Busy and distracted online shoppers are prime targets for cyber scams. This season’s stressors include supply chain issues and shipping delays along with low stock and rising prices fueled by increased consumer demand. Predictably, cyber criminals will capitalize on these factors, and their social engineering methods are becoming more sophisticated.
Hybrid Phishing
Cyber criminals are increasingly running multi-step phishing scams in which the phishing email or SMiShing text is only a pretext: its real job is to get the target onto the phone, where the vishing (voice phishing) takes place.
Avanan reported that scammers are attempting to obtain credit card or banking details by spoofing an Amazon order confirmation:
- Scam begins with an email that imitates a legitimate Amazon order confirmation for a high-priced item meant to compel the recipient to act. A contact telephone number is included. The email comes from a Gmail account, which is a clue that it is a scam.
- Clicking the link takes the consumer to the real Amazon site, but the telephone number listed in the email is not associated with Amazon. When called, it rings without being answered.
- Several hours later the target receives a callback from a scammer-controlled call center in India, though the caller ID likely shows a United States area code.
- The scammer claims they need the credit card number and CVV (card verification value) to cancel the order.
- If successful, the attacker profits from the card details and also harvests a confirmed, answered telephone number for future vishing or SMiShing cons.
Krebs On Security reports that fraudsters are sending text messages about suspicious bank transfers as pretexts for vishing:
- The target receives a text purporting to come from their bank, asking whether they authorized a payment from their account and requesting a reply of “Yes” or “No,” or 1 to decline future fraud alerts.
- As soon as a reply is received, the scammer calls the target with the caller ID spoofed to show the financial institution's number. They claim to be from the fraud department and request account information to “confirm” that they are speaking with the account owner and not a scammer.
- Presumably, the information collected is used to set up new financial accounts in the victims' names to receive large wire transfers of stolen funds.
If you find yourself in a similar situation, do not respond to the unexpected text. Instead, contact the organization using a telephone number obtained from its actual website, never one supplied in the message.
Holiday Ploys
Threat actors will undoubtedly take advantage of supply chain issues by creating fake websites and selling non-existent merchandise. Inventory issues are being compounded by Grinch bots, software programs that fill out purchase forms and buy up hot holiday items faster than any human shopper can. Many of these items are then re-sold at higher prices by third parties.
Fake shipping notifications are an annual holiday tradition. Krebs On Security reported an elaborate SMiShing scam that spoofs FedEx to steal personal and financial information:
- A text message containing a phishing link is sent indicating that a package could not be delivered. On mobile devices the link leads to an authentic-looking FedEx page with a phishing button labeled “Schedule new delivery.”
- When the button is clicked, name, address, phone number, and date of birth are requested.
- When the “Next Step” button is clicked, a request for a payment card to cover a redelivery fee appears.
- When the “Pay Now” button is clicked, the visitor is prompted to verify their identity by providing an SSN, driver's license number, email address, and email password. Scrolling down the page reveals working links to real FedEx website resources, including the security and privacy policies.
- After the “Verify” button is clicked, the scammers redirect the target to the real FedEx website.
Be cautious of phishing and SMiShing scams that use fake shipping notifications and tracking alerts. Instead of clicking a link, go to the carrier's or merchant's website directly and look up the tracking number there to determine whether it is valid. Also carefully inspect “Missed Delivery” tags left at your door to ensure they are authentic; fake tags requesting a telephone call to reschedule delivery may be a ploy to collect personal information.
Proof of Vaccination Attacks
A survey conducted by Tessian found that 35% of United States citizens had received a proof-of-vaccination phishing email this year. Subject lines included “IMPORTANT” or “OFFICIAL” to convey a sense of urgency. Clicking the link or attachment directed victims to a web page that demanded PII (personally identifiable information) along with credit card or banking details in order to obtain the proof of vaccination.
Be Wary of All Unexpected Communications
The Federal Bureau of Investigation (FBI) recently acknowledged that a hacker had exploited a software misconfiguration to send thousands of phony emails warning of a cybersecurity attack directly from the FBI's own email servers. According to the FBI, no PII was accessed or compromised. The lesson is that a message arriving from a genuine sender domain is not, by itself, proof that the message is genuine.
Security Best Practices
As you can see, tactics constantly evolve. Good cyber hygiene is critical every day, not just during the holidays. Hopefully, many of these basic practices have already become habits:
- Be suspicious of all unsolicited emails, text messages, or voice messages. Do not respond to them.
- NEVER click on links in emails or text messages.
- ALWAYS open a browser and hand-type the website address.
- Carefully check app names, website addresses, and email addresses. Scammers register names that differ from the legitimate ones by only a character or two (a swapped letter, a digit in place of a letter, an extra hyphen, a look-alike character from another alphabet, or the real brand name placed in front of a completely different domain) to redirect people to malicious websites.
- Shop online from home, and verify your wireless network is protected with a password and current encryption (WPA2 or WPA3).
- Before entering payment details, confirm the address bar of your browser begins with https:// (not “http://”). The “s” stands for secure and indicates that the data being transmitted is encrypted in transit. However, neither https:// nor the small lock icon says anything about who runs the site: certificates are cheap or free, and cyber criminals routinely obtain them for scam websites, so the lock only means your connection to the scammer is encrypted.
- Confirm retailers are legitimate, shop at websites you trust, and bookmark them.
- Use a credit card instead of a debit card. Most credit cards have built-in fraud protection, and a disputed charge does not drain your bank account while it is investigated. Any suspicious activity should still be reported immediately.
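The “slightly modified” addresses in the list above are easy to describe and easy to miss by eye. The following Python checker, added here as an example and not taken from the article or from any vendor mentioned in it, applies the usual checks a mail filter or browser extension would use: it folds look-alike characters (Cyrillic letters, digits, the “rn” for “m” trick) into an ASCII skeleton, looks for a trusted brand used as a subdomain of someone else's domain (amazon.com.order-verify.net), for a brand name padded with extra words (fedex-redelivery.info), and for one-character typos. The allow-list of brands, the homoglyph tables and the sample URLs are all assumptions constructed for the demo; it also deliberately omits a public-suffix list, so two-part suffixes such as co.uk are not handled.

```python
"""Lookalike-domain checker (added example; not code from the article).

Assumptions: a small allow-list of protected brands, partial homoglyph
tables, and no public-suffix list (so 'co.uk'-style suffixes are not handled).
"""
import unicodedata
from urllib.parse import urlparse

# Assumed allow-list of brands the checker protects.
TRUSTED_DOMAINS = {"amazon.com", "fedex.com", "paypal.com"}

# Partial homoglyph table: Cyrillic/Greek letters that render like Latin ones.
UNICODE_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l", "\u03bf": "o",
})
# ASCII tricks: letter pairs and digits that look like another letter.
# 'rn' must be folded before single characters so 'arnazon' becomes 'amazon'.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
                     ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode so homoglyphs are visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def skeleton(host: str) -> str:
    """ASCII skeleton of a hostname: IDN labels decoded, homoglyphs folded to Latin,
    accents stripped (NFKD), hyphens dropped, digit/letter-pair tricks collapsed."""
    labels = [decode_label(part) for part in host.lower().strip(".").split(".")]
    text = ".".join(labels).translate(UNICODE_CONFUSABLES)
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = text.replace("-", "")
    for bad, good in ASCII_CONFUSABLES:
        text = text.replace(bad, good)
    return text


def registrable(host: str) -> str:
    """Last two labels of a host, e.g. 'www.amazon.com' -> 'amazon.com'."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().strip(".")
    if not host:
        return "unknown", "no hostname in URL"
    if registrable(host) in TRUSTED_DOMAINS:
        return "trusted", "registrable domain is on the allow-list"
    skel_reg = registrable(skeleton(host))
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        # 1. Swapped characters collapse to the brand: amaz0n.com, arnazon.com, Cyrillic a
        if skel_reg == brand:
            return "lookalike", f"confusable characters for {brand}"
        # 2. Brand used as a subdomain of someone else's domain: amazon.com.order-verify.net
        if "." + brand + "." in "." + host + ".":
            return "lookalike", f"{brand} is a subdomain of {registrable(host)}"
        # 3. Brand padded with extra words: amazon-orders.com, fedexredelivery.info
        if name in skel_reg.split(".")[0]:
            return "lookalike", f"'{name}' embedded in {registrable(host)}"
        # 4. One typo away from the brand: amazn.com, amazonn.com
        if levenshtein(skel_reg, brand) <= 1:
            return "lookalike", f"one edit away from {brand}"
    return "unknown", "not on the allow-list and no resemblance to a protected brand"


if __name__ == "__main__":
    # Constructed sample links of the kind used in the scams described above.
    for sample in ["https://www.amazon.com/your-orders",
                   "http://amazon.com.order-verify.net/cancel",
                   "https://arnazon.com/",
                   "https://fedex-redelivery.info/schedule",
                   "https://am\u0430zon.com/",
                   "https://example.org/"]:
        print(sample, "->", classify(sample))
```

Note that check 3 (brand name embedded in a longer label) is the one most prone to false positives with short brand names, and that “unknown” is not “safe”: it only means the host neither is nor resembles one of the protected brands, which is exactly why the advice above is to type the merchant's address yourself rather than to trust a link.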