Holiday Background

Security Brief: Five Holiday Scams to Avoid and Safety Tips (Infographic)

Share with your network!

This year’s holiday season will unquestionably be different as our society continues to cope with the ongoing COVID-19 pandemic. We anticipate as many more consumers go online to purchase gifts and send packages to their loved ones; cybercriminals won’t be far behind. According to a recent National Retail Federation survey, the majority (60%) of consumers say they plan to purchase holiday items online this year.

Because cybercriminals always follow the money, we’ve outlined five scams you might encounter along with tips on how to stay safe this holiday season.

#1: Credit Card Credential Theft

As online shopping surges, it’s vital that you protect your credit card details from becoming compromised. First and foremost, avoid storing your payment details when purchasing items online. While it might reduce shopping convenience, it also reduces the chances that a threat actor can steal your details if the site is compromised. Next, activate real-time mobile alerts to receive a text message every time your credit card is used. These alerts will reduce the window between any credit card compromise and ongoing digital theft.

Finally, beware of possible phishing emails and inbound calls regarding your credit card transactions. Never engage in email communication with a financial institution and instead call your bank or credit card company directly. Below is one recent example of a threat actor using a fake credit card transaction phishing email, designed to entice a victim into clicking and ultimately giving up their username and password.

Blog_Holiday_1

#2: Shipping Notification Scams

Be cautious when it comes to email and text message shipping notifications. Threat actors use shipping lures year-round to try and steal user credentials, but this time of year consumers are even more at risk as more and more packages will be delivered. Below is a recent example in which a threat actor has spoofed a trusted brand and is attempting to spur the recipient into opening a fake login page, which asks for a user’s credentials.

Blog_Holiday_2

#3: Hot Holiday Deals

If something appears too good to be true, it probably is—and the same goes for hot holiday deals. Be on alert for phishing emails that promise savings and ask you to urgently act. Below is an example from a previous year, but you’ll see that threat actors are very savvy at spoofing trusted brands to trick busy consumers. When in doubt, visit a retailer’s website directly to investigate possible savings.

Blog_Holiday_3

#4: Holiday-related Mobile SMS Phishing Scams

Cybercriminals have continued to actively take advantage of our new digital reality with an onslaught of mobile/text-message (SMS) phishing (Smishing) attacks that claim to be from reputable companies. In fact, our telemetry reports indicate mobile phishing messages increased by 328% in Q3 2020 when compared to Q2 2020. Overall, the top impersonated brands in Q3 2020 included prominent financial institutions, technology companies, and major ecommerce brands.

In Q4 2020, we’ve seen a significant increase in payday loans and holiday related fake brand spam (below are some recent examples). Bottom line: Be wary of text messages you aren’t expecting that contain links.

Blog_Holiday_4

Figure 4: Payday loan smishing example

 

Blog_Holiday_5

Figure 5: Holiday-related spam example

Blog_Holiday_6

Figure 6: Credit remediation spam example

Blog_Holiday_7

Figure 7: Home buying spam example

 

#5: Safeguard Your Streaming Service

As more and more of us will likely be staying put for the holidays, we also caution consumers to watch for streaming service phishing attempts, which include the use of fake log-in pages. Below are just a few examples from earlier this year which demonstrate just how real these spoofed websites can appear. It’s important that you never act directly from any email communication and instead visit the provider directly to log-in and handle billing. And don’t be fooled by any “locks” that appear on the website (figure 10).

Blog_Holiday_8

Figure 8: Disney+ Credential Phishing Site

Blog_Holiday_9

Figure 9: Netflix Credential Phishing Site

Blog_Holiday_10

Figure 10: Netflix Credit Card Phishing Site

 

Recommendations

Following these tips will help keep you and your family safe from online threats this holiday season. To help drive these points home, we’ve also created the below infographic for easy reference with additional tips. If you are a security professional, please download our 2020 Holiday Security Awareness Kit for articles, awareness posters, and videos with additional tips: https://www.proofpoint.com/us/resources/awareness-materials/2020-holiday-security-awareness-training-kit

Blog_Holiday_Infographic