.The key to staying protected is staying alert.
James Martin/CNET
This year’s Black Friday is expected to smash all previous records, with consumers set to spend an estimated $29 billion online over Thanksgiving weekend. All that money means cybercriminals will be busier than ever deploying malware to target both you and the online retailers you trust. Some hackers, like the ones who struck Macy’s last month, attack merchants’ websites directly. Many more scams, however, are designed to lure you away from legitimate sellers and steer you toward malicious sites or apps that often spoof familiar retailers like Amazon, Best Buy or Walmart.
For example, research from RiskIQ, a security company, said it identified almost 1,000 malicious apps using holiday-related terms, and over 6,000 apps using names and slogans from popular retailers to reel in unsuspecting victims. RiskIQ also said it found 65 malicious websites posing as popular retailers in an attempt to fool you into giving up your personal information.
As always, your best armor against these schemes, scams, frauds and cons is the knowledge you need to sniff them out. Here’s everything you need to know about (not) getting duped this holiday season. You can find legitimate Black Friday deals here, and even more tips for surviving the Thanksgiving weekend.
The “Secret Sister” gift exchange, which originated on Facebook in 2015, is little more than a pyramid scheme.
Angela Lang/CNET
Avoid the ‘Secret Sister’ gift exchange — it’s a pyramid scheme
Originating on Facebook sometime around 2015, this gift exchange among internet strangers plays off the popular workplace practice of “Secret Santa,” a game where each person buys a present for one other, randomly selected person without anyone sharing their giftee. Instead, it’s a pyramid scheme dressed up in holiday clothes, according to the Better Business Bureau. The “Secret Sister” exchange invitation promises you’ll receive about $360 worth of gifts after purchasing and mailing a $10 gift for someone else.
Unfortunately, such bad math hasn’t stopped this scam from resurfacing year after year. Not only will you probably be out 10 bucks when you don’t receive any gifts in return, but the scheme also involves you forwarding personal details — names, email addresses, phone numbers — to people you’ve never met in person.
The Better Business Bureau recommends you deal with any request to become a Secret Sister by ignoring it — do not give your personal details to online strangers. You can also report the invitation to Facebook or whichever social network you were approached on.
Fake websites and fraudulent apps go ‘phishing’
In a phishing scheme, the victim receives an email or text message directing them to enter payment information or other personal details on a fraudulent website, which is often designed to look just like a legitimate site.
According to cybersecurity company McAfee, over a third of all Americans have fallen victim to phishing schemes in the last year.
McAfee
A recent survey by cybersecurity company McAfee reports that 41% of Americans fell victim to email phishing schemes in 2019. Unsurprisingly, a similar number — 39% — reported that they don’t check email senders or retailer websites for authenticity.
To top it all off, 30% of respondents reporting losses of $500 or more just in the last year alone.
If the data from RiskIQ is any indication, expect a surge in messages claiming to be from Amazon, Best Buy, Walmart, Target or other large retailers over the next few months. If you receive an email asking you to update your payment method or requesting other personal information, contact the company’s help desk to make sure the email is legit before you do anything else.
Other ways to identify a phishing email, according to the Federal Trade Commission and StaySafeOnline.org, include:
- The sender’s email address looks almost right but contains extra characters or misspellings.
- Misspellings and/or bad grammar either in the subject line or anywhere in the message.
- Addresses you with generic terms (“Mr.” or “Ms.” or “Dear Customer”) instead of by name.
- The message warns that you need to take immediate action and asks you to click a link and enter personal details, especially payment information.
- The messages promise a refund, coupons or other freebies.
Credit card skimming goes all-digital
Credit card skimmers that steal your personal information when you swipe a credit or debit card at the ATM gas pump, or other payment kiosk have been around for well over a decade, but October’s attack on Macy’s is an example of that same technology deployed digitally.
Credit card skimming used to require physical hardware, but now hackers are inserting malicious code directly on retailers’ Websites to steal customers’ credit card information.
James Martin/CNET
Essentially, instead of using physical hardware to steal payment card numbers, hackers inserted malicious code directly on Macy’s website to do the same thing with online payment information.
Regarding online credit card skimming, Tim Mackey, principal security strategist for Synopsis, a digital security company, warns, “There isn’t an obvious way for the average person will be able to identify if or when a website has been compromised. The only potential tell-tale sign might be that the website itself doesn’t quite look ‘right.”http://www.cnet.com/”
Mackey suggests a few strategies consumers can use to protect themselves:
- Don’t save your credit card information on retail sites.
- If possible use a third-party payment method like Apple Pay, Google Wallet or PayPal.
- Enable purchase alerts on all your credit cards.
- Disable international purchases on all credit cards.
- Only make purchases from your home or cellular network, never on public Wi-Fi where your payment could be intercepted.
‘Juice-jacking’ fears may be overblown
The Los Angeles County District Attorney’s office published a blog post earlier this month advising citizens not to use USB charging ports in public places like airports and shopping malls, warning hackers could install “juice-jacking” software that downloads malicious code on connected phones and tablets, granting the thieves access to your personal information.
The Los Angeles County District Attorney’s Office posted a video warning residents of so-called “juice-jacking” malware on public USB charging stations despite having no such cases on the books.
Screenshot by Dale Smith/CNET
Although that is theoretically possible, as the urban-myth-busting website Snopes.com points out in a recent post, the likelihood of that actually happening to you is incredibly slim.
When TechCrunch contacted the LA County DA to ask how widespread the problem really is, the chief prosecutor’s office could not confirm any actual “juice-jacking” cases on the books. One reason could be that most smartphones and tablets currently in use now have software in place to prevent exactly these kinds of attacks — that’s why your phone asks if you trust the connection when you plug it into a laptop or desktop to charge.
As long as shopping still exists, scammers and thieves will continue to try and rip you off. In the meantime, the best you can do is to stay ahead of their trickery and protect yourself with knowledge. For more strategies for getting through this fun but stressful season, check out our Holiday Survival Guide. We’ve compiled the best tips and tricks for de-stressing after marathon shopping sessions, how to leverage your smart assistant to help manage holiday get-togethers whether you use Google Home or Amazon’s Alexa, as well as how to eat healthfully without skipping dessert.
Originally published earlier this month.
