Digital Safety in the New Normal: Holiday Edition
This holiday season, due to the ongoing global pandemic, checking off that gift list will look a little different than in past years. Many shoppers are planning to rely on e-commerce for most—if not all—of their holiday shopping rather than perusing the aisles in big box stores and shopping malls. Digital gift card sales are also likely to increase.
However, given the spike in digital activity predicted over the holidays, cybercriminals, too, will be making their lists and checking them twice. It’s a particularly risky time of the year as shoppers of all ages (including some with less experience recognizing digital threats) flock to search engines and online channels to place orders before holiday delivery date cutoffs. And opportunistic hackers know just how to create enticing, seasonally-appropriate lures—and even some of the simplest scams can fool adept online shoppers.
Here are some of the most common cyber threats to prepare for during the holidays—along with a few unique outliers we’re expecting to see this season as a result of the pandemic.
Online Gift Scams
If you ever received a strange email urging you to help a friend or family member with an emergency—and that email led you down the path of providing a gift card as payment—that email was almost certainly a scam. Gift cards are a common vector for cyber criminals and scammers, since stealing the money loaded onto them is like stealing cash: Once it’s taken, there’s virtually no way for a victim to get it back (unlike credit card transactions, which allow chargebacks).
Around the holiday season, when gift card purchases spike, thieves are on the lookout for easy ways to take advantage. Some will go as far as to manipulate gift cards sold in stores, scratching off the layer of protective coating to write down pin numbers, and then “replacing” the coating with a sticker so it looks brand new. Scammers will plug those PINs into software that sends an alert once someone has purchased and activated their gift card—and then proceed to drain all its funds.
Another common gift card-related ploy is the account takeover attack (ATO). These attacks tend to spike around the holidays. A cybercriminal first uses credential stuffing or password spraying tactics to obtain account credentials for a particular e-commerce platform. They then use this information to make purchases on using that account information, often buying high-value electronic gift cards in bulk before promptly spending those gift cards to avoid being tracked down.
The best way to avoid becoming the target of gift card scams is to remain vigilant and follow the best practices listed below:
• Set a strong password for every online account, making sure not to repeat the same password across any two platforms. Use a password management app to keep track of different accounts.
• Regularly update your login credentials and monitor your payment accounts for signs of unusual activity.
• If you purchase gift cards in stores, visually inspect them for signs of tampering before loading funds and stick with retailers who keep their gift cards secured behind a checkout counter.
• Never agree to pay for online purchases in gift cards when prompted via email—in these instances, the item you’re trying to “purchase” probably doesn’t exist. Stick with retailers you know and trust, and make sure the site’s checkout system is secure. Credit cards are the best way to pay since most offer some level of fraud protection.
Video Conferencing Phishing Scams
Increased reliance on online shopping isn’t the only thing changing this holiday season. If your family, like many around the globe, is celebrating holidays virtually rather than in person, be on the lookout for certain social interaction-based scams. Since the onset of COVID-19, businesses were forced to transition the majority of their employees to remote work, resulting in an increased reliance on video conferencing. And cybercriminals have been all over popular video conferencing platforms since the pandemic first took hold in the first few months of 2020.
As a result, cybercriminals have begun to execute phishing campaigns that take advantage of these video-based platforms. These phishing attempts involve emails containing phony links that prompt the user to download a new version of their video conferencing software. The link directs them to a third-party website where the user can download an installer. In some cases, the program does install the video conferencing software—but whether it does or doesn’t, it also loads a remote-access Trojan malware program on the host. This program gives scammers access to the user’s sensitive data and information, which is either sold on the Black Market or leveraged for identity theft.
Other phishing attempts prey on remote employees waiting to receive emailed invitations with links to video calls. In these instances, scammers send out links that bring the user to a fake login page (that looks much like the real thing) in an attempt to steal login credentials. If successful, these attackers will attempt to use these credentials to gain access to corporate accounts and networks.
To avoid video conferencing scams, always follow cybersecurity best practices: Look at the sender’s email address before clicking on emailed links or downloading attachments, even if they appear to come from a trusted source. In most cases, phishing emails are sent from addresses that do not contain the supposed sender’s organization’s legitimate web address. Educate employees, family members, and friends about what to avoid and keep devices updated with the latest security software.
Phishing, Smishing, Vishing: Threats Aren’t Limited to the Desktop
Video conferencing-themed phishing attempts are only the tip of the iceberg this holiday season. Unfortunately, other forms of phishing are still on the rise, including those that target your phone or mobile devices. The telephone version of phishing is sometimes referred to as “vishing,” and text message scams are called “smishing” – a play on SMS.
Mobile phishing attempts are especially common for e-commerce shoppers. More users than ever rely on their smartphones to make purchases. While these devices may seem less vulnerable to threats, that is actually not the case. Online shoppers may receive fraudulent text messages that appear to come from retailers they’re familiar with, for instance. These messages typically contain a link that, once clicked, redirects to a fraudulent website that looks like the retailer’s legitimate site but is designed to extract your personally identifiable information (PII). Malicious apps, particularly for Android devices, can also be used to skim financial data and credentials.
With vishing, cyber criminals use phone calls to solicit PII, relying on “social engineering” tactics (i.e., an urgent message about your recent order) to trick you into providing information such as login credentials or bank account information. Paradoxically, vishers often leverage our innate fear of cyber scams and attacks to pull off these attacks. For example, a voicemail message may state, “URGENT: Your bank account has been locked due to suspicious activity. Call us back immediately to restore access.” Then, when the victim calls back, they are asked to provide sensitive information that is then stolen and used maliciously.
Avoid vishing and smishing by confirming that the phone number from which you received a call or text message does, in fact, belong to the organization claiming to have sent it—before you provide any information. And remember that banks and government agencies almost never contact customers of individuals on this way. Instead, it would be wise to call your bank directly to inquire about the message you received. They’ll be able to tell you whether or not it was legitimate, and will report the incident to the appropriate authorities if it turns out to have been a scam.
Final Thoughts
While COVID-19 has transformed the holiday season this year in more ways than one, it’s still possible to enjoy your favorite traditions safely. Thanks to digital platforms, we can connect with family and friends from the comfort and safety of our homes – and check off those gift lists without setting foot in crowded malls and shopping centers. It just requires a new level of vigilance that, itself, can become the new normal.
Stay safe online this season by remaining vigilant: Never blindly trust an email, text message, or phone call, especially those that come from unfamiliar numbers or sources. Use common sense to look out for signs of phishing. Update login credentials regularly. And, of course, pass along this information to anyone you believe could benefit from it. Education, after all, is the best weapon in fighting back against cybercrime.
Find out more about Fortinet’s NSE Training Institute programs, including the Certification Program, Security Academy Program and Veterans Program, which provide critical cybersecurity training and education to help solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow. Through the Information Security Awareness Training service, Fortinet also provides organizations with free training for their employees to be cyber aware to identify and prevent threats.