The holiday season is one of the busiest times of the year for scammers and hackers.
Shoppers and philanthropists are both easier targets during the busy holiday season. The Covid-19 pandemic has meant increased virtual visits with loved ones, and of course remote work. The number of people willing to use their personal devices for holiday shopping has also increased as a result of the pandemic.
It’s a good idea to prepare for cybercrime, and whenever possible avoid becoming a victim of it.
Additionally, the political season gave rise to phishing campaigns, a phenomenon that is likely to continue through the end of the year.
Individuals, businesses and organizations alike need to tread carefully. Ransomware attacks have continued to climb, by over 700% in 2020 compared to 2019 according to some estimates, with phishing emails being the primary vector. A personal device that has been compromised by a careless click on a phishing email or a download from a phony e-commerce site is capable of spreading ransomware across a business’s network, sometimes within seconds.
Even discounting the significant increase in remote work during the Covid-19 pandemic, many employees opt to work remotely over the holidays to avoid using vacation days or falling behind on communication. This presents a set of challenges for IT professionals, with 36.6% of those surveyed listing poorly secured personal and network devices as their primary concern with a remote workforce.
None of this is to suggest that falling prey to holiday cybercrime is unavoidable or that the potential damage can’t be mitigated, but it is important to educate yourself, friends and family to safeguard the holiday season.
Protecting Against Malware and Scams While Shopping Online During the Holiday Season
Even before Covid, online shopping was expected to continue its increase in 2020, but with more customers avoiding the typical Black Friday crowds, this holiday season is set to break online sales records.
A recent survey, commissioned by Cyberscout and conducted online by The Harris Poll among over 2,000 U.S. adults, found that 84 percent of consumers plan to shop online for the holidays this year, with 23 percent of them reporting that they are likely to shop through a social media platform.
“An enormous number of people are footloose and fancy free when it comes to their interactions with retailers over the holiday season,” says Cyberscout founder and chairman Adam Levin.
Follow these tips to keep your online holiday shopping secure:
Avoid clicking on links in marketing emails and social media posts.
Many online retailers depend heavily on outreach and advertising via email and social media networks to bolster their sales through the holiday season. Unfortunately, it’s also extremely easy for scammers to create convincing-looking phishing emails and ads to redirect their targets to pixel-perfect replicas of familiar e-commerce sites, or to download malicious files to their computers.
“Keep in mind that links in emails, social media posts and text messages are often how cybercriminals try to steal your information or infect your devices,” says Levin.
If you get an email or see an ad from an online store that you’ve visited in the past, go to the site directly rather than clicking a link in the promotional email. If you don’t recognize the sender of an email, don’t open it.
Don’t shop at unfamiliar sites offering unrealistically low prices.
While some holiday sales offer steep discounts, online shoppers should be on high alert for phony e-commerce sites selling popular items at unrealistically cheap prices. Cyberscout’s recent survey found that roughly one third, or 32 percent, of online holiday shoppers are likely to purchase through new or unfamiliar retailers/small businesses when buying gifts online this holiday season, and another 14 percent state they are likely to buy from a seller in a foreign country.
Scammers have taken advantage of this potentially risky behavior on the part of buyers looking for a bargain. In one common scheme, consumers are served an ad promoting extreme discounts on popular items. The ads link to phony stores, typically hosted on content management systems such as Shopify, Wix, or Squarespace, platforms that make it relatively easy to build convincing e-commerce sites.
“The majority of ads are automatically approved and run until they are detected or flagged by multiple members of the Facebook (or Instagram) community,” said tech CEO Larissa Lowthorp in an interview with Forbes. “Shopify offers a quick and easy way for legitimate vendors and scammers alike to create beautiful, sophisticated online shopping platforms in a relatively short period of time.”
“Amazing prices on things that should cost a lot more than they are asking on a fake online shop is alluring, which is why people fall for them all the time,” says Levin. “Look at the About Us page and call the designated contact number. If there is no number, think twice before making a purchase. Also pay attention to detail. Are there spelling errors in the copy? Bad-looking stock photos? Look for trouble.”
Once a scammer has their victim’s payment and personal information, they can charge them for products that never arrive, ask a visitor to set up an account and use the login and password for credential stuffing attacks, or send a malware-laden file as a “receipt.”
Beware of fake or misleading shopping apps.
As mobile devices have become more ubiquitous, retailers and customers alike have come to rely on apps rather than websites for holiday and day-to-day shopping. While this may offer greater convenience for customers and better insights for businesses into their behavior, it also opens the door for hackers and scammers to compromise devices with malware, exfiltrate data, and make unauthorized or misleading charges.
“Watch out for clone apps that may look like they are from your favorite retailer, but are really infected with malware and designed to steal your personal and financial data,” says Levin. “Avoid third party apps, read reviews, and download apps from the official app store.”
How to Be Cybersecure in Virtual Family Gatherings
The 2020 holiday season is coinciding with a major spike in Covid-19 cases and fatalities, and many families are opting to avoid travel and the risk of exposing elderly and/or vulnerable relatives. Hosting gatherings on video conferencing platforms such as Zoom or Google Meet may help to keep families physically safer, but it can introduce a number of cybersecurity and privacy-related threats.
The rash of Zoombombing and related hacking incidents in the early weeks and months of the Covid-19 pandemic taught many remote workers and students the hard way about the importance of securing online meetings. It’s important to make sure friends and family, especially the less cyber-savvy ones, are also aware of the potential risks involved.
Follow these best practices to keep your family gatherings secure and private:
Don’t publicly post your meeting URLs and keep your gatherings invite-only.
Facebook can make it easy to keep in touch, but can be difficult to keep communications private. Posting a public link to a private meeting on social media can open the virtual door to uninvited guests. Send the meeting link directly to guests and be sure that your meeting is set to be invitation-only.
Be careful with emails containing invitations.
As platforms like Zoom exploded in popularity earlier this year, so too did phishing scams disguised as meeting invitations appearing to originate from known associates and email addresses. The goal was usually tricking a target into providing login credentials in the hope the same information was used on other accounts owned by that person.
To avoid trouble, you might want to call or text to verify the authenticity of an invitation before clicking on links sent via email, and be sure to double-check the URL. Many meeting-related phishing scams use typosquatting, where hackers register similar versions of domain names to fool their targets, such as zooom.us or goooglemeet.co. If possible, go directly to the URL listed in an email rather than clicking on inline links.
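The URL double-check described above can be automated. The following is an added example, not part of the original article: it sorts an invitation link into trusted, lookalike or unknown by comparing the hostname against a short allowlist. The allowlist, the brand strings and the one-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the meeting domains the family really uses,
# and the brand strings a lookalike domain would imitate.
TRUSTED_DOMAINS = ("zoom.us", "meet.google.com")
BRANDS = ("zoom", "google", "googlemeet")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squash(label: str) -> str:
    """Drop hyphens and collapse repeated letters, so 'zooom' matches 'zoom'."""
    out = []
    for ch in label:
        if ch != "-" and (not out or out[-1] != ch):
            out.append(ch)
    return "".join(out)


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for an invitation link."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Trusted only if the host is an allowlisted domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # Otherwise, any label that equals or nearly equals a brand name is suspect.
    for label in host.split("."):
        for brand in BRANDS:
            if squash(label) == squash(brand) or edit_distance(label, brand) <= 1:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; the two lookalike hosts are the ones named in the text.
    for link in ("https://us02web.zoom.us/j/123", "https://zooom.us/j/123",
                 "https://goooglemeet.co/abc", "https://example.org/party"):
        print(f"{classify(link):10} {link}")
```

A "lookalike" result means the link should be verified with the sender by phone or text before it is opened; "unknown" only means the host resembles none of the listed brands, not that it is safe.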
Use end-to-end encryption
Although holiday conversations with friends and family are unlikely to divulge data with the same level of sensitivity as an internal boardroom meeting, no one wants their communications intercepted by hackers or catalogued by video conferencing providers. Fortunately, there is a security setting that some platforms offer that provides greater privacy.
End-to-end encryption, or E2EE, is a security feature that prevents third parties from being able to access content or communications, similar to how SSL connections help protect payment data during e-commerce transactions. While meeting platforms such as Google Meet offer a limited form of encryption, Zoom has just released it as a feature to both free and paying customers.
*This survey was conducted online within the United States by The Harris Poll on behalf of Cyberscout from November 10-12, 2020 among 2,050 U.S. adults ages 18 and older, among whom 1,745 plan to shop online for the holidays this year. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables and subgroup sample sizes, please contact email@example.com.