How to Avoid Cyber Scams this Holiday Shopping Season

Online shopping is rife with security issues, but you can outsmart the risks.

Today kicks off the 10-day countdown to Christmas. (If you’re like the millions who haven’t even started shopping yet, do what you can to suppress your panic.) With holiday commerce projected to take place online this year more than any before it, there’s an issue that isn’t being picked up by enough people’s radar: a new era of rampant cybersecurity threats targeting everyone from the casual holiday shopper, to the small local accounting firm, to major corporations and even the government

Even before the weather turned colder, 2020 has brought out the worst in opportunistic bad actors who seized upon the pandemic as a chance to exploit people. In the early months of the Covid-19 spread, IT security experts saw a 37 percent increase in phishing attempts. Most of these scams utilized Covid explicitly by luring people to click on phony pandemic updates, medical relief funds, or links to entertainment as we faced life in isolation. 

Now that the Year of Covid is coming to a close with the chaotic holiday shopping season, it makes sense that cybercriminals are trying to wrap their lucrative year up with a bang. Threat actors are acutely aware that the retail season is taking place on people’s smartphones and tablets, and they’re capitalizing off the ability to blend in fairly seamlessly with the deluge of promotional messages and shipping updates in our inboxes. SMS and social media platforms are all URL hotspots for holiday shoppers, and scammers know precisely how to imitate those communications. 

So what can be done to avoid being a victim of cyber scams this holiday season (and always)? Well, broadly, the Cybersecurity and Infrastructure Security Agency (CISA) reminds individuals and businesses to be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails claiming to be from charities, and unencrypted financial transactions.

But while most of us have gotten good at spotting the obvious fakes, scammers have gotten equally good at masquerading as authentic. For example, one prevalent phishing campaign utilizes SMS messages pretending to be Amazon or one of the popular package delivery services. The texts usually reference an impending delivery and encourage the user to click a link to verify their address or the contents of the package. Users are then asked for personal/financial information. So the key is to learn to second-guess yourself on what initially looks legitimate.

Here are a few things to think about.

Scrutinize messages

  • We’ve become programmed to respond to notifications almost immediately and with quick taps. It can be much harder to notice red flags on the small screens of mobile devices in particular. With these points in mind, make it a habit to stop and take the time to read all messages thoroughly, with scrutiny.

Inspect URLs

  • Don’t ever click links from numbers or senders you don’t recognize. If it looks important, try contacting the sender to validate the message instead of interacting with the link. 
  • If for some reason you do want to interact with a link, copy it into a browser and inspect the full URL before actually following it. Phishing campaigns tend to use URL spoofing, which allows it to look like an authentic website at first, but viewing the full URL reveals something very different. 

Be dubious about deals

  • As Managed IT Service / IT security providers we say this pretty often, but it always bears repeating the old adage about if something seems too good to be true. Messages containing links to deals, discounts, opportunities or giveaways that should’ve given users “too good to be true” vibes are probably the leading cause of holiday cybersecurity issues.
  • Looking for deals on gifts? Of course you are. But stay away from the third party websites claiming to have them. If you’re attracted to an advertised special, go directly to the retailer’s website. The place to find the best deals on buys from Amazon, Best Buy, Target, etc is Amazon, Best Buy, Target, etc. 
  • Remember that apps can be spoofed just as websites can, so always get your shopping apps from reputable sources and check its verification in the official app stores. You should also be exceedingly careful about what information you share with apps. 

Guard your info

  • Though most shopping will take place at home in your PJs this year, if you’re venturing out to the stores or even to a corner cafe to grab a coffee while perusing Amazon, remember that free Wifi really isn’t your friend. Cyberthieves are often eavesdropping on the shared public networks, just waiting for an unsuspecting user to pop in their credit card numbers. Save the shopping for home, when you’re on a secure private network. 
  • Never use your bank account as a payment method. Most credit card companies offer fraud protection, so take advantage of that. Debit cards are generally protected, but it can take a long time to recover your money. And it should go without saying that requests for payment via pre-paid gifts cards, money wiring, or bank-to-bank transfers should NEVER be complied with. 
  • Create unique passwords for every site, or try to checkout as a guest when possible. A single fraud incident that sets off a domino effect across all your accounts can usually be traced back to the repetitive use of passwords across websites. 

Despite the wishes for good cheer, the holidays are stressful even in the best of circumstances — but this has been an exceptionally tough year for everybody. Remember that cybercriminals prey on vulnerability and impulse. They are experts in social engineering and have made a multibillion dollar industry out of luring victims into the comfort or benefit promised by a simple, seemingly-benign click. Even a momentary lapse in vigilance can set off a malicious infection of malware that could empty your bank accounts and take over your identity. Nobody needs that for the holidays. Let’s be honest — 2020 has been complicated enough.