Every year I dedicate a column to the scams of the holiday season, and every year the roundup gets bounced around the internet — all too often among friends who’ve been scammed. (For a rundown of what’s out there, check out last year’s post.)
So what’s new this year? Unfortunately, not very much.
There’s the latest holiday phishing scam, I guess. But really? It’s about as surprising as the President-elect’s reaction to Alec Baldwin’s impersonation of him on Saturday Night Live.
An email arrives telling you that there’s been a shipping problem with a gift item that you ordered online. In this particular ploy, there’s a link embedded in the email message that takes you to a bogus site that looks exactly like a real one that many people use for their holiday shopping. It doesn’t particularly matter which site. What matters is that the link leads to a page that doesn’t just look like the site. It is a perfect replica.
Sounds like every other phishing scam, right? Well, that’s the point of this year’s holiday scams column, folks. So, why are we still falling for these things?
It’s simple. Most people still don’t consider phishing scams to be a part of everyday life because most people have busy lives. If you live in an area where mosquitoes spread the Zika virus, you’re hyper-aware of when they’re around. We all live in a phishing hole, yet we’re not constantly on guard against the various kinds of bait scammers throw out there, even though the damage caused by ransomware and other kinds of malware can be very serious.
It doesn’t matter how many times I say this. Most people don’t think scams are as ubiquitous as they are, and as a result, they tend to forget about them while they are going about their daily business. If only they kept malware and the constantly evolving delivery systems that bring it into our homes and offices top of mind, scam artists would quickly have to come up with a new game.
So let’s go back to this latest holiday phishing scam. How can it be avoided? You just have to look at the web address. But not the way your kids look at you when you ask them to do something. I mean, REALLY look at it. The only thing that’s different about this new scam site is the URL. A page can be copied pixel for pixel; the domain name cannot. So check where the link actually goes (hover over it rather than trusting the words you see in the email), and read the domain name itself, not the familiar brand name stuffed in front of it or tacked on after it.
There is a reason people never remember this. Scammers are smart, creative and persistent.
Social Engineering
Social engineering has nothing to do with any sort of “brave new world” scenario. It describes the attacker’s craft of psychological manipulation: getting you to click, pay or share by exploiting trust, fear or curiosity rather than by breaking any technology.
The hacker’s exploits all work on emotion. In some cases, they will have gone on social media and figured out who you’re friends with. The next step is to send an email — either using your friend’s hijacked account, or just their name. You’ve seen these emails before. Your friend is on holiday and lost their wallet, or asks if everything is all right between you and your partner because they saw a picture (click the link and tell me, that IS your husband, right?). Maybe someone from college found a hilarious picture of you. The gambits are clever, playing on various emotions — fear, jealousy, curiosity.
The URL of a bogus site is something you might not notice this time of year because you are completely freaked out that a package is not going to arrive on time and someone’s holiday will be ruined. While you are still rattled, you are provided with a link and instructed to enter your name, address and credit card information. When you do that and hit submit, the page redirects you to the real site, so nothing looks amiss, and the scammer has all the ammunition necessary to go on a shopping spree.
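As an added example (not part of the original column), here is a small Python script that performs the “REALLY look at the URL” check described above on the link behind a shipping-problem email. The expected domain and the sample links are made up for illustration, and the two-label suffix set is a stand-in for the Public Suffix List, which real code should use. It flags the tricks that make a replica’s address look right: the genuine brand name stuffed into a subdomain, a look-alike spelling, a `user@` prefix that hides the true host, a plain-http link and punycode labels.

```python
from urllib.parse import urlsplit

# Assumption: the shop the email claims to be from. Hypothetical domain.
EXPECTED_DOMAIN = "example-shop.com"

# Simplified stand-in for the Public Suffix List: suffixes that take two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Substitutions scammers use to build look-alike names (look-alike -> genuine).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample hrefs, as they might sit behind a "Track your package" button.
SAMPLE_LINKS = [
    "https://www.example-shop.com/orders/12345",
    "https://example-shop.com.delivery-status.example/login",
    "https://exarnple-shop.com/orders",
    "https://www.example-shop.com@evil.example/orders",
    "http://www.example-shop.com.",
    "https://xn--exmple-shp-w6a8b.com/account",
]


def registrable_domain(host: str) -> str:
    """Return the part of a hostname someone actually registers:
    'orders.example-shop.com' -> 'example-shop.com'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Collapse common confusable substitutions so 'exarnple-sh0p.com'
    and 'example-shop.com' compare equal."""
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Return the reasons to distrust a link; an empty list means the link
    really points at the expected domain over https."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")
    # hostname drops userinfo and port; trailing dot and case are irrelevant.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        reasons.append("no host in link")
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) label; check for homoglyphs")
    domain = registrable_domain(host)
    if domain == expected:
        return reasons
    if (expected + ".") in host:
        reasons.append(f"'{expected}' appears only as a subdomain of {domain}")
    elif skeleton(domain) == skeleton(expected):
        reasons.append(f"look-alike domain {domain} (confusable characters)")
    else:
        reasons.append(f"registered domain is {domain}, not {expected}")
    return reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        problems = check_link(link)
        print(("OK      " if not problems else "SUSPECT ") + link)
        for problem in problems:
            print("    - " + problem)
```

The important design choice is that the comparison is made on the registrable domain, not on whether the familiar name appears anywhere in the address: `example-shop.com.delivery-status.example` contains the brand name and is still a site the scammer controls.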
Reverse Engineering
The solution here is simple. Social engineering works because people don’t know they’re being targeted.
The first order of business is to remember you live in the phishing hole. You need to get into the mindset that you’re always one click away from getting got. As I write in my book, SWIPED: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, there are some very good tactics for avoiding scams, like going directly to websites in lieu of clicking URLs in emails, calling companies (at a number you already have, not one supplied in the message) to verify they’re trying to contact you, and refraining from over-sharing on social media.
If you believe you’ve been the victim of a scam, don’t brush it off. Monitor your credit report for signs of identity theft — mysterious addresses, unknown accounts opened up in your name. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing two of your free credit scores every 14 days on Credit.com.) Report any fraud to your local authorities and the Federal Trade Commission.
Also, help others avoid scams. Talk about the threats out there with your friends and family (even strangers on a bus) because public awareness is the only inoculation against the viruses and malware that are spread through phishing email.