With the U.S. economy much improved, this year’s Christmas season is expected to be one of the best in years, and with the advance of digital technology, smartphones will be a key buying method for many consumers.
Put those elements together and you have the latest “off the press” scam – the use of phony text messages and WhatsApp messages to spread malware, ransomware, and general misery. According to one study, one in every 25 apps supposedly issued by retailers especially for Black Friday was fraudulent – researchers found no fewer than 32,000 phony apps — delivering not news of a special “secret sale” but malware that could steal your credit card information, lock up your device in a ransomware scam, or unleash a malware agent on a corporate server if your device connects to the company’s network.
Cybercriminals are set to make up to $1 billion this year using an array of phony deals and online scams, according to the BI; a report from ACI Worldwide, meanwhile, predicts that online fraud attempts will rise 43 percent during this year’s holiday season.
Here are some of the most common scams that can trick even the smartest of us at this time of year:
1. The online secret shopper: The old “secret shopper” scam is back this year with a new online variation. As a secret shopper, victims are supplied with gift cards they can use to go shopping “on assignment,” evaluating a site’s customer service, delivery, and the like. As a reward, you get to keep the items you order, and/or actually get paid for your work.
Of course, if there is such a thing as an “online secret shopper,” you can bet companies are not recruiting shoppers via random email or Twitter messages. To participate you have to hand over personal details, including bank account info, in order to allow for the transfer of your “salary.” Needless to say, once you’ve handed that information over, the scammers cut off communication and use your details to apply for loans or credit cards – or sell it to other scammers who do that.
What to do: Unless you work for an organization that runs such programs on a regular basis, or for the web site in question, just ignore any secret shopper missives.
2. Amazon/iTunes/Wal-Mart/Costco gift cards: Microsoft’s Bill Gates once gave away thousands of dollars to random email addresses, but in these tough economic times, scammers have downgraded to just a gift card, worth maybe $100. Times are tough enough, however, that even that paltry sum is enough to get the juices flowing among many victims as they click on the offered link in order to apply. Part of the genius of this scam is that the user may actually believe they have a gift card coming, because they are such good customers of Amazon/Apple etc.
Once you click on a link, you’ll likely be taken to what appears to be an empty web site – except it isn’t empty. The site will have already connected with your device long enough to dump a piece of malware on it that will eventually open up a communication channel with a remote command and control server. The hackers behind this site can then scan your device for useful information, credit card numbers, or other valuable data.
What to do: Although it’s tempting to believe you are a “special” customer being rewarded for your loyalty, the chances of any of these companies offering a reward in this manner are minimal. If Amazon wants to give its customers a bonus, it has many other ways to do it.
3. Fake charities: After spending hundreds, if not thousands of dollars on gifts, meals, theater tickets, and the other appurtenances of the holiday season, it would take a particularly stone-hearted individual to resist giving to those in need — especially if the organization asking for the money rings a bell, with a name sounding like one that advertises on TV. Who, for example, wouldn’t want to help kids suffering from terminal cancer to visit Disney World or the Super Bowl? That’s what the Make-A-Wish Foundation does. But there are many other charities with very similar names yet different motives. Instead of Make-A-Wish, a phony charity email scam would feature an appeal for the Children’s National Wish Foundation, with a link for donors to click on. Once clicked, the link may distribute malware and/or collect personal or credit card information.
What to do: It takes a tough bird to resist heart-wrenching pleas for help, so for donors who are motivated to pony up, the best move is to avoid clicking on a link altogether and move your surfing to the site of the charity in question. By typing the verified address into a browser’s address bar, you’ll know you’re getting to the right site.
4. “Classic” Phishing/Spear-phishing: Black Friday/Cyber Monday online sales exceeded $12 billion last year, and eight e-commerce sites were responsible for nearly 60 percent of those sales, so the chances are pretty good that anyone who bought something online made purchases at Amazon, Wal-Mart, Target, Macy’s, and the others that topped e-commerce sales lists.
That concentration is good news for hackers running a spear-phishing campaign. All they have to do is flood email boxes with messages telling customers there is a problem with their order at one of these sites and that they need to log in and provide credit card data, shipping information, etc. If you didn’t shop at Macys.com, you probably wouldn’t click on a link or open an attachment in an email. But if you get one from Target.com, a site you did shop at, chances are much greater you will click — and submit your information, as requested.
What to do: If there really is a problem with your purchase, the message should include some information about the order in question (order number, item purchased, amount paid, etc.) instead of “you must click on this link and submit information in order to resolve this.” If the message does not contain that personalized information, be assured it’s part of a spear-phishing scam. Send it to the trash, where it belongs.
5. Holiday screensavers: A relatively new – and very successful – scam is the holiday screensaver scam. Hackers have developed malware, disguised as mobile apps or computer screensavers, that can be used to steal data, invade a device, or recruit it into a botnet that sends spam or attacks other devices.
Again, blame it on the holiday spirit. Rife with good cheer, who could resist a cute screensaver that shows Norman Rockwell holiday-themed images? Like many of these scams, hackers here rely on email, providing links or attachments that for all the world look authentic but actually transmit malware to computers or devices.
What to do: iPhone users, of course, can trust the fact that anything they download from the App Store has been vetted; not so for Android users, who should do an exhaustive online search for information about any app they install. Ditto for desktop computers. Bottom line: Don’t touch anything — an attachment, a screensaver sent by message or mail, an app, or a link — that hasn’t been vetted.
Most of these attacks originate in an email sent to a victim, putting not only the victim at risk but also their place of employment, since so many people access their personal accounts at work – which makes vigilance and proper defense all the more important.
All these scams are based on taking unfair advantage of victims who are trying to make the most of the holiday period. It’s unfair and unjust, but with a little extra caution, you can keep yourself — and your company — safe from attack.
Itay Glick is CEO and cofounder of Votiro.