Cybersecurity reports paint a dreadful end-of-the-year picture for 2020: one filled with some typical holiday cybercrime traditions — phishing and digital scams — that threaten payment mechanisms. Except this year, holiday fraud has been magnified by a global pandemic.
Last year, Americans spent about $730 billion on holiday purchases, according to the National Retail Federation. Online and other remote sales amounted to over $167 billion, or about 23% of the total retail sales. This year, social distancing and home quarantines created a new digital shopping dynamic. Digital Commerce 360 estimated the pandemic will lead to an additional $40 billion in online holiday revenue in 2020. And for the first time ever, more than a quarter of holiday sales will occur online.
Unfortunately, cybercriminals anticipate the surge in digital shopping and aim to take advantage of it.
Here are Five Scams on This Year’s Holiday List to Avoid
1. Fake retail deals.
To exploit shortages, scammers set up bogus web merchants or online auction sellers offering in-demand products. After collecting payment, the scammers shut down their “stores” and disappear. Follow-up phishing scams use stolen card information to charge more products and services and/or sell the information to identity thieves. Criminals also steal source code from retail brands’ e-commerce sites to create sham brand sites, to which they add credential-harvesting forms or malware download links. According to cryptocurrency security firm Gemini, transactions at several Chinese sham merchants not only stole customer data but provided the dark web market with almost 63,000 card-not-present (CNP) records. For more on CNP fraud trends, read the Beating BIN Attacks report.
2. Charity rip-offs.
Scammers pose as representatives of charitable organizations supporting well-known causes, problems closer to home, or help for victims of COVID-19 or the California wildfires. Whether approached by email, telephone or in person, consumers must protect themselves from high-pressure pitches. Above all, never contribute cash, supply credit card information via email or phone, or write checks payable to an individual solicitor.
3. Holiday e-card scams.
Cybercriminals send holiday e-cards aimed at enticing unsuspecting targets to click a link. Individuals may also receive emails from unnamed relatives, neighbors, or friends with a clickable e-card. However, clicking on that link may unleash anything from spyware and pop-up ads to viruses, Trojans that steal personally identifiable information and card credentials, or other malware.
4. Spoofed websites and bogus advertisements.
Fraudsters tempt consumers to click ads on major social media sites, or links from an email or SMS, which claim limited-time offers or large discounts from seemingly legitimate sites. Before clicking on any ad — whether on a smartphone, desktop or laptop — consumers should verify the source is not a spoofed website. Double-check the URL to make sure it is spelled correctly and begins with “https,” and look for the small lock icon confirming it is a secure site. Do not provide credit card numbers, bank account numbers or other financial information directly to sellers that are not validated. Recent holiday-time phishing scams launched from emails or SMS messages also pretend to confirm online orders, with bogus links to more information.
5. Snoopers and eavesdroppers.
When shopping online from a phone, make sure not to leave any personal information easily visible from someone else’s (or a hidden camera’s) line of sight. Try to complete purchases in secure areas, such as a car, rather than an open coffee shop. Obscure the credit card number with a hand or use a mobile wallet. Beware of skimmers, which cybercriminals can quickly install on USB charging stations, ATMs, and point-of-sale devices, including self-serve gas pumps. Skimmers can copy data and other files, load malware or ransomware, and capture card information. E-skimming lets criminals break into third-party software providers to inject malicious code designed to steal customer payment data from thousands of websites instantaneously.