There is no annual holiday for cybercrime, in fact, this is the time of year that it truly escalates. Scouring the web for the best deals, gifts and rewards could be opening your doors to cyber crooks that put huge amounts of effort to profit from the holiday shopping frenzy. Even the most trusted retailers are experiencing problems, Macy’s breach.

This annual holiday fraud cycle has firmly established itself in recent years, widely supported by cybersecurity researchers. Phishing criminals follow the money and now we have Black Friday and Cyber Monday behind us they aren't easing up. Last-minute shoppers are pouring many thousands of dollars into online shopping channels.

Cybercrime is at its peak during the key holiday shopping period, but the hustle and bustle of transactions continue well after Christmas. Post-Christmas sales and offers provide cybercriminals with opportunities to capture payment data and attempt fraudulent transactions. They are looking for a profit through a number of different attack methods.

Phishing

What is phishing? The word ‘phishing’ pretty much has a similar meaning to ‘fishing’ i.e. a bait to lure victims. It could be an email, telephone call, or a text, which supposedly comes from a trustworthy source. Cybercriminals use banks, payment processors or retailers, at times even by hacking a colleague or friend. The emails or messages are often credible enough to deceive the recipient into clicking on a link which could then release malware in the form of viruses, worms, Trojans or bots onto the recipient’s computer or lead to a fake website.

The use of e-commerce phishing URLs for 2019 has more than doubled since its peak in 2018. The holiday lures are extraordinarily high, with cyber attackers trying everything from order confirmation scams in email and SMS to enticing promotional offers.

How To Protect Against Phishing.

Never Follow Links

• There is no guaranteed way to detect phishing but remember, if there is even the slightest suspicion that the email may not be quite right, do not click on any links within.

• Always check the website address directly in your browser, DO NOT click the link in the email.

Check the Sender

• If the part after the @ in an email address doesn’t match the supposed sender, it's FAKE!

• Let's say you receive a ‘PayPal’ email from paypal@emails.com or the URL is misspelled as www.paypa1.com or similar, it's FAKE!

• Some of the most respected and popular companies in the world have website impersonators including Facebook, Google, DropBox, and PayPal.

Emotional Blackmail

• Phishing emails almost always contain the same kind of content and requests. Sometimes, they ask you to update your user account or password.

• Sometimes they use psychology to get you to react, like notification of a lottery win, or a once-in-a-lifetime business opportunity, or an appeal for a donation to a charity (very popular at Christmas).

Banks Will Never

• Ask for your passwords or PINs to be sent by e-mail or text.

• Ask to authorise the transfer of funds to a new account.

• OR ask you to meet a bank representative at your home to collect cash, bank cards or anything else.

Beware Of Attachments

• If unknown file extensions or a PDF file appear as an e-mail attachment is an indication that something is wrong, especially if you haven’t had any previous dealings with the sender.

• If the email appears as an image, it is very clear it's FAKE!

Email Signature

• Most businesses address their clients by name, if the name is missing, misspelled or if there is no name at all and it just says something like ‘Hey’ or ‘Dear Customer’, it could be an indication that this is a fake email.

Control

• Regularly check your bank statements, looking for any potentially serious consequences of a phishing attack. Any suspicious or unknown transactions should be reported immediately to the bank or credit card company.

• Keep yourself up-to-date with the latest scams.

• Take the time to regularly research ways to protect your digital safety. If you hear that a service provider has been hacked, be sure to follow their instructions and change your password.

Use Only Secure Websites

• For ANY online transactions, go directly to the website, don't click the links. If the special offer is genuine, it will be available on the website.

• Look for a sign that the site is secure, such as the padlock icon on the browser’s status bar or an “https” URL where “s” stands for “secure”, not "http".

• Protect your computer with a firewall, spam filters, anti-virus, and anti-spyware software. Research what's best for you and ensure you have the most up-to-date software. Update them all regularly to ensure that you are blocking new viruses and spyware.

Do Not Click In Haste

• Phishing emails often put pressure on you to act quickly. They may threaten that something bad will happen, state you will miss out on something very important.

• A bogus bank may warn you that your account will be closed unless you act quickly.

• A company might tell you that you have won a major cash prize, but only if you can claim it in the next 24 hours.

• DON'T act in haste, take your time to satisfy yourself that the message is genuine.

Genuine Messages = No Threats

• Many phishing scams will try to trick or persuade people into handing over sensitive information, some use fear and intimidation to scare their victims.

• A threat may appear to send an embarrassing video or photo to contact unless a ransom is paid. Take a breath, calm down and think rationally, DO NOT react immediately to an email.

Be Aware Of;

• Promo Scams - Domain Impersonation: Phishing can be very convincing when it comes to domain impersonation that appears as a real e-commerce site, both big and small brands. Many of them are also tied into social media impersonation offering ‘unbeatable’ deals. After all who doesn't want a diamond ring just for the price of postage?

• Credential Stuffing: Automated bots can try credentials stolen from one site on a bunch of other different sites in case the victim reuses passwords. These bots peak right before Black Friday. Bots usually represent 96.6% of retailer traffic at that time.

• Ad Fraud: After attackers harvest accounts and start to monetize that with card fraud, they transition their bot activity to another lucrative venue. Ad fraud increases by 24% during the Christmas period.

• Magecart Attacks: Online skimming or Magecart attacks have grown very popular. Criminals take advantage of vulnerabilities in payment platforms to collect consumer payment card information, entered into legitimate transactions. The Macy’s breach announced in mid-November came at the hands of Magecart attackers.

• Charity Scams: Taking advantage of open hearts is very profitable for holiday scammers. The sometimes forgotten scams are charity scams. Always verify a charity’s authenticity before making donations.

• Gift and Loyalty Scams: The Dark Web is flooded with stolen gift card account information, and the bad guys are seeking every way they can to siphon off the monetary value stored not only in gift cards but also in retail loyalty accounts.

Although retailers continue to improve customer experience and security, anyone who has been in the security or digital world long enough understands that increased customer interactions will inevitably lead to increased fraud. While convenience is huge, consumers really need to be more security conscious about their online shopping, especially in high volume periods like NOW.

As retailers walk a fine line between security and convenience, consumers are provided with a secure checkout process but also damnd convenience. Retailers are doing all they can to ensure transactions are secure and seamless for all consumers, but you really need to take responsibility for your own security!