Cybercriminals love the Christmas season, not only because people are shopping more, spreading their card numbers across the World Wide Web and the often insecure networks of physical stores, but also because shoppers are overburdened and stressed out. That stress makes them easier targets for “social engineering” holiday scams, ranging from phishing emails to phone fraud.
Just as big-box retailers count on Christmas to keep their companies in the black, so too do many criminal gangs, and they have no shortage of tricks for doing so.
Here are the top holiday scams to watch out for this season:
Formjacking
It is a common assumption that if a website shows a tiny padlock symbol in the address bar, it must be safe. True? Not exactly. The padlock only means that the connection to the site is encrypted and that the certificate matches the domain in the address bar; it says nothing about whether the page’s own code has been tampered with.
One attack which you could say exploits this trust is “formjacking” (also known as a digital card skimmer).
Formjacking involves compromising the checkout page of a legitimate retailer by slipping in through the back-end platform or supply chain, for example a third-party script the page loads. A malicious script hides on the page and waits for the visitor to type information into the order form, such as the credit card number. It instantly scoops this information up and sends it to the attacker, even before the person clicks the ‘complete order’ button to process the transaction. Because the script runs on the retailer’s own page, the padlock is still displayed and the purchase goes through normally, so the victim usually learns of the theft only when the card is misused.
More criminal groups are now using this attack, according to reports by RiskIQ and Symantec. Dozens of sites are believed to have been compromised, including well-known brands like Ticketmaster, SteinMart, Newegg, British Airways and the widely used rating service Shopper Approved.
Fake e-tailers
Scammers often spoof well-known retailers to steal their customers’ account logins or to infect them with malware.
Cybercriminals have become very adept at imitating prominent brands, so don’t think you’ll always be able to tell a fake website from a real one. Scammers will also use “keyword stuffing” and other tricks to get a fake site to pop up in search engine results during the holidays, further enhancing its credibility. They will also promote fake sites via social media campaigns, bogus online deals and coupons, and phishing emails.
The best way to tell if a retailer has been spoofed is to look at the URL. Generally speaking, hackers can’t use the retailer’s actual web address, so they will try to imitate it instead. One common trick is to replace certain letters with numbers (the numerals “0” and “1” look very similar to letters “o” and “l”). See how easily this blends in: Kohls(dot)com becomes Koh1s(dot)com.
Another popular tactic is called “combosquatting.” This is when a hacker adds words or punctuation to the retailer’s real web address in order to change the actual domain. For example: Macys(dot)com could be changed to deals-Macys(dot)com, Macysdeals(dot)com or Macys(dot)deals(dot)com, all of which create a new, non-Macy’s domain (the last one is really a subdomain of deals(dot)com, which the retailer does not control).
Criminals will also register the misspelled domains of popular websites, in what is known as “typosquatting.” This means that if a person mistypes the URL, they will land on a malicious site instead of an error page. For example: Targrt(dot)com.
Shimming
Just as we’ve all finally gotten wise to card-skimmers, the criminals have changed the game again.
While card-skimmers are still seeing plenty of action, there is a newer, stealthier version called the “shimmer.” Whereas a skimmer is fitted over the slot of a card reader, the shimmer is a paper-thin circuit board inserted inside the reader, sitting between the card’s chip and the terminal’s contacts, which makes it far harder to spot. To make matters worse, a shimmer records the data exchanged with the card’s smart chip, which undermines some of the security these “chip-and-PIN,” or EMV, cards were meant to provide. A shimmer cannot produce a working clone of the chip itself, but the captured data can be abused to create magnetic-stripe copies wherever stripe transactions are still accepted and the issuer does not check that the stripe data originated from a chip.
Smishing & cardless ATM fraud
Phishing now targets more than just email inboxes.
SMS phishing, or “smishing,” is when criminals use text messages instead of email to trick consumers into sharing sensitive information or clicking on a malicious link.
During the holidays, expect to see a rise in smishing attacks masquerading as urgent bank, retailer or shipping alerts for shoppers, such as account overdrafts or missed deliveries.
One new and especially risky attack is “cardless ATM” fraud. This takes advantage of the cardless ATM services many banks have started rolling out, which let a customer withdraw cash using the mobile banking app instead of a physical card. Ironically, a key reason why banks are offering this service is to help reduce the risk of card-skimming at ATMs. However, the new feature has created a fraud of its own: anyone who holds a customer’s online-banking credentials can now withdraw cash without ever touching a card.
Earlier this year, Fifth Third Bank’s customers were scammed out of $100,000 after criminals stole their account credentials through a smishing scheme. The victims were sent fake text alerts which claimed to be from the bank, warning them that their accounts had been locked. The message included a link to unlock the account, but it was actually a fake website run by the criminals. Over 100 customers fell for this trick and logged into the fake site. The criminals then used their credentials to withdraw cash through the bank’s cardless ATM service.
Criminal call centers
Boiler room telemarketing and other phone scams have been around for decades, but the criminal call center is a different game altogether.
Scammers often use this as “air support” for phishing and smishing campaigns. The phishing email or text message may include a toll-free number to call for help, or the call center may contact you directly after a phishing attempt, in order to add legitimacy and a sense of urgency to the request. These calls increase sharply over the holidays, as scammers prey upon shoppers’ fears of canceled Amazon orders, missed shipments, overdrafts and more.
Caller ID spoofing is typically used to mask the real phone number and impersonate a legitimate company or agency, like the IRS. Many of these call centers are highly professional, with well-trained staff, and they may even hire people with specific accents to seem more believable.
Virtual money scams
Hackers don’t just want your credit card this holiday season — they’re also increasingly interested in stealing virtual money, like airline miles and rewards points.
A report this fall from Comparitech noted that frequent flyer mile theft is on the rise, with half a dozen criminal online marketplaces selling these stolen virtual goods. Criminals can sell these stolen miles for cash or gift cards, or transfer them to another account.
Hackers are also targeting in-game currencies like Fortnite’s V-Bucks, which will be especially popular over the holidays. The scams are typically fake offers for V-Bucks, in order to trick gamers into sharing their account credentials, personal or financial information, or making online payments.
Security advice for holiday scams
Although cybercriminals are constantly changing their tactics, there are a few basic ways to stay safe.
First, never share sensitive personal or financial information during an unsolicited phone call; if the caller claims to be your bank or a retailer, hang up and call back on the number printed on your card or statement. Likewise, no matter how urgent the demand may seem, don’t click on links sent via email or SMS that ask you to confirm account information or credit card numbers. And don’t visit retail websites via shared links, whether these come from email, SMS or social media; type the address yourself or use a bookmark you created.
Additionally, double-check the web address of the site you’re on. Is the registered domain exactly the retailer’s, or has something been added, swapped or misspelled? Furthermore, always shop online with a credit card instead of a debit card: credit cards carry stronger fraud liability protections, and a fraudulent debit charge drains your actual bank balance while you dispute it.
Consumers should also check out these tip sheets on how to beat the scammers: the Federal Trade Commission’s “10 Things You Can Do to Avoid Fraud” and the Better Business Bureau’s “10 Steps to Avoid Scams.” Most holiday scams only work if we fall for them.
Lastly, practice good cyber hygiene all year round by keeping your computer’s software and antivirus up to date, always using strong, unique passwords, adding two-factor authentication wherever possible, and avoiding unencrypted Internet connections.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.