With the winter holiday season approaching in the U.S., the UK and the rest of the world, so begin the weeks-long Black Friday sales and discounts that are no longer a one-day deal. The expansion of these sales has been buoyed by the ever-growing e-commerce industry and by applications that push sales notifications to the devices in our pockets.
Increased time spent shopping online and hunting for the best value has opened a widening lane for cyber threat actors, who take advantage of Black Friday announcements with spoofed websites and phishing attempts.
Keep an eye out for money request scams
Recently, a PayPal-branded scam has been circulating that uses spoofed emails and websites. In these “money request” scams, the threat actor creates a PayPal account and uses PayPal’s “money request” service to send an official PayPal email requesting funds from the victim. This service is normally used by customers to split costs among friends or split bills.
The threat actor makes the request look like an existing charge for a genuine product or service and adds a contact phone number to the message, offering an easy way to cancel the payment request. In other words, scammers have found a way to abuse the money request service to generate emails that really do come from PayPal, so the sender address alone is not a reliable sign that the request is legitimate.
Additional scams this holiday season
Other scams to watch out for during the holiday shopping season include misleading social media ads and social media gift exchanges. Some fake social media ads claim to offer items from small businesses, or luxury items at steep discounts, but according to the Better Business Bureau those items may never arrive.
The BBB has also received an increase in reports on Scam Tracker about a scam claiming your Amazon, Netflix or bank account has been compromised. Victims have been receiving emails, calls or texts explaining that there has been suspicious activity on their accounts and to take immediate action. The Better Business Bureau also recommends that people be wary of any “free” gift cards or holiday job offers, which are easy ways for scammers to retrieve important personal information from you. Further, fake websites, fake charities and fake shipping notifications are pervasive during the holiday season.
Surges in online shopping orders have led threat actors to send fake shipping-notification phishing emails with links that can expose private information or trick people into paying bogus shipping fees. Fake charities work the same way: scammers try to get you to send gifts or donations to a charity that does not exist, or to hand over your credit card information.
How to stay safe
To boost your cybersecurity posture over the holiday shopping season, be cautious of unexpected emails claiming Black Friday deals and research any retailer you have not heard of before. Pay securely when making online purchases, and where you can, use a credit card instead of a debit card, as credit card companies often provide fraud protection.
“The conversation around consumer cybersecurity is really just getting started,” said Executive VP at HCLTech Amit Jain. “As cyberattack vectors evolve, consumers and businesses alike need to make adjustments to stay ahead.”
Further, protect your accounts with a strong password and multi-factor authentication to resist brute force and credential-stuffing attacks. And as a general rule, if it’s too good to be true, it likely is. Any Black Friday deal that appears too good will require a little more research on your part.
How entities can protect the consumer
According to the U.S. Consumer Financial Protection Bureau (CFPB), persons and service providers covered by the Consumer Financial Protection Act (CFPA) may violate its prohibition on unfair acts or practices by failing to safeguard consumer information.
To avoid violating the CFPA and to protect consumers during the holiday shopping season, entities should require multifactor authentication (or a reasonably secure equivalent) for employees to prevent breaches, and should have processes in place to monitor for breaches at other entities where employees may be reusing logins and passwords.
Further, entities should routinely update systems, software, and code, and should not leave them unpatched when a critical vulnerability is present.