It's a particularly risky time of the year as shoppers of all ages, including those with less experience recognising digital threats, flock to search engines and online channels to place orders. Opportunistic hackers know just how to create enticing, seasonally appropriate lures — and even some of the simplest scams can fool adept online shoppers.
At Fortinet, we analyse some of the most common cyber threats to prepare for during the holidays — along with a few unique outliers we're expecting to see this season.
Online holiday gift card scams
Gift cards are a common vector for cybercriminals and scammers, since stealing the money loaded onto them is like stealing cash: Once it's taken, there's virtually no way for a victim to get it back (unlike credit card transactions, which allow chargebacks).
Some will go as far as to manipulate gift cards sold in stores, scratching off the layer of protective coating to write down personal identification numbers (PINs), and then "replacing" the coating with a sticker so it looks brand new. Scammers will plug those PINs into software that sends an alert once someone has purchased and activated their gift card and then proceed to drain all its funds.
Cybercriminals may also attempt to scam via e-mail. If you've ever received a strange e-mail urging you to help a friend or family member with an emergency — and that e-mail led you down the path of providing a gift card as payment — that e-mail was most certainly a scam.
The best way to avoid becoming the target of gift card scams is to remain vigilant and follow these four best practices:
1) Set a strong password: For every online account, make sure you're not repeating the same password across any platforms. Use a password management app to keep track of different accounts. Don't forget to use random, non-duplicate user IDs as well if the site allows.
2) Monitor your accounts: Regularly update your login credentials and monitor your payment accounts for signs of unusual activity.
3) Inspect gift cards: If you purchase gift cards in stores, visually inspect them for signs of tampering before loading funds and stick with retailers who keep their gift cards secured behind a checkout counter.
4) Never make purchases via e-mail: Never agree to pay for online purchases in gift cards when prompted via e-mail. In these instances the item you're trying to purchase probably doesn't exist. Instead, stick with retailers you know and trust, and make sure the site's checkout system is secure. Credit cards are the best way to pay since most offer some level of fraud protection.
Videoconferencing phishing scams
For families that are unable to travel to be with one another this holiday season, celebrating virtually is the next best option. But it's important to be on the lookout for certain social interaction-based scams that continue to target those who are letting their guard down.
As we continue to rely on videoconferencing as a tool for social interaction, cybercriminals will continue to execute phishing campaigns that take advantage of these video-based platforms. These phishing attempts involve e-mail containing phony links that prompt the user to download a new version of their videoconferencing software. The link will direct them to a third-party website at which the user can download an installer. In some cases, the program does install the videoconferencing software — but it also loads a remote-access Trojan malware program on the host. This program gives scammers access to the user's sensitive data and information, which is either sold on the black market or leveraged for identity theft.
To avoid videoconferencing scams always follow cybersecurity best practices: Look at the sender's e-mail address before clicking on e-mailed links or downloading attachments, even if they appear to come from a trusted source. In most cases, phishing e-mail are sent from addresses that do not contain the organisation's legitimate web address.
Videoconferencing-themed phishing attempts are only the tip of the iceberg this holiday season. Unfortunately, other forms of phishing are still on the rise, including those that target your phone or mobile devices. The telephone version of phishing is sometimes referred to as "vishing" and text message scams on SMS are called "smishing".
A new method we are starting to see is scammers adding a QR code on popular products and making banners or marketing materials and leaving them at physical stores. If a victim sees a product they like, and a sign telling them they can get the product faster or at a discounted price, they are more than likely to scan the QR code. But this leads them to a scam website or attempts to download malware.
With the right digital safety precautions it's still possible to enjoy your favourite traditions safely. Thanks to digital platforms, we can connect with family and friends from the comfort and safety of our homes, and check off those gift lists without setting foot in crowded malls and shopping centres.
Educate employees, family members, and friends about what to avoid and keep devices updated with the latest security software. It just requires a new level of vigilance that, itself, can become the new normal.
Aamir Lakhani is a global security strategist and researcher at Fortinet