The annual chaos of Black Friday and Cyber Monday sales is nearly upon us, as evidenced by the blizzard of emails from favorite retailers and others that have already hit our inboxes.
While you might be tempted to jump on what looks like an amazing deal on a must-buy holiday gift, security experts warn that there are dangers lurking in that storm, with scammers and other online Grinches looking to take advantage of people who don’t think before they click.
Just about everyone is shopping online now. According to a survey done by the cybersecurity company McAfee, 76% of Americans plan to shop online this holiday season, and 30% say they plan to do more online shopping than in previous years.
Shoppers also have come to expect ridiculously good deals over the Black Friday weekend, and they’re well aware that with every day that passes, there’s one fewer deal to help get everyone crossed off their holiday lists. Couple that mentality with tough economic conditions, including high inflation, and you get a large number of people ready to pounce on anything that looks like a good deal.
Michael Jabbara, vice president and global head of fraud services for Visa, says cybercriminals understand that and want to capitalize on that behavior, as they look to steal credit card numbers, login credentials and other personally identifiable information from consumers.
“You have this perfect confluence of events that make the holiday season a perfect time for fraudsters to strike,” he said.
That can have dire consequences. Thirty-six percent of Americans polled in the McAfee survey reported being the victim of an online scam during a previous holiday season, and three-quarters of those victims lost money as a result.
That may seem daunting. But just as Rudolph’s bright red nose lit the way for Santa Claus, a few basic precautions will help keep you safe as you weather the digital scam storm. Here are a few recommendations from experts on how to shop safely for the holidays.
Check your list (and credit card and bank statements) more than twice
Keep an eye on your bank and credit card accounts. It’s good not only for security but also for keeping track of your spending.
You can make this task easier by limiting your holiday shopping to a single credit card and email address. Doing so will also reduce the risk of falling for a phishing scam if one comes to your other email accounts.
Don’t use your debit card for purchases. Your bank will help you recover money if your account is compromised, but it’s a lot easier to quickly get charges reversed when a credit card number is stolen.
Don’t be tempted to pay for your purchase with cryptocurrency. By design, crypto is intended to be anonymous and extremely hard to track. If someone steals it, it’s probably gone.
Requests for payment with retail gift cards should also be looked at with suspicion. They also can’t be tracked and can be easily converted into cash or merchandise by cybercriminals.
Don’t be a feast for the phishers
Just like in past years, volumes of spam and scam emails are already on the rise. Experts at the cybersecurity company Bitdefender say they’ve seen steady increases since the start of November, and they expect rates to continue to increase through the Black Friday week.
While the majority of the Black Friday-themed junk emails picked up by the company’s filters between Oct. 26 and Nov. 13 were classified as just spam emails from legitimate companies, 46% were deemed to be scam-related, Bitdefender researchers said.
The fear is that shoppers could click on a link in a malicious email that would take them to a fake website that would then collect their personal or financial information, putting them at risk of financial fraud or identity theft.
Big jumps in phishing emails during the holiday shopping season aren’t a new thing. What concerns experts most is that the emails have become much more sophisticated and customized in recent years. As consumers have shifted more toward online shopping, they have become aware of the risks it involves, which has forced scammers to up their game, Jabbara said.
Low-cost, automated technology can make phishing emails both more natural sounding and more contextually relevant. On top of that, experts worry that the rise of increasingly powerful and available generative artificial intelligence tools will supercharge both the scale and the perceived legitimacy of those emails.
Meanwhile, although security technology has also improved, it can’t do much to stop people from clicking on things they’re convinced are legitimate.
As in past years, many of the scam email campaigns spotted by Bitdefender so far this year impersonated big players in retail, including Amazon, Walmart, Target, Kohl’s and Lowe’s. Researchers from both Bitdefender and fellow cybersecurity company Check Point also pointed to an uptick in scam emails promising shoppers amazing deals on luxury bags and accessories from brands like Louis Vuitton, Ray-Ban and Rolex.
Others have taken the form of shipping notifications complete with barcodes that look like they’re from FedEx or UPS, something that online shoppers are very used to receiving this time of year.
When it comes to all of those shipping notifications, if you’re worried about authenticity, go directly to the shipper’s website and copy and paste the tracking number into it. Don’t click on links or open attachments, no matter how tempting or urgent they might seem.
Just a heads-up: Phishing isn’t limited to email these days. It also increasingly comes in the form of text messages, social media posts, phone calls and even QR codes. If they’re unsolicited, ignore those too.
Is that Santa? Or just the Grinch in disguise?
Sure, you can Google around if the major retailers don’t have what you want in stock, but make sure you’re dealing with a legitimate business. Be especially skeptical of ads that pop up in your social media feeds touting amazing, limited-time offers.
Like the saying goes: If something seems too good to be true, it probably is.
“It’s a bit cliche, but I think many of these crimes would be prevented if people just kept that in their heads,” said Iskander Sanchez-Rola, director of privacy innovation for Gen, the company behind the Norton consumer security software.
An offer of a $200 iPhone, for example, may seem enticing, but shoppers need to stop and consider the possible legitimacy of that kind of deal before they hand over their personal information or credit card number, he said.
Elf on the Shelf isn’t the only one watching, but does that really matter?
The internet has changed a lot in recent years. Any site worth its salt is now encrypted, which means if someone did intercept your web traffic, for instance by logging on to the same Wi-Fi as you at the neighborhood coffee shop, it would be scrambled and useless.
For that reason, many security experts say a virtual private network, or VPN, which masks people’s location in addition to encrypting their data, is overkill for most folks.
But both Jabbara and Sanchez-Rola say that while the chance of the average person being attacked online by a cybercriminal is remote, there’s always the chance that they could accidentally connect to a malicious Wi-Fi network, especially in busy places like a shopping mall or airport, which could put their data at risk of being captured. In that kind of situation, a VPN would prevent it.
Regardless, basic cybersecurity precautions, which you should be doing all year round, are a must if you want to ward off a visit from a cyber Krampus.
Make sure your devices and online accounts — bank and credit cards, emails, social media, shopping-website logins, and so on — are locked down before you start shopping. Update your operating systems, antivirus software and all your apps.
All of your online accounts need strong, unique passwords. If you need help, use a password manager. Two-factor authentication, which requires a second identifier like a biometric or push notification sent to your phone, should always be enabled when available.
If you’re still worried about the security of the free internet at your local store, use the cellular connection on your smartphone instead. It’s a lot more secure than just about any Wi-Fi connection out there.