Holiday Shopping Safety Series
Avoid Holiday Scams and Hoaxes
By Joe Gray
Because the cash flow is on the rise, the activity of cyber criminals are increasing as well. The purpose of this blog series is to educate you, the reader, about how to be safe through this season including Black Friday, Small Business Saturday, and Cyber Monday. While I try to be thorough, I cannot possibly cover everything, but I try.
In continuing from the last blog post, the purpose of this blog post is to educate readers about common hoaxes, scams, and *ishing (spishing, vishing, and phishing) campaigns that they may encounter. While this list is intended to be thorough, it is not exhaustive and you may encounter different scenarios.
THINGS TO EXPECT
We know that the holidays are upon us. Watching television or scanning radio stations will not let us forget. Going inside at big box retailers are more “reminders.” As we’re being “reminded” often, so are the cyber criminals.
The sections below provide anecdotal scenarios you may encounter for various scams and social engineering campaigns that you may be subjected to:
SCAMS AND HOAXES
These happen year round. They happen online, in-person, and on the phone and some even by mail. Around this time of year, expect hoaxes to revolve around things to relay Dr. Robert Cialdini’s six psychological principles of persuasion, which is a staple of social engineering (some more than others):
- Authority: (Insert Celebrity Here) is doing this. (Insert Government Body Here) said that doing this is mandatory.
- Urgency/Scarcity: This is only available for x hours or there are only three left.
- Reciprocity: I do something for you, you do something for me.
- Commitment and Consistency: sending or saying the same thing repetitively.
- Social Proof: Come on! Everyone is doing it. Don’t you want to fit in?
- Likeability: Becoming a ‘friend’ and getting the victim to like the attacker.
While the line between hoaxes/scams and phishing is vague and blurry, I will isolate this example to Facebook to differentiate. I wish that Facebook had better detection algorithms, but their security team is likely overwhelmed 24/7.
For this scenario, you are casually browsing Facebook on your phone on your lunch break at work. A friend either shares a post with a link or tags you in it. The post claims to be a coupon for something at a ridiculous mark-down. A common item for this year-round is Ray-Ban or Oakley sunglasses. This could be a photo with the web address in it that you have to manually type or an actual link. Either way, if it is too good to be true, avoid it. Talk to your friend and explain that it is malicious and it will spread like wildfire. I also recommend reporting the post to Facebook as a sound precaution.
EXAMPLE OF PHISHING
We discussed phishing in the last installment, so I won’t go too deep. Phishing, again, is the act of sending fraudulent emails to try to get the recipient to either perform an action or provide information. The quality in terms of how believable these emails are varies greatly, but there are sure fire ways (in the advice section) to attempt to determine the validity.
A good example would be an email claiming to be from Walmart, Target, or (Insert Store Here) telling you that they have this item on sale for 75, 80, 95 percent off. The catch, it’s online only and there are only three left. You click the link, which will likely take you to their website that closely (if not identically) mirrors who they claim to be. You can hover over the links and see where they’re going. Some of the more malicious ones may be shortened (like bit.ly) or contain a lot of special characters (part of encoding) like %, &, ?, and .. to name a few. As you’ll read below, watch the language and how it is used. I have been observing phone numbers written as xxx.xxxxxxx in almost all the phishing emails that I have analyzed lately.
In case you fall for the phish and click the link, here are some steps to check before you take the plunge and enter information. Note: You should immediately trigger a malware scan if at home and, if at work, promptly notify your information or cybersecurity staff. Most often, they will be missing the Green Lock and SSL certificate, but if they have one, you can see who it was issued to by clicking the lock and selecting “details” then “view certificate.” You will see who the certificate was issued to, which should help you in your determination of the validity.
EXAMPLE OF VISHING (VOICE PHISHING)
Like phishing, I covered this in the previous post in the series but here, I will dive in with a scenario:
You receive a call. They claim to be a credit card company or a charity. If it is the “credit card company,” they’ll either be trying to lower your interest rates or tell you there is a “problem” with your account. You’ll be prompted for your card number. If this was legitimate, they would already know your card number, so ask them which card. If they do not know, hang up and report the incident time, source number, and context to the authorities.
For the charity call scam, the attacker will claim to be from a charity. They will play hard to your emotions and try to pull on your heartstrings. It will be for the kids, veterans, or something that you’ll come across as cold and heartless if you say no to. Ask for a call back number and, if they give you one, check Google for scam reports. (Note: If you are looking for a reputable charity, I personally recommend I Will NOT be #22, a veteran suicide awareness non-profit geared at eliminating veteran suicide.)
WHAT IS SPISHING (TEXT OR INSTANT MESSAGE PHISHING)
Almost identically to phishing and vishing is spishing. The attack is the same, the only difference is that it is over instant message (i.e. Facebook, Twitter, etc.) or text message. The target here is typically your mobile device, your contacts, and either your iCloud or Google account information. This will further enable the attackers to deliver payloads from sources that people trust.
RECOMMENDATIONS ON HOW TO AVOID ONLINE SHOPPING SCAMS
My advice to you in staying secure during this time of year is to remain vigilant (not that you don’t year round) and to follow these tidbits of wisdom:
- If it seems too good to be true – it probably is.
- If it claims to give inside information, special sales, free stuff, or spoilers – it will probably spoil your system (with malware) or bank account (with a $0 balance or lower).
- Only view reputable sites for e-commerce and online shopping.
- When clicking links on social media platforms, hover over the link and observe the website that it’s sending you to.
- Ensure the site you’re using has HTTPS and a Green Lock. This is not fool-proof but better than nothing.
- Ensure that the site you’re using is what it claims to be.
- For example you are on ABCNews.com vice ABCNews.com.co or ABCNwes.com.
- If you must use public wi-fi consider using a VPN service for an encrypted connection.
- Turn Wi-Fi and Blue Tooth off by default. Enable it only when you need it.
- If the website is a shortened or obscure URL like bit.ly (nothing against them, but this is a popular attack method), right click “Copy Link Address” and go to Virus Total (A Google Project) and select URL then paste it and “Scan It!”
- This will tell you if the URL is known to be malicious. Just because it says no does not mean that the site is safe, it may have not been reported enough yet.
- You can also use this site for uploading software to check it for malware as well.
- Do not respond to or click links within phishing emails or spishing messages.
- Ask someone like me or another information security professional.
- Contact Sword and Shield with any additional questions. Call us at 865-244-3500 or email us at email@example.com or fill out a consultation request.
Joe Gray is an enterprise security consultant with Sword & Shield Enterprise Security, Inc. He has worked as a systems engineer, information systems auditor, senior UNIX administrator, information systems security officer and director of IT security. He holds the (ISC)² CISSP-ISSMP, GIAC GSNA, GCIH, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications.