Phishing

Overview of phishing techniques: Urgent/limited supplies

April 30, 2020 by Fakhar Imam

Introduction

The internet has made online shopping possible for all types of suppliers and consumers. Online shopping is everywhere, from social media-based “stores” to retail apps. As a result, scammers have also moved into online shopping, running supplier imposter scams that promise consumers perks like big discounts, overnight delivery, free shipping, urgent offers or limited supplies. According to the Better Business Bureau (BBB)’s Scam Tracker Risk Report, online purchasing was the most common scam of 2019.

What types of products feature in online shopping scams? The BBB discovered that the most common categories of products in shopping scams include jewelry, clothing, home décor, furniture, pets, health and nutrition, cosmetics and electronics.

Scammers launch phishing campaigns to trick you into clicking a malicious link. They do this by offering a good deal or by steering you to a fake website that pretends to be a known retailer and tricks you into entering your credentials.

In this article, we will delve into the ways that supplier imposter scams work, point out some potential red flags and explain the most effective remedial measures to prevent supplier imposter scams.

How do supplier imposter scams work?

Whenever big discounts are expected in the market (such as during holiday seasons), scammers get ready to defraud consumers. This often involves using fake websites where they ask victims to enter credentials, or sending victims malicious links that deliver malware.

An attack typically starts with a mobile app or a bogus website. Scammers impersonate trusted retailers, using similar URLs, slogans and logos to trick buyers into believing that they are purchasing a real brand. Once they win the victim's trust, he or she enters personal details into what appears to be a login form. They use a sense of urgency, claims of limited supply, countdown timers and the promise of perks like fake discounts, overnight shipping and/or free shipping to lure users into buying fake products.

Some use faux e-stores to get credentials. “Thousands of fake online stores are rushing to cash in,” according to the Washington Post.

Fraudsters will even launch spam email campaigns containing links to newly created websites that exist only to defraud consumers. They deceive shoppers with fake bargains and a variety of too-good-to-be-true offers on top brands, as well as gift cards, coupons and other enticements.

Scammers rely on the fact that shoppers are in a hurry to get the best bargain, so they keep offering fake limited-time deals via emails, SMS and real phone calls! Victims are encouraged to grab this extraordinary deal before someone else does. Attackers also ask users to forward messages and share social media posts with their friends and contacts. This poses a real threat to friends who treat you as a trusted contact on their social media accounts.

In addition, threat actors may seed phony links, apps or sites in email coupons and popup ads infected with malware. As soon as the victim visits a malicious website or opens a malicious popup, their computer is infected and their personal information is harvested for further abuse.

What are the most common red flags for urgent/limited supply phishing attacks?

  • Big discounts and limited supply should always be viewed with skepticism. Low prices are offered by sellers who then claim to be unavailable (e.g., they have moved to another country or are traveling). Plus, they insist on payment before the delivery of goods. The Norton information security firm suggests purchasers be on guard if the discount on goods exceeds 55%
  • Scammers start by mimicking a trusted retailer and send a phishing email that contains a malicious attachment that looks like a receipt. According to the Federal Trade Commission (FTC), scammers impersonate well-known tech or financial companies and send fake invoices claiming that you have recently purchased an item and must pay. They give you a short time to respond and ask you in the email to either cancel or dispute the purchase. As soon as the victim clicks on the link within the email, his personal information is compromised
  • Suspicious deals are often presented in sloppy English and/or on a shoddily designed website. Spelling mistakes, strange wording and grammar mistakes are common on these sites, which are often run out of countries where English is not the first language. URLs can also be counterfeited. For example, don’t enter your credentials if the site is www.ebayy.com instead of www.ebay.com
  • Be wary if contact information is suspicious or limited. For example, instead of using a corporate email address, scammers establish contact through Gmail, Yahoo or even more esoteric addresses
  • The biggest scam of all is a deal that seems too good to be true. You receive a message to purchase a time-limited offer, but when you click on the link you get an error saying that the transaction wasn’t completed due to missing login credentials and/or credit card details. If you fall for it, your confidential data will be exposed
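
The red flags listed above can be checked mechanically when triaging a reported message. The following Python is an added example, not code from the article; the retailer allow-list, free-mail list, urgency phrases and sample message are constructed assumptions, while the 55% threshold and the www.ebayy.com lookalike come from the text above.

```python
import re
from urllib.parse import urlsplit

# Illustrative lists (assumptions, not from the article); tune for your users.
KNOWN_RETAILERS = ("ebay.com", "amazon.com", "walmart.com")
FREE_MAIL = {"gmail.com", "yahoo.com"}
URGENCY = re.compile(r"limited (supply|time)|only \d+ left|act now", re.I)
DISCOUNT = re.compile(r"(\d{1,3})\s*%\s*off", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, keeping one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased hostname of a URL with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def lookalike_of(host):
    """Retailer that host is 1-2 edits away from, or None."""
    if host in KNOWN_RETAILERS:
        return None
    return next((b for b in KNOWN_RETAILERS if edit_distance(host, b) <= 2), None)

def red_flags(sender, body):
    """List the article's red flags found in one message."""
    flags = []
    if sender.rsplit("@", 1)[-1].lower() in FREE_MAIL:
        flags.append("free-mail sender")
    if URGENCY.search(body):
        flags.append("urgency or limited supply")
    if any(int(p) > 55 for p in DISCOUNT.findall(body)):  # Norton's 55% figure
        flags.append("discount over 55%")
    for url in URL.findall(body):
        host = host_of(url)
        if lookalike_of(host):
            flags.append(f"lookalike of {lookalike_of(host)}: {host}")
        if url.lower().startswith("http://"):
            flags.append("plain http link")
    return flags
# Constructed sample message, not real traffic.
SAMPLE = "Only 3 left! 70% off all electronics, act now: http://www.ebayy.com/deal"
```

Calling `red_flags("deals@gmail.com", SAMPLE)` returns all five flags. Each flag is one signal to weigh with the others, not a verdict on its own.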

Remedies: What is the cure for supplier imposter scams?

Needless to say, supplier imposter scams that offer urgent or limited supplies are dangerous and can inflict financial or information loss. However, some security measures can help avoid supplier imposter scams:

  • Avoid searching supplier websites through a search engine because scammers can lead you astray by gaming search results
  • The mantra of “too good to be true” must be verified. To this end, compare the price of your desired goods with the same goods offered by multiple other retailers
  • You should always steer clear of emails that request login credentials or billing information. Ignore any links included in such emails, as they are likely scams
  • Beware of spelling and grammar mistakes, which in most cases come from unprofessional scammers
  • Always read the supplier’s exchange, delivery, privacy and refund policies
  • Always keep abreast of the latest anti-phishing best practices to avoid phishing attacks
  • Always keep an eye on your online accounts and financial statements to spot any weird activity
  • Norton recommends not buying from new websites. Check the copyright date, and check when the domain was created through WHOIS
  • It is unwise to use suppliers’ sites that ask you to enter private information or download any software to get discount codes or coupons
  • If there is urgency in the supplier’s request, always question why
  • Before making payments, make sure the URL begins with “https://” rather than “http://”
  • Install reputable antivirus software on your devices, use firewalls and keep your operating system and browser updated regularly to protect your data
  • Use spam filters on your web browser and block all unsolicited and spam emails
  • If you are a company or supplier, train your consumers about supplier imposter scams

Conclusion

Even in non-holiday seasons, supplier imposter scams are always trending heavily. Most often, scammers offer urgent or limited supplies to trick users into taking quick actions, such as making transactions or providing personal information. They promise perks like free shipping or big discounts to win the trust of the victim.

However, some security measures can help avoid supplier imposter scams. These include remembering the principle of “too good to be true,” using spam filters and antivirus programs, and providing security training for consumers. Doing so can help prevent supplier imposter scams.

Sources

  1. 11 red flags Black Friday shoppers should watch out for, Business Insider
  2. Beware of Black Friday Phishing Scams and Malware Attacks!, WebTitan
  3. ‘I feel cheated’: Thousands of fake online stores are rushing to cash in, The Washington Post
  4. Online Shopping Scams, AARP
  5. Tips for Avoiding Online Shopping Scams & What to Do If You’re a Victim of One, GlobalSign
  6. Supplier Scams, Blink
  7. Phishing scam targets fake receipt emails, 3KMTV News Now
Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related tasks.