As holiday shopping takes off, hackers cash in with Black Friday scams. Nothing ruins holiday cheer like being phished, clicking on a malicious link, or entering your credit card information into a spoofed website.
The holidays can be a busy time for shoppers and hackers alike. Black Friday and its newer cousin, Cyber Monday, are major economic events. Just last year, Americans spent roughly $5 billion in the 24 hours that make up Black Friday. Cyber Monday was even bigger: Americans spent over $6 billion in online purchases. Naturally, numbers like these attract the attention of all kinds of hackers, eager to take advantage of shoppers trying to get an early jump on their Christmas shopping.
We will discuss some of the hackers’ favorite techniques to seize your financial information — and what you can do to protect your online data.
Phishing is a popular method of defrauding users because it only requires some social engineering knowledge and the ability to write a convincing email. Given that people are already primed to spend money during the holidays, the scammers’ work is already half done.
Phishing attacks can range from emails offering incredible Black Friday sales, to offering free gift cards if you fill out a survey, to fake support emails claiming that you missed a delivery. Generally, these fakes try to impersonate well-known brands to gain your trust. In the past, Amazon, Walmart, and Kohl’s have been used in phishing scams.
While more technically demanding than crafting a phishing email, creating a convincing clone of an official retailer’s site is still fairly simple. Hackers will create websites that look just like Amazon and use incredible deals to tempt you into entering your credit card information.
While the quality of the spoofs varies, from fake sites being littered with grammatical errors to clones that are nearly indistinguishable from the real site, the easiest way to spot a spoof is to check the URL. Check for .com rather than .net or .co, and watch out for similar characters, like “0” instead of “o”.
Another common tactic to stay alert for is malicious ads. Creating convincing ads is even easier than creating a genuine-looking website. Particularly skilled scammers can even get their ads placed on major platforms such as Google. The holidays see a surge in fake ads and, unfortunately, they can be hard to verify.
The best advice to give regarding fake ads is to simply avoid clicking on ads in general. If you are interested in a deal in an ad, the safest thing to do is to navigate to the retailer’s website yourself and find it there.
How to protect your data against Black Friday scams:
- Inspect all links before clicking: When evaluating promotional emails or ads this holiday season, be sure to inspect the hyperlinks before clicking on them. You can do this by hovering your cursor over the hyperlink without clicking on it. The URL for the link will pop up, usually in your browser’s bottom left corner. If the URL is not for the same company that sent you the email or if it looks suspicious, do not click on it. Also be very suspicious of any links you find via social media, especially shortened URLs that are much harder to evaluate yourself.
- Do not share your data unnecessarily: If an email is requesting that you respond with personal or financial information, treat that as a red flag. Never share sensitive data with corporations via email. Furthermore, you should never need to share more than your name, address, and phone number when shopping online. There should never be privacy or security questions when you are checking out.
- Find the deal yourself: If you are interested in one of the promotions in an ad or an email, it is much safer if you go directly to the retailer’s website in your browser and search for your desired product rather than clicking on the ad or the link in the email itself.
- Make sure the website you are on is secure: Before entering any sensitive information — name, address, or credit card numbers — into a website, ensure that the website is using encryption and verify its certificate. A website is encrypted if its URL begins with “https:” rather than “http:” and there is a green padlock next to the URL. By clicking on this padlock you will bring up the website’s certificate. Verify that the certificate: comes from a trusted source, such as VeriSign, Symantec, or Entrust; has been issued for the organization that owns the website you are on; and is only valid for a year or two.
- Use verified apps: If you are shopping on your mobile device, be sure to only make purchases via apps downloaded from the official app marketplaces, such as Google Play or the Apple App Store. Even then, be skeptical of new or recently released apps that claim to be from a major brand. Each holiday season sees a new batch of fake apps flood the market, while most major retailers have had their apps out for several years now.
- Protect your Internet connection: The best way to do this is to use a VPN service. This prevents a malicious WiFi hotspot or DNS server from redirecting you to a phishing page if you are on an untrusted network. By using a VPN, you prevent any hackers from monitoring your online activity, especially when using public WiFi.
- Set up credit card alerts: Given the additional risk of a hacker stealing your credit card data, it is not a bad idea to set up a purchase alert with your credit card company. They can send you an email or SMS every time your card is charged. Be sure to set the limit as low as possible so that hackers cannot rack up hundreds of $19.99 charges undetected.
- Have some healthy skepticism: If you find an incredible deal or if an unbelievable offer is emailed to you unsolicited, there is a good chance you are being scammed. If an ad offers an outrageous deal, do not click on it. Try to find it at that company’s site yourself. Remember, if a deal looks too good to be true it probably is.
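The URL checks described above (wrong ending such as .co or .net, “0” in place of “o”, shortened links, and links that do not belong to the company that sent the email) can be automated for an HTML email. The following Python sketch is an added example, not part of the original article. The retailer list, shortener list, look-alike digit map and the two-label `site()` shortcut are assumptions, and the sample email is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for this example: the shopper's usual retailers and some shorteners.
TRUSTED = {"amazon.com", "walmart.com", "kohls.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
CONFUSABLE = str.maketrans("0135", "oles")  # digits standing in for letters

def site(host):
    """Naive registrable domain: the last two labels of the host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand(domain):
    """First label with look-alike digits folded back to letters."""
    return domain.split(".")[0].translate(CONFUSABLE)

def check_url(url, sender_domain):
    """Return the warnings a careful reader would raise for one link."""
    parts = urlsplit(url)
    dom, warnings = site(parts.hostname or ""), []
    if parts.scheme != "https":
        warnings.append("not https")
    if dom in SHORTENERS:
        warnings.append("shortened URL")
    elif dom not in TRUSTED:
        # Same brand label as a trusted site, but a different domain.
        warnings += [f"look-alike of {t}" for t in sorted(TRUSTED) if brand(t) == brand(dom)]
    if dom != site(sender_domain):
        warnings.append("not the sender's site")
    return warnings

class Hrefs(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.found.append(href)

def audit_email(html, sender_domain):
    """Map each link in the email body to its list of warnings."""
    parser = Hrefs()
    parser.feed(html)
    return {h: check_url(h, sender_domain) for h in parser.found}

# Constructed sample: an HTML email claiming to come from amazon.com.
SAMPLE = ('<a href="https://www.amazon.com/deals">Shop</a>'
          '<a href="http://amaz0n.com/login">Sign in</a>'
          '<a href="https://amazon.co/gift">Gift card</a>'
          '<a href="https://bit.ly/EXAMPLE">Survey</a>')
```

Calling `audit_email(SAMPLE, "amazon.com")` returns an empty warning list only for the genuine link. A production version would use the Public Suffix List instead of `site()`, which mishandles endings such as .co.uk.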
Take some additional time while shopping to remember the eight tips above and have a happy holiday season!
The ProtonVPN Team