As we head full-bore into this holiday season, we’ve seen an unsurprising uptick in online shopping scams and malware. This year cyber criminals have upped their games by using more sophisticated techniques to trick their victims into divulging credentials and payment card information.
The types of attacks we’re seeing this time around are predominantly social-media scams and brand spoofing. Scammers are forging what appear to be limited-time, high-value giveaways or discounts and are requiring victims to share the lure on social media in order to “unlock” the reward. Most of us are on the lookout for a great deal, so as in standard phishing technique, these scams are written to convey a sense of urgency that entices victims to click and share. Do it now or it’s gone forever.
A recent report from social-media risk-management firm ZeroFOX examined 26 different brands that ranged from brick-and-mortar retail to electronics to luxury goods. During a 20-day span in November 2019, ZeroFOX detected more than 61,000 online scams that leveraged these brands. The majority (92%) appeared to be from brick-and-mortar retailors like Walmart, Target, and Costco. These stores have so many customers and sell so many different products that any well-crafted brand-spoofing scam is bound to draw a lot of attention.
In general, this type of scam starts with a social media post with a flashy graphic. The post offers something—often a gift card or item—for free. Clicking the link takes the victim to a landing page on which they are prompted to enter personal information like their name, e-mail address, password, and payment card information in order to be entered to “win.” Scammers are also including hashtags like #giveaway and #CyberMonday so that the posts are indexed and become searchable, which helps to improve their reach. Here’s an example of one such landing page:
It looks legitimate, right? The graphics on these landing pages are typically lifted directly from the manufacturers’ sites the scams are spoofing. So how else can we identify a scam?
- Look at the URL of the landing page. Is it in the manufacturer’s domain (e.g., samsung.com, apple.com, etc.)? If not, it could be a scam.
- Is there urgency? Look for phrases like “exclusive offer” or “limited time only.” These should raise eyebrows.
- Also look for phrases like “login” or “verification.” These are dead giveaways.
To help protect your computers at home, check out our earlier post about using Cisco Umbrella. It’s free, easy to deploy, and blocks access to most of these landing pages.
One of the axioms of using the Internet is that if something seems too good to be true, it probably is. Stay vigilant this holiday season (and beyond). It’s not getting any safer out there.