Holiday shopping mania seems to kick off earlier and earlier each year, with Black Friday and Cyber Monday previews and preseason deals popping up in inboxes and social feeds weeks in advance. And it doesn't just happen in the US, despite the fact that these shopping "holidays" are triggered by Thanksgiving. Aggressive sales by legitimate retailers on both sides of the pond present a golden opportunity for cybercriminals — an environment in which online shoppers are seeking (and expecting) better-than-average deals.
But it’s also helpful for online shoppers to see what phishing attacks, social media scams, and other tricks and traps look like in practice. It’s similar to the idea of “putting a face to a name”; visual cues can lead to a stronger connection and, in the case of security awareness, give users a better sense of how to put best practices into action.
Though the attacks you come across may be different in some ways, many con artists use common techniques to fool online shoppers into being careless with their personal information and their financial data. So keep these in mind as you navigate your inboxes and social feeds during the holiday shopping season—and beyond.
Unfortunately for large retailers like Amazon, their size and reach make their brands the perfect vehicles for social engineers. Because consumers frequently get emails from a company like Amazon, they can mistakenly assume that any email that looks like it’s from Amazon is legitimate.
Here is an example of an email that played on a customer’s fear that he had been locked out of his Amazon account. Judging by the structure of the email—and the fact that the From address is clearly not a legitimate Amazon address—the ultimate goal of this message was to steal this user’s account login credentials:
Following is an example of a widespread phishing attack that happened after an Amazon “Prime Day” shopping event. Instead of using fear, the social engineers made recipients an offer that many couldn’t refuse: free money.
That said, phishing isn’t just linked to big businesses. During the holidays and all year round, it’s important to carefully read and consider any email that asks you to click a link, download a file, or confirm login credentials or payment information. And offers that seem too good to be true often bring more than you bargained for—namely, stolen money or information.
Examples: Phony Shipping Notifications
Phishing emails that fraudulently represent home and commercial shipping services aren’t anything new—but they continue to be used by fraudsters because they continue to be successful. Phony shipping emails are perennial favorites for attackers, and they become more frequent during the holidays. We again see social engineers tapping into fear; after all, nobody wants there to be a problem with merchandise they’ve ordered or packages they’ve shipped.
Below is a phishing email that UPS shared on its website to help keep its customers informed of the kinds of fraudulent messages that are being reported by alert recipients. In addition to an invalid embedded link, the email address in the From field clearly shows that the message did not originate from UPS.com.
Source: UPS.com
But as the example shared by FedEx below shows, phishing emails target senders and recipients alike. In these types of attacks, the content is paired with a malicious attachment that infects the user’s device when downloade..
Source: FedEx.com
Examples: Fake Social Media Ads
Cybercriminals benefit from consumers’ misplaced trust in social media channels. In surveys we conducted for our User Risk Report, we found that many social users mistakenly believe that outlets like Facebook, Twitter, and Instagram approve business pages before they go live on the platform. Unfortunately, many fraudsters get away with creating lookalike accounts and ads that fool users into making risky decisions.
We didn’t need to look any further than one of our own employee’s Facebook feed to find examples of scammers who are exploiting known brand names to trick users. In the first example, the ad seems to be affiliated with Amazon and promises NHL fan gear at incredible prices. However, on closer examination, the link shown at the bottom of the ad is not an Amazon link, nor is it the “official” NHL shop (a visit to NHL.com and a click on that page’s “Shop” tab confirms that the legitimate link is shop.nhl.com). Given these clues, it’s clear that making a purchase through this site is risky at best and downright dangerous at worst.
Following is another example of a common social media ploy: free money. Whether it comes in the form of a promised gift card or a voucher (like what we see below), users are tempted to roll the dice and take a chance. The problem is that they don’t realize how big of a chance they are taking.
In this version, which was shared by multiple people, the website listed at the bottom of the ad is again a telling clue. The graphic makes abundant use of the Macy’s logo and, at first glance, the weblink appears to confirm that affiliation. However, a closer look shows that the link doesn’t go to Macys.com; instead, it goes to a site called Thanksgiving-90off—which is unlikely to offer anything other than trouble to trusting consumers.
Stay Cyber Safe and Keep Your Holidays Jolly
As you can see from the holiday shopping safety tips we've shared, good decision-making is key to keeping your personal and financial information secure when shopping online. Don’t prioritize deals over your data and stay alert to holiday shopping scams. Be sure that the emails and ads you engage with this holiday season are on the nice list — and report those that are on the naughty list.