Capitalizing on Urgency
With Thanksgiving around the corner, two things are certain: the tryptophan will leave you sleepy, and too many people will be falling for Black Friday scams – and perhaps even more so on Cyber Monday.
Billions will be spent over the weekend, and increasingly online, meaning there’s big money to be made – both for legitimate businesses and for scammers of all shapes and colors. A survey suggests the average shopper will spend over $700 this year on Black Friday alone, but how much of that will go to the bad guys? A Kaspersky study suggests the holiday season sees a 9% higher than quarterly average in phishing scams – while that doesn’t mean shoppers will lose 9% of their spending to fraud, it still means that more fraud will be perpetrated than at other times of the year.
The challenge for many will be to ignore that “iPhone for $100” or “free $50 gift card” subject line. The feeding frenzy that is Black Friday happens online (in a different format), and the urgency to capitalize on an incredible offer (that is, of course, about to expire) produces a lot of risk.
The Growing Threat of Targeted Phishing
Based on current targeted phishing trends, we expect this year to be especially bad in this regard. Many phishing campaigns will go out, and not only credential-stealing ones – malicious URLs and attachments will try to get you to open, click or download ransomware, spyware or other malicious material, taking advantage of any urge to get a great deal. Unsecured servers at retailers small and large will come under attack.
Why are these attacks especially effective around the holidays?
The three big ingredients are present:
Financial incentives: The items might be small, but the sheer volume of interest and spending is there to take advantage of.
The frenzy: Buyers in a shopping frenzy are less likely to second-guess what they’re being offered via email.
Lack of awareness: An unsuspecting (unaware) public that is already prone to fall for fraud, even without the conditions mentioned above.
Look For The Clues
Luckily for anyone reading this post, you are likely more vigilant and cyber aware. You can probably spot the clues, but, just to reiterate a few of them (or offer some to share with friends and colleagues):
Considering that many phishing campaigns need to establish some legitimacy, building automated email templates, phishing landing pages and other online properties to cover their tracks, they often miss things. Spelling is one commonly overlooked area. Legitimate e-commerce companies tend to employ content teams and proofreaders, and have mechanisms in place to catch errors. That is not to say a spelling mistake should rule out the retailer entirely – I’m sure we’ve made a spelling mistake on this website somewhere (maybe in this post!). But if you are about to hand over your credit card and you see something slightly off, dig a little deeper and rule out any of your suspicions.
Too good to be true
This is probably the biggest giveaway. Nothing is free, nor is it ridiculously cheap (especially not iPhones). Maybe airline tickets. Either way, if it seems too good to be true, assume it isn’t real. If you want to believe it, do your research. Google it. Check the Better Business Bureau. Don’t let greediness and urgency get the better of you.
Unsolicited email (from a sender you don’t know)
Never heard of the seller before? Never open the email. Spammers are using more sophisticated methods to bypass filters. Good spam protection should offer a catch rate greater than 99.95%. But that still means 5 spam emails out of 10,000 might make it through. “Curiosity killed the cat,” as the expression goes – one inquiring click on a malicious link and you could lose credentials or credit card numbers, or even get your computer infected with a nasty case of ransomware.
Requests for private information
No trustworthy company requests private information in an email – most companies have policies in place to keep your data safe, and those policies rule out asking for it by email unless the email is encrypted. If an email requests ANY confidential information, don’t trust it – assume guilt until innocence is proven. Use a form of multi-factor authentication and log in to your account from the URL you regularly use, or contact the company directly (not by replying to the email). Or search for the company name together with the email subject to see if others are experiencing the same scam. Usually the company will release an official statement when a scam using its name is making the rounds.
(Note: It’s worth having a look at Amazon’s fact sheet on phishing for how to have a safe Amazon experience.)
General Tips to Protect Yourself
Human error is the top cybersecurity threat. This is well established and continues to rear its ugly head. Here are a few general tips (beyond launching a complete awareness and training program) that will keep you protected this holiday season.
Defer to Your Credit Card When Making Payments: Unlike a debit card, a credit card offers better consumer protection and traceability.
Deploy URL Defense: If you’re an admin and worried about your users falling for Black Friday scams, a URL defense solution can protect you from masked redirects that can send you to a phishing site.
Domain and Email Spoofing Protection: Protect yourself from spoofed URLs which look like an official URL but actually carry a slight modification (compare Paypal to PaypaI – see a difference? The second one ends with a capital “i” in place of the lowercase “l”).
Endpoint Protection: Protect your computer from ransomware, exploits and malicious attachments with an effective anti-virus solution.
Spam Protection: Good spam filtering can stop most serious threats, which for the great majority start as spam. If you don’t even see the unsolicited email, your level of risk quickly approaches zero.
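As an added example (not code from the original post or from Vircom), here is a small Python check that folds the lookalike characters discussed above, a capital I standing in for a lowercase l and Cyrillic letters among them, and flags a link whose domain merely resembles a protected brand or smuggles the brand name into another domain. The brand list and the confusable table are constructed assumptions for this example.

```python
import re
from typing import Tuple
from urllib.parse import urlparse

# Constructed brand list for this example; a real deployment would load the
# organisation's own list of protected domains.
PROTECTED_DOMAINS = ["paypal.com", "amazon.com", "apple.com"]

# Characters that pass for one another in common fonts, folded to one form.
# Deliberately small; the Unicode confusables table is the full reference.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic r, s, u
}

def skeleton(label: str) -> str:
    """Fold a hostname into the shape a reader would see on screen."""
    # Map before lowercasing so that a capital I becomes l, not i.
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()
    # Two-character pairs that read as one letter at a glance.
    return folded.replace("rn", "m").replace("vv", "w")

def registrable_domain(host: str) -> str:
    """Last two labels of the host (two-label suffixes such as co.uk are out
    of scope for this example)."""
    return ".".join(host.strip(".").split(".")[-2:])

def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, brand). Verdicts: legit, lookalike, brand_in_host, unknown."""
    # urlparse().hostname lowercases, which would hide the I-for-l trick, so
    # take the host from netloc and strip any userinfo and port by hand.
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]
    domain = registrable_domain(host)
    if domain.lower() in PROTECTED_DOMAINS:
        return "legit", domain.lower()
    for brand in PROTECTED_DOMAINS:
        # Whole registrable domain looks like the brand: PaypaI.com, arnazon.com
        if skeleton(domain) == skeleton(brand):
            return "lookalike", brand
    host_labels = set(re.split(r"[.-]", skeleton(host)))
    for brand in PROTECTED_DOMAINS:
        # Brand name used as a subdomain or label of some other domain.
        if skeleton(brand).split(".")[0] in host_labels:
            return "brand_in_host", brand
    return "unknown", ""
```

A mail gateway or browser extension would run this over every link in an incoming message and warn on anything other than `legit`, since a lookalike verdict is exactly the PaypaI case the post describes.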
So, stay vigilant, safe and have a happy holiday season…
This is a Security Bloggers Network syndicated blog post authored by Joey Tanny. Read the original post at: Vircom | Email Security Experts