This year’s Black Friday is expected to smash all previous records, with consumers set to spend an estimated $29 billion online over Thanksgiving weekend. All that money means cybercriminals will be busier than ever deploying malware to target both you and the online retailers you trust. Some hackers, like the ones who struck Macy’s last month, attack merchants’ websites directly. Many more scams, however, are designed to lure you away from legitimate sellers and steer you toward malicious sites or apps that often spoof familiar retailers like Amazon, Best Buy or Walmart.
For example, research from RiskIQ, a security company, said it identified almost 1,000 malicious apps using holiday-related terms, and over 6,000 apps using names and slogans from popular retailers to reel in unsuspecting victims. RiskIQ also said it found 65 malicious websites posing as popular retailers in an attempt to fool you into giving up your personal information.
As always, your best armor against these schemes, scams, frauds and cons is the knowledge you need to sniff them out. Here’s everything you need to know about (not) getting duped this holiday season.
Avoid the ‘Secret Sister’ gift exchange — it’s a pyramid scheme
Originating on Facebook sometime around 2015, this gift exchange among internet strangers plays off the popular workplace practice of “Secret Santa,” a game where each person buys a present for one other, randomly selected person without revealing who their giftee is. The online version, however, is a pyramid scheme dressed up in holiday clothes, according to the Better Business Bureau. The “Secret Sister” exchange invitation promises you’ll receive about $360 worth of gifts after purchasing and mailing a $10 gift for someone else.
Unfortunately, such bad math hasn’t stopped this scam from resurfacing year after year. Not only will you probably be out 10 bucks when you don’t receive any gifts in return, but the scheme also involves you forwarding personal details — names, email addresses, phone numbers — to people you’ve never met in person.
The Better Business Bureau recommends you deal with any request to become a Secret Sister by ignoring it — do not give your personal details to online strangers. You can also report the invitation to Facebook or whichever social network you were approached on.
Fake websites and fraudulent apps go ‘phishing’
In a phishing scheme, the victim receives an email or text message directing them to enter payment information or other personal details on a fraudulent website, which is often designed to look just like a legitimate site.
A recent survey by cybersecurity company McAfee reports that 41% of Americans fell victim to email phishing schemes in 2019. Unsurprisingly, a similar number — 39% — reported that they don’t check email senders or retailer websites for authenticity.
To top it all off, 30% of respondents reported losses of $500 or more in the last year alone.
If the data from RiskIQ is any indication, expect a surge in messages claiming to be from Amazon, Best Buy, Walmart, Target or other large retailers over the next few months. If you receive an email asking you to update your payment method or requesting other personal information, contact the company’s help desk to make sure the email is legit before you do anything else.
Signs that a message may be a phishing attempt:
- The sender’s email address looks almost right but contains extra characters or misspellings.
- Misspellings and/or bad grammar either in the subject line or anywhere in the message.
- The message addresses you with generic terms (“Mr.” or “Ms.” or “Dear Customer”) instead of by name.
- The message warns that you need to take immediate action and asks you to click a link and enter personal details, especially payment information.
- The message promises a refund, coupons or other freebies.
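Most of these signs can be checked mechanically before a message reaches a shopper. The Python sketch below is an added example, not part of the original article: the allow-listed domains, the regular expressions and the function names are assumptions chosen for illustration, and the spelling-and-grammar sign is left to a human reader.

```python
import re
from email.utils import parseaddr
# Retailers named in the article; these domains are an assumed allow-list.
TRUSTED = ["amazon.com", "bestbuy.com", "walmart.com", "target.com"]
GENERIC = re.compile(r"^\s*dear\s+(customer|sir|madam|mr\.?|ms\.?)\b", re.I | re.M)
URGENT = re.compile(r"\b(immediately|urgent|account (will be )?suspended)\b", re.I)
ASKS = re.compile(r"\b(update|confirm|verify)\b.{0,40}\b(payment|card|billing)\b", re.I | re.S)
BAIT = re.compile(r"\b(refund|coupons?|free gift|gift card)\b", re.I)

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (near-miss spelling or embedded brand), or None."""
    domain = domain.lower()
    base = ".".join(domain.split(".")[-2:])  # crude registrable domain (assumption)
    if not domain or base in TRUSTED:
        return None
    for good in TRUSTED:
        if edit_distance(base, good) <= 2 or good.split(".")[0] in domain.replace("-", ""):
            return good
    return None

def phishing_signs(from_header, subject, body):
    """List which of the article's warning signs a message shows."""
    signs = []
    domain = parseaddr(from_header)[1].rpartition("@")[2]
    imitated = lookalike_of(domain)
    if imitated:
        signs.append(f"sender domain {domain} imitates {imitated}")
    text = subject + "\n" + body
    if GENERIC.search(body):
        signs.append("generic greeting")
    if URGENT.search(text) and ASKS.search(text):
        signs.append("urgent request for payment or personal details")
    if BAIT.search(text):
        signs.append("promises a refund, coupon or freebie")
    return signs

# Constructed sample messages (not real mail).
PHISH = ('"Amazon Support" <billing@amaz0n.com>', "Action required",
         "Dear Customer,\nYour account will be suspended. Update your payment method immediately.")
LEGIT = ("Best Buy <orders@mail.bestbuy.com>", "Order shipped", "Hi Dana,\nIt is on its way.")
```

A non-empty result is a reason to verify the message with the retailer directly, not proof of fraud; an empty result does not make a message safe.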
Credit card skimming goes all-digital
Credit card skimmers that steal your personal information when you swipe a credit or debit card at an ATM, gas pump or other payment kiosk have been around for well over a decade, but October’s attack on Macy’s is an example of that same technique deployed digitally.
Essentially, instead of using physical hardware to steal payment card numbers, hackers inserted malicious code directly on Macy’s website to do the same thing with online payment information.
Regarding online credit card skimming, Tim Mackey, principal security strategist for Synopsys, a digital security company, warns, “There isn’t an obvious way the average person will be able to identify if or when a website has been compromised. The only potential tell-tale sign might be that the website itself doesn’t quite look ‘right.’”
Mackey suggests a few strategies consumers can use to protect themselves:
- Don’t save your credit card information on retail sites.
- If possible, use a third-party payment method like Apple Pay, Google Wallet or PayPal.
- Enable purchase alerts on all your credit cards.
- Disable international purchases on all credit cards.
- Only make purchases from your home or cellular network, never on public Wi-Fi where your payment could be intercepted.
‘Juice-jacking’ fears may be overblown
The Los Angeles County District Attorney’s office published a blog post earlier this month advising citizens not to use USB charging ports in public places like airports and shopping malls, warning hackers could install “juice-jacking” software that downloads malicious code on connected phones and tablets, granting the thieves access to your personal information.
Although that is theoretically possible, as the urban-myth-busting website Snopes.com points out in a recent post, the likelihood of that actually happening to you is incredibly slim.
When TechCrunch contacted the LA County DA to ask how widespread the problem really is, the chief prosecutor’s office could not confirm any actual “juice-jacking” cases on the books. One reason could be that most smartphones and tablets currently in use have software in place to prevent exactly these kinds of attacks — that’s why your phone asks if you trust the connection when you plug it into a laptop or desktop to charge.
As long as shopping still exists, scammers and thieves will continue to try and rip you off. In the meantime, the best you can do is to stay ahead of their trickery and protect yourself with knowledge. For more strategies for getting through this fun but stressful season, check out our Holiday Survival Guide. We’ve compiled the best tips and tricks for de-stressing after marathon shopping sessions, how to leverage your smart assistant to help manage holiday get-togethers whether you use Google Home or Amazon’s Alexa, as well as how to eat healthfully without skipping dessert.
Originally published earlier this month.