The holiday season is here, and now is when we take time off, travel, gather with friends and family, and reflect and relax. However, as with all things cyber-related, it is also the time for criminals to lean on the most reliable weak link in any cyber-defense chain: the people.
It has often been said that the best way to secure a network is to remove it from the Internet and remove the users. With that in mind, there is a predictable increase in cyber-attacks and scams throughout the holidays and into the new year. According to the FBI Internet Crime Complaint Center (IC3), the most common scams in 2022 involve social media, online shopping, charity, gift cards, and smartphone apps. The remedies to these scams remain constant even though the attacks may take different forms.
It is now common for sophisticated scams to leverage the data gathered from social media; this is the key to online fraud success. Criminals will harvest your shopping and buying habits, interests, and preferred sites. With little effort, this information can be obtained from any number of legitimate marketing sites, or otherwise. With this information, criminals can establish profiles or classes of online shoppers, then develop marketing campaigns directed toward these types of shoppers. This is similar to legitimate marketing efforts. The difference is that criminals use this information, combined with a call for immediate action, to defraud the shoppers. The scenario is generally based on a shopper profile that is used to highlight an interest. This is translated into an email that lists a hard-to-find item now available at a discount for a limited time only. Because the site looks like the real one, many will fall for this and enter their credit card data to purchase something that will never be delivered or is a poor-quality fake.
Of course, the credit card data entered is used to apply for additional cards, request a new card, etc. These scams also include fake shipping notices. These begin with an email and an attachment letting you know a package is on its way, for a package you did not order. There is a good chance the attachment contains malware, or it is a bill for the shipping cost.
Another scam is requesting non-credit card payments. This begins with an advertisement for a really good deal on this year's most popular gift. But taking advantage of this once-in-a-lifetime offer requires payment by something other than a credit card. With prepaid debit cards, gift cards and wire transfers, once the transaction is completed, the money is gone. Unlike with credit cards, you have no recourse. Not using a credit card puts you at risk, and a site requiring these other payment methods is a sign that it is not legitimate.
Charity scams are not specific to the holiday season; these also pop up during natural disasters and other unfortunate events. As described, criminals can classify a person based on social media and target different people with a message for each class. This is not an exact science, and they will get some things wrong; the focus is on the quantity rather than the quality of the message. When the broadcast goes out to millions, even a return of less than a percent is pretty good. Here the plea is to help save someone by sending money. The criminal will then take the money, or set up a charity that collects and spends most of the money on fees, salaries, and overhead.
Gift cards are another great scam. Often criminals will steal credit cards and run up the bill by buying stuff, including gift cards; they will sell a $100 gift card for $75 to $80, something less than face value. Another scam is offering free gift cards if you register at a fake website; here, you will enter your personal information for a gift card that is worthless. Or they will make and sell a gift card, again with no value. The AARP 2022 Holiday Shopping and Scams Survey reported that 26 percent of the survey participants received a gift card with no value, meaning someone along the gift chain most likely bought a gift card for less than face value, thinking they were getting a great deal.
Another fraud strategy is smartphone apps. During the season, thousands of websites are created, and apps are developed, for the sole purpose of defrauding people. Again, the strategy is the same: here are hard-to-find items, and there is an immediate call to action. The goal is to harvest your personal information to be used against you, deliver cheap knock-off goods, or collect money from one of the gift cards you used and deliver nothing.
One of the simple things you can do is check the email address and verify it is coming from a legitimate domain. Usually, there is something off in the email text; if the words are misspelled, the English syntax is wrong, or the images are unclear, it is most likely fake. If they ask for login information or passwords, it is absolutely fake. Use your credit card; legitimate credit card banks will work with you in combating fraud. There is no good reason why a company will require alternative means of payment. The world of charities is truly where the donor must be aware: look up the charity and validate it before you send your money.
The best advice remains: "If it is too good to be true, then it is not."
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.