links – If you are sent or referred to a link in a weird, one-off email, always check it before clicking. On a typical computer, you can hover your mouse over the link to preview the URL it directs to and ensure it’s the actual – and, more importantly, legitimate – domain it advertises. For instance, if the email is from Amazon, you should see “amazon.com” in the domain preview, not some strangely spelled variant of it. Mobile phones don’t allow you to hover over links in this manner, so to verify links on these devices, you can often long-press a link to preview the domain it will send you to before tapping through. Just make sure your phone's preview option is enabled first, or else it will visit the link before you want it to. Better yet, don’t click the link in the message at all. Visit the eCommerce site manually. The sale is likely to be front-page news on the merchant’s site.
- Use alternate online payment methods – Don’t use your normal credit or debit card to make purchases online. If you accidentally enter those details in a shady place, the cyber scammer behind it might well make off with more than you expect. Services like Apple Pay, PayPal, Venmo, and Zelle enable safe transactions between buyers and sellers by abstracting consumers’ actual financial account details from online payments. Getting a temporary credit card to make purchases online can be a safer option as well, but be wary of anyone that requires you to pay with, say, a Visa gift card...
- Only buy from secure websites – Look for the lock icon in your web browser’s address bar. It means the connection between your browser and that website is encrypted, so your transactions can’t be read in transit. Do not make payments to any site that doesn’t have that lock. That said, know that criminals can make secure web pages too. So don’t treat the lock as a guarantee of a legitimate site – only use it to dismiss sites you shouldn’t transact with because they don’t encrypt.
- Password managers – Many of these shopping scams still try to steal users’ login credentials. If you use a password manager, credential theft has less impact because the same password isn’t being reused across all your accounts, and when a credential for one site is stolen, you can change it quickly without affecting the others.
- Enable multi- or two-factor authentication (MFA/2FA), where supported – While we are talking about credential theft, MFA is the best way to protect against it and saves you even if an attacker gets your password. Not all eCommerce sites support MFA, but all the major ones, like Amazon, do. If the site supports 2FA or MFA, you should turn it on and continue using it.
- If it sounds too good to be true, it probably is – You know this tip. If the deal seems too good even to be possible, you’re probably right. It could be a scam. Avoid it.
- Check new sites using the BBB or other consumer protection resources – I mentioned this above, but it’s worth noting again that fake sites do pop up during seasonal shopping events. If you’re about to buy something from a brand-new site you haven’t visited before, at least spend a minute to check its reputation before you proceed. In the US, the Better Business Bureau is a good place to start, but you can find other online reputation-checking services and reference user-review sites, too.
- Watch out for malvertising – A tougher cyber-scam nut to crack is malvertising. This is when an attacker leverages completely legitimate advertising services and frameworks to lure people to malicious or scammy links. Sometimes the top ten results for popular product search terms can include malvertising-generated links directing to sites that might try to phish you or install malicious software on your device. In short, just remain skeptical of weird ads, and try to stick with vendors you know. If you spot what seems to be an overly hot deal for a well-known product, check the actual vendor’s product page to verify its legitimacy. If that deal doesn’t appear to exist anywhere else, you should probably just avoid the ad trying to take you to that site altogether.
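The "hover and check the domain" habit from the suspicious-links tip can be written down as a small checker. This is an added example, not code from the original post: it assumes a constructed allowlist of the brand's real domains and uses only the Python standard library (no public-suffix list), so it is a teaching aid rather than a complete anti-phishing filter.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist for illustration: the domains the brand named in a
# message actually uses. A real check would load this per merchant.
TRUSTED_DOMAINS: Set[str] = {"amazon.com", "amazon.co.uk"}


def link_hostname(url: str) -> Optional[str]:
    """Return the lowercase hostname a browser would really connect to.

    urlsplit() resolves the 'user@host' trick, so a link such as
    https://amazon.com@evil.example/ yields 'evil.example', not 'amazon.com'.
    """
    if "://" not in url:
        url = "https://" + url  # bare links like 'amazon.com/deal'
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed netloc, e.g. an unclosed IPv6 bracket
        return None
    return host.rstrip(".").lower() if host else None


def is_trusted_link(url: str, trusted: Set[str] = TRUSTED_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    Matching on a label boundary rejects 'amazon.com.evil.example' (trusted
    name used as a prefix) and 'notamazon.com' (name embedded without a dot).
    """
    host = link_hostname(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_encoding(host: str) -> bool:
    """Flag internationalised or punycode hosts, where look-alike letters
    (e.g. a Cyrillic 'a' in place of a Latin one) are easy to slip in."""
    return (not host.isascii()) or any(l.startswith("xn--") for l in host.split("."))


def preview_mismatch(link_text: str, href: str) -> bool:
    """Mimic the hover check: the visible text names one host, but the link
    goes somewhere else. Returns True when the reader should be wary."""
    text = link_text.strip()
    if " " in text or "." not in text:  # plain words like 'Click here'
        return False
    shown, actual = link_hostname(text), link_hostname(href)
    return shown is not None and actual is not None and shown != actual
```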
At the end of the day, a lot of the most effective cyber security defense comes down to just wearing a skeptical, questioning hat and verifying things before you trust them. If you follow these simple defense tips, you should have no problem saving big on the real hot deals around Black Friday / Cyber Monday without succumbing to any tricky cons.