UpGuard Blog

Grinches Out in Full Force Scamming Online Holiday Shoppers

Written by UpGuard | Jan 3, 2017 9:23:56 PM

Retailers aren’t the only ones benefiting from increased sales around the holidays — scammers and hackers are seeing their own bump in business.

Holiday shopping is crucial to the bottom lines of retailers, and more than ever consumers are choosing to browse for and spend their money on gifts online rather than in stores. While identity thieves have no shortage of targets among brick-and-mortar holiday purchases, the migration of shopping to the Internet has created a new frontier for scams and fraud.

Operating beyond the reach of any victims—often even from foreign countries—scammers are deploying a host of yuletide cons to steal financial and personal data.

Just ask the many recipients of a helpful email apparently sent from Amazon.com over the past few weeks, alerting people that their holiday package could not be successfully delivered. Similar emails have been circulating purporting to be from shipping services like FedEx and DHL, or from the popular online payment processor PayPal, to the tune of millions of such messages. So, what’s going on here? Could millions of your relatives’ treasured gifts be going undelivered?

Some of these emails look convincing enough, but they were, of course, phishing scams. These scams involve victims willingly providing their personal information to crooks posing as a trusted source—in this case, the number one name in Internet shopping, or a major delivery company.

In the Amazon case, once consumers clicked through to the spoof site set up by the bad guys, they were prompted to enter their information and then redirected back to the real Amazon site, perhaps never even knowing they’d been hacked. These delivery emails are merely the crest of a wave of spam that the cybersecurity analysts of IBM X-Force have been tracking over the past months, beginning with a deluge of emails around Thanksgiving alerting recipients to Black Friday and Cyber Monday deals, some including a link to redeem a free gift card.


In fact, the FBI recently issued a warning to be aware of cyber criminals this holiday season and be wary of deals that appear too good to be true, offers of gift cards or other incentives to purchase a product, or quick money making schemes.

A phishing scam such as the one involving Amazon is hardly a reinvention of the wheel, but why abandon a formula that still works against many victims? By throwing millions of such emails into the wind, scammers widely disperse their efforts in the hope of snaring some percentage of recipients.

While some emails spoof legitimate sites to trick customers, others take the approach of carrying malware attachments. Most ominous among this class is the presence of ransomware, detected in at least some of these emails over the past months, including the MarsJoke program. This scam targeted schools this past September, seizing control of systems and threatening data erasure unless a bitcoin ransom was paid, and was packaged inside emails using the pretext of an undeliverable package.

Ransomware is a growing threat. According to cybersecurity firm Proofpoint, the number of ransomware program families in use has increased ten times since the 2015 holiday season. With the burgeoning threat of freelance ransomware hackers, selling their talents to any interested customers for what amounts to a pittance, this is a tactic that will persist beyond this holiday season, and which can only be combated with top-to-bottom cyber resiliency: the practices of cybersecurity necessary to function as safely as possible in the internet of 2016.

The pure inventiveness of hackers remains a constant each holiday season; no matter how high the wall is built each year, it seems like at least a few figure out how to build a higher ladder. And while intelligent cybersecurity practices can sharply reduce the risks of data breaches or theft occurring, hackers have also determined how to combine a cyber angle with tried-and-true methods of fraud for a freshly effective attack. Return fraud is a classic staple of organized shoplifting; simply walk out of the store with a big ticket item, forge a receipt or story, and walk back in to return the item and receive the cost of the item. The fastest-growing variant of this scam employs the use of counterfeit e-receipts for online purchases, supposedly being returned in-store after the scammer had it delivered at home; in 2015, this accounted for 31% of such cons, a percentage that is only likely to skyrocket this holiday season.

Many of these holiday scams take one of a few basic tacks (emails promising sharply discounted or hotly sought-after gifts, or emails soliciting charitable giving), but both merely repackage phishing or malware in a new approach. It is testament to the heartlessness of cyber criminals that the holiday season merely offers new ways to exploit the general public. It seems comically evil to send out emails soliciting credit card information so that the recipient’s child can receive a personalized “Letter from Santa,” but then, it worked in 2014. If nothing is beneath such online fraudsters, then the good news is that some sensible precautions can foil most of their cons.

Fortunately, with proper education, casual Internet browsers can detect many of the most egregious of these phishing scams. If an email appears questionable, it’s best to visit the website in question directly and avoid clicking on any links in the email. Resist any cries of “urgency,” or demands that you must enter your personal information—companies like Amazon will never ask via email for banking information, such as a credit card number and CVV code.

Even with the best education, however, phishing scams depend to at least some degree upon social engineering. The victim believes they are transmitting sensitive data for a good reason to an authoritative recipient. Given the sophistication of many phishing scams, it may be impossible for an email user to conclude with absolute certainty whether a suspect email is fraudulent or not. The best solution rests upon the use of free and easy-to-install email authentication protocols such as SPF, DKIM, and DMARC to detect irregularities in phishing emails and prevent them from being seen at all.
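To show how SPF, DKIM and DMARC together catch a spoofed "Amazon" delivery notice, here is an added example (not UpGuard's code) that evaluates the Authentication-Results header a receiving mail server writes after its SPF and DKIM checks and derives the DMARC verdict. It assumes constructed sample messages and, so that it runs offline, that the sender domain's DMARC policy (p=) is echoed in that header rather than looked up in DNS.

```python
import re
from email import message_from_string

# Constructed samples (not from the article): a spoofed "delivery failure" notice and a genuine
# shipping notice, each with the Authentication-Results header a receiving mail server adds.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bulk.example.org; dkim=none;
 dmarc=fail (p=REJECT) header.from=amazon.com
From: "Amazon.com" <shipping-update@amazon.com>
"""
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces.amazon.com; dkim=pass header.d=amazon.com;
 dmarc=pass (p=REJECT) header.from=amazon.com
From: "Amazon.com" <ship-confirm@amazon.com>
"""

RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[\w.-]+@)?([\w.-]+)")
DKIM_D_RE = re.compile(r"header\.d=([\w.-]+)")
POLICY_RE = re.compile(r"\bp=(\w+)")  # assumption: the DMARC policy is echoed in the header comment

def org_domain(domain):
    """Crude organizational domain: the last two labels (fine for .com, wrong for co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed DMARC identifier alignment: same organizational domain as the header From."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def evaluate(raw_message):
    """Return (spf_aligned_pass, dkim_aligned_pass, action) for one raw message."""
    msg = message_from_string(raw_message)
    ar = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(RESULT_RE.findall(ar))
    from_domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    mailfrom = MAILFROM_RE.search(ar)
    dkim_d = DKIM_D_RE.search(ar)
    # DMARC passes only if SPF or DKIM passes AND that identifier aligns with the visible
    # From domain, which a spoofed From address cannot satisfy.
    spf_ok = results.get("spf") == "pass" and aligned(mailfrom.group(1) if mailfrom else "", from_domain)
    dkim_ok = results.get("dkim") == "pass" and aligned(dkim_d.group(1) if dkim_d else "", from_domain)
    if spf_ok or dkim_ok:
        return spf_ok, dkim_ok, "deliver"
    found = POLICY_RE.search(ar)
    policy = found.group(1).lower() if found else "none"
    # p=none is monitor-only: the message is still delivered but reported to the domain owner.
    return spf_ok, dkim_ok, {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver-and-report")
```

Note that SPF alone is not enough: the third case in the test passes SPF for the spammer's own bounce domain, but because that domain does not align with the forged From address, DMARC still fails.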

As with phishing, stopping return fraud in retail outlets depends on knowledge; by combining best practices and education, this trend can be arrested. Where simply knowing what a valid e-receipt looks like won’t help, basic verification procedures can reduce the costs inflicted upon commercial enterprises and tax authorities. Trustworthy watchdogs like the Consumer Financial Protection Bureau, the AARP, and the Better Business Bureau can further inform you of prevalent trends in fraud, especially if you are confronted with a questionable situation yourself. There are a lot of Grinches and Scrooges out there, but employing some basic cybersecurity measures can help ensure a happy holiday free of humbug.