Holiday Season Cybersecurity Scams and How to Avoid Them
Holiday Season Cybersecurity Scam Awareness
The holiday season has arrived, and in this period, cybercriminals intensify their operations in order to monetize shoppers’ exposure to online fraud and scams.
The Department of Homeland Security (DHS) recently issued a security alert to warn U.S. consumers about malicious campaigns and scams that are common during the holiday season.
See Infosec IQ in action
"As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online," reads the alert published by the CISA agency.
"Cyber actors may send emails and ecards containing malicious links or attachments infected with malware or may send spoofed emails requesting support for fraudulent charities or causes."
Europol has also issued a warning about holiday-themed fraud, focused on ticket scams.
In this period of the year, it’s quite easy to fall victim to criminals that take advantage of the holiday season by using themed scams in online advertisements, phishing emails, misleading sales calls and text messages.
In many cases, scammers use holiday-themed phishing messages while pretending to be from popular brands or online stores like Amazon. Scammers may send victims fake order confirmations via email with malicious attachments or share links to phishing messages that promise special discounts to users that provide their personal data via a specially designed online form.
Law enforcement agencies and security firms recommend that consumers be cautious while shopping online during the holiday season. Fraudsters can attack them by intercepting insecure transactions, targeting unpatched systems, creating cloned sites and using scam email messages to harvest their financial and personal info.
Which are the most common holiday scams?
The types of holiday scams are only limited by the criminal’s imagination. However, some fraud patterns are well known, and it is important to share information with customers to recognize them. Here are just a few examples of holiday scams:
Bogus shipping notifications
During the holidays, users tends to be more active online. The number of gifts and products bought online spikes in this period of the year and people receive many more shipments. Criminals are aware of this and send out phishing emails that pose as shipment notifications.
The fake shipping notifications may use a malicious attachment or include links to a phishing page designed to trick victims into providing their personal information (e.g., login credentials for a fake login page). The malicious attachments are weaponized Office documents that pretend to be order details.
Bogus gift cards and coupons
Another popular scam consists of sending victims fake coupons and gift cars and tricking them into providing personal and financial information. Lure emails could include links to malware downloaders or redirect victims to phishing pages.
Charity fraud consists of getting money from people who believe they are making donations to charities. Attackers send messages to people, or make unsolicited phone calls, posing as members of a charity organization and asking donors for contributions to charities that don't exist.
During this period, groups of criminals adopt high-pressure tactics to trick victims into making immediate donations. Scammers send phishing emails that include links pointing to fake charity organization websites. Other attack scenarios see the criminals calling the victims and tricking them into providing financial information to complete a donation.
Below a list of signs that could be associated with a scam:
- The organization refuses to give clear details about its mission, identity, associated costs or how the donations are used
- The organization doesn’t provide proof of its tax-deductible status
- The organization uses a name that is very similar to a reputable, better-known organization
- Users receive thanks for donations that you don’t remember giving
- The organization uses high-pressure methods to urge recipients to donate immediately without giving you ample time to research
- The organization asks for cash-only donations or a money wire
Fake accommodation listings and fake plane tickets purchased online
The number of travel-related scams increases during the holiday season, from fake discounted prices for flight tickets to fake ads for private residences and luxury villas for rent.
In the latter case, the criminals offer properties that don’t exist or that are owned by unaware people that never offered them for rent. These properties are also offered on popular platforms such as Airbnb; for this reason, Airbnb prohibits hosts from asking users to pay them using something other than the site's built-in payment page. In some cases, scammers asked users to wire them money outside the Airbnb platform.
Cybercriminals also attempt to monetize their efforts by offering discounted flight tickets that were purchased with stolen payment card data.
Recently, an international operation conducted by law enforcement to fight fraudulent online purchases of flight tickets resulted in the arrest of 79 people as part of the Global Airline Action Days (GAAD).
“Fraudsters use fake online adverts, bogus sales calls, emails, text messages and instant messaging offering incredibly cheap rates to tempt you into booking a holiday or purchasing a service. If the price is too good to be true, it probably is,” reads a post published by Europol.
The website may be suspicious if:
- There are only a few details and pictures of the property or hotel
- Online reviews aren’t favorable or don’t exist at all
- You are requested to pay in cash; via bank transfer, such as with MoneyWise or Western Union; or even virtual currencies like Bitcoin
According to Europol, “These payment methods are difficult to trace and are not refundable (remember: criminals need to monetize the stolen card details of other victims and you could be part of this plan).”
How to stay safe online during the holiday season
Below a list of measures users can take to defend against holiday scams:
- Be careful when opening attachments or clicking links in unsolicited email messages
- Use caution when shopping online
- Verify a charity by contacting organizations like Charity Navigator or CharityWatch
- Be careful when clicking on any emails, instant messages or social media posts that claim to be offering tickets
- Only buy tickets from the venue’s box office, the promoter, an official agent or a well-known and reputable ticket exchange site
- Buy gifts only from official and trusted websites and check that they use a secure payment system and the secure communication protocol (HTTPS)
- Pay special attention to the website name and domain. Small changes in the name or domain can direct you to a completely different company
- Always pay by credit card. Other payment methods such as debit card, cash or money transfer services are not secure
Shopping Safely Online, CISA
Phishing simulations & training
Protect Your Identity From Holiday Charity Scams, The Balance