The holidays may still be weeks away, but the shopping season has already started. Online sales start to soar in November – and with them, the volume of cybercrime targeting shoppers.
Research by Kaspersky has found that each year around November 11, e-commerce attacks such as phishing sites and scam storefronts spike. Why November 11? The date marks Singles’ Day, a Chinese holiday originally encouraging singlehood that has since ballooned into the year’s biggest shopping day around the world – and it’s followed by Black Friday sales at the end of November, then the final few shopping weeks before Christmas and New Year’s Eve.
“Black Friday, Christmas and New Year’s make up a great time for shoppers, with discounts and promotions at every turn. Many people drop their guard and become easy prey for cybercriminals,” says Tatyana Sidorina, Senior Web Content Analyst at Kaspersky.
The fake payment or login page
With phishing on the rise every year, fraudulent webpages designed to steal personal and financial information are one of the most common forms of cyberattack, says Sidorina.
Fraudsters usually send out mass phishing e-mails leading to fake sites, impersonating stores that currently offer specials. You might also come across such sites through social media, as people share links – perhaps without clicking – to what seem like great deals.
Such sites culminate in a “payment” page presented to shoppers after they’ve filled their basket with hundreds or thousands of dollars’ worth of goods. Once credit card details are entered, they’re sent straight to the crooks, who can then use these details or sell them on the dark web – and buyers might receive knockoff products or nothing at all.
Kaspersky's research uncovered one scam website claiming to sell a brand of expensive winter coats at a fraction of the typical cost. Other fake pages might imitate those of popular, trusted brands such as Amazon or Alibaba, with the aim of capturing users’ real logins or financial information.
“Fake sites follow the typical phishing formula, hooking consumers with an irresistible price on something,” says Sidorina. The golden rule: if something seems too good to be true, it probably is. Here are four ways scammers try to trick you (followed by our 11 Online Shopping Safety Tips).
The special offer
One scam you may have already seen on Facebook involves the discount coupon. Last year, $100 gift cards purportedly from Aldi circulated, offering the discount with any purchase over $120. The catch? Users had to fill in a survey with their personal information, culminating in a request to sign up for a paid subscription or a new credit card. After all that, the gift card never materialized – but some fraudster out there had a bunch of new credit card numbers and profile information to hawk on the dark web.
“Be careful of offers that ask for details you aren't comfortable giving out or make you sign up for a recurring service that you can "cancel later" before you can get started,” says Paul Ducklin, Senior Technologist at Sophos.
Another variant of the special offer survey is the super-discount that requires you to install an app or plugin first. This is a massive red flag, Ducklin says. “These [super discounts that] demand you to install a new browser plugin, or grant special permissions to an app you've never heard of before, thus giving them insider access on your computer that might not be what you intended.” Once access is granted, malware could steal personal or financial information stored on the device.
The fake fashion ad
Spotted an online ad for massively discounted designer goods? It just might be too good to be true. Designer sunglasses are a popular one. Ads for what transpires to be fake Ray-Bans have been circulating on Facebook for years and, more recently, Instagram. Such ads often promote a huge discount and are time-limited – all the better to push viewers into an impulse buy.
Don’t forget ads may be voluntarily shared by social media users who haven’t clicked through, or pushed via hijacked accounts. Either way, just because a promotion comes from a trusted account doesn’t mean it can be trusted.
Even if you’re shopping at a trusted retailer, there’s a chance that malware may be lurking inside the website, waiting to skim any credit card details you input.
According to the Symantec 2019 Internet Security Threat Report, this type of malware attack, called formjacking, compromised on average over 4,800 websites every month in 2018 – and that number includes major retailers such as Ticketmaster and British Airways, which had 380,000 credit card details swiped last year, a haul that could have netted criminals over $17 million.
The malicious code affects forms where people fill in financial details, sending this information straight to the hackers, while the purchase itself goes through as usual, leaving buyers and retailers none the wiser.
11 Tips for shopping safely
The internet may be a warren of misleading links and potential scams, but these expert-approved tips will help you shop safely this holiday season.
1. Be extra-vigilant when you click on any link in an email
An email may be branded to look like it comes from a trusted retailer, and contain links that lead you to a fraudulent version of a legitimate website. The same goes for clicking on banner ads, especially if they’re on a site you’re not sure of.
2. Avoid clicking on shopping links from social media and chat apps
Even if you trust the person whose account is posting the link, remember that social media accounts can be hijacked. “In general, don’t click on links coming from unknown sources, be it in e-mails, messaging apps, or social networks,” says Sidorina.
3. Check the URL of any page where you’re entering logins or financial details
Check the URL of any page where you’re entering logins or financial details – especially if you land there from clicking on a link from email, social media, or a banner ad. On a mobile device, you may need to tap and hold on the address bar to scroll through and view the full address.
“Crooks often put comforting text, such as ‘visa dot com’ at the left-hand end of the website name, hoping that's all you'll notice. But if you scroll to the right, you may find [a longer string of characters containing a random site name] rounding out the web server's full name,” says Ducklin.
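The check described in this tip can be written down as a short JavaScript example (added here, not from the original article or from Sophos): it reads the hostname from the right-hand end and flags addresses that only begin with, or contain, a trusted name. The `TRUSTED` allowlist, the function names and the `.example` addresses are assumptions constructed for illustration.

```javascript
// Added example: flag hostnames that merely contain a trusted name.
// TRUSTED is an assumed allowlist; all .example hosts are constructed samples.
const TRUSTED = ["visa.com", "amazon.com"];

// True only when host is the trusted domain itself or a real subdomain of it,
// i.e. the trusted name sits at the RIGHT-hand end of the hostname.
function belongsTo(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function classifyUrl(rawUrl, trusted = TRUSTED) {
  let host;
  try {
    // The URL parser lowercases the host and strips port, path and userinfo.
    host = new URL(rawUrl).hostname.replace(/\.$/, "");
  } catch {
    return { host: null, verdict: "invalid" };
  }
  for (const domain of trusted) {
    if (belongsTo(host, domain)) return { host, verdict: "trusted", domain };
  }
  // Not under any trusted domain: does a trusted name show up anyway?
  const labels = host.split(".");
  for (const domain of trusted) {
    const brand = domain.split(".")[0];
    const brandInLabel = labels.some((l) => l.split("-").includes(brand));
    if (host.includes(domain) || brandInLabel) {
      // rightEnd is the last two labels: the part a shopper should read first.
      // (A full check would use the Public Suffix List; this is a simplification.)
      return { host, verdict: "lookalike", domain, rightEnd: labels.slice(-2).join(".") };
    }
  }
  return { host, verdict: "unknown" };
}

// Constructed sample addresses.
const SAMPLES = [
  "https://www.visa.com/pay",
  "https://visa.com.secure-checkout.example/pay",
  "https://visa-payments.example/login",
  "https://shop.example/",
];
for (const u of SAMPLES) console.log(u, "->", classifyUrl(u).verdict);
```

A "lookalike" verdict means the trusted name appears somewhere in the address but the site itself belongs to whatever `rightEnd` shows.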
4. Do a background check when you’re purchasing from a retailer for the first time
Paying at a new online retailer? Even if the site is full of logos that imply it has been vetted by security vendors or trusted brands, check that it’s legitimate by looking it up on Trustpilot – it could reveal whether others have been burned. WhoIs is also helpful for checking how long the domain has been registered, says Sidorina – if it’s very new and registered to a mysteriously named entity, it could be prudent to take your business elsewhere.
5. Shop on apps rather than sites
This guarantees you’re at your usual shopping haunts, rather than having clicked on a phishing link to a cleverly mocked up website.
6. Don’t use the same password across multiple sites
If you need to sign up for an account at a new shop, be sure to pick a unique – and strong – password, because a breach of just one account can easily lead to others. “If one site gets cracked, and the passwords breached, crooks immediately try your known password on all your other accounts, in case they get lucky,” says Ducklin.
Once an account is breached, crooks may also be able to collect enough personal information about you to hack important accounts like email or social media by requesting a password reset.
7. Use a password manager to pick complex passwords for you
Password managers can also flag weak passwords and notify you if any old shopping logins have been compromised in a data breach. Our top-rated password managers include both free and paid-for options with more features.
8. Install and regularly update your antivirus solution
You most likely won’t be able to spot that a retailer has been infected by malware, but a good antivirus program will have a feature that alerts you to potential phishing links or websites that may be compromised by malicious code. Kaspersky Total Security and Norton 360 both offer anti-phishing, financial transaction protection and the ability to detect potentially dangerous sites.
9. Use credit cards, not debit cards
Credit cards normally come with more protection against fraud and faulty products, including the ability to reverse payments before your account is impacted. They also monitor your spending and often stop transactions that seem unusual.
10. Consider getting a low-value prepaid credit card solely for online shopping
“Don't hook up every site to your main credit card account,” advises Ducklin. “A prepaid credit card means that your exposure is limited if crooks get hold of it.”
11. Avoid public Wi-Fi hotspots for shopping
But if you must, be sure you use a VPN, or virtual private network, that encrypts your traffic so that anyone snooping on that handy cafe Wi-Fi can’t see your logins or credit card details.
In case of fraud, raise the alarm
For the most part, shopping online – especially at trusted retailers and familiar brands – is a safe activity. But if you ever find yourself the victim of online fraud, be sure to cancel your payment cards and call your financial providers to freeze your accounts in order to reduce the risk of identity fraud.
You can also complain to consumer-rights groups who may be able to help you with a refund or compensation. The Federal Trade Commission deals with domestic complaints, or if you’ve bought at a foreign site, you can try eConsumer.gov, which deals with international scams, including e-commerce.
And go ahead and post that negative review at the seller’s platform and across third-party sites. At the very least, this could help prevent others from falling prey to the same scam.
[Image credit: safe shopping concept via BigStockPhoto, ‘discount-fake-payment’ screenshot via Kaspersky, ‘fake-RayBans’ screenshot via Sophos]