Christmas is a time when all of us are online more than usual, whether we’re contacting relatives to get a headcount for Christmas dinner or trying to find new ways of making brussels sprouts palatable.
The biggest time and stress-saver at Christmas has probably been the boom in online shopping. Being able to order turkey, trimmings, and presents from the comfort of your home — what a time to be alive!
According to the Deloitte holiday retail survey, 65% of shoppers in 2020 chose to do their Christmas shopping online rather than in-store to avoid crowds. And according to a similar survey by eMarketer, millennials were likely to do more than half of their holiday shopping online.
Not having to face shopping centre crowds or fight for the last premium Christmas pud is one of the greatest gifts we can give ourselves. However, typing out our credit card details multiple times a day and the sudden influx of confirmation emails can leave us vulnerable to some pretty serious online risks.
We always see an increase of phishing and email scams around the holidays. But what is phishing, and how can we protect ourselves from cyber crime at the busiest time of year?
What is Phishing?
Phishing is one of the tactics cyber criminals use in order to steal sensitive data from people online. Phishing can take the form of emails, text messages, advertisements, or web pages, which encourage users to take actions that will leave them vulnerable to cyber attacks.
Cyber criminals may try to get you to share your identity, bank details, or account passwords. In some cases, they may pose as an organisation to do this, or even trick you into sending them money.
Unfortunately, phishing scams are becoming more sophisticated as internet users are becoming more aware of online threats. We all need to take steps to protect our data, band one way to do this is to keep an eye on the latest phishing emails doing the rounds.
As experts in cyber security, we’ve collected some common examples of phishing scams that tend to rear their ugly heads around the holidays. We hope that you’ll find them helpful and that if you, or a loved one, is targeted by a phishing scam, you’ll be able to recognise them and report the sender right away.
Amazon and PayPal Email Scams
One of the most common phishing emails you’ll see at this time of year, are emails that are designed to look as though they are from reputable companies. With so many of us making purchases from Amazon and completing transactions via PayPal, these are common choices for scammers.
As well as the trustworthy reputation these companies have, we are probably used to seeing their names in our inboxes, making them the perfect cover for a phishing email. Scammers have also become adept at copying the brand marketing, including logos, colour palettes and email templates so that their phishing emails are almost indistinguishable from the real thing.
Imagine a hacker gaining access to your Amazon account, where you may have your card details stored and 1-click ordering activated. In a matter of hours, they could order hundreds of pounds worth of merchandise, as well as changing your password and locking you out.
You should also be suspicious if you receive purchase confirmations for items you haven’t ordered. Sometimes scammers will direct you to fake sites to ‘cancel’ the order, stealing your information in the process. If you receive an email for an item you haven’t ordered, go to your account on the site in question and see whether it appears in your recent orders or purchases. If it doesn’t, simply report the email address for phishing and delete the message.
How to spot a fake branded email:
- Check the sender’s email address. Is it from the company domain that it’s claiming to be, or from a suspect variation of it? For instance, an email ending in @amazon.co.uk is more likely to be legitimate than @amazon-customer-service-uk.com.
- If the email comes from an Outlook, Hotmail or Gmail address (e.g., firstname.lastname@example.org), it is very likely to be a phishing email as it hasn’t come from an address within the company’s domain.
- Although scammers are getting better at imitating a company’s brand, it’s also worth looking out for things like poor grammar, typos and low-res images. Companies like Amazon have entire departments dedicated to making sure their communications are professional and look good. Therefore, it’s very unlikely they’d send an email that was misspelt or didn’t fit their brand marketing.
- Are they asking you for something, such as your password, card details, or any other identifying information that could be used to hack into your other accounts? Is so, don’t send the information they’re asking for. There would be no need for a company to request information that they would already have on-file.
Postage and Custom Fee Scams
As well as people posing as big retailers, you may also receive emails purporting to be from Royal Mail, or well-known delivery companies like Hermes, DHL, or Parcelforce. With hundreds of thousands of packages being shipped throughout the country, this is another way that scammers can exploit the holiday season.
You may receive an email claiming that there are postage fees that must be paid, or a customs charge for an item shipped from abroad. Although these are sometimes legitimate, it’s best to look into the claims more closely before making a payment.
How to spot a postage or customs fee scam:
- Make sure that, before paying any fees, you’re sure that they’re for a parcel you’re expecting. If you receive an invoice, there should be a tracking number, a list of items, or at least some information about the company you ordered from. We’ll all be doing a lot of online shopping this year, but it’s worth taking the time to match up any invoices to a delivery that’s due before making a payment.
- You may also get a notification about a package you’re receiving from abroad, requesting that you pay a customs fee to have it delivered. Again, even if you do sometimes receive gifts from friends or family members abroad, be wary. Make sure that it’s a parcel you are expecting and that the country of origin matches up.
- Be careful about clicking third-party links in emails. Apply the same logic outlined above in the ‘how to spot a fake branded email’ section. If the email address looks suspicious, the wording is strange or there are several typos, don’t click any links or download any attachments.
Bank Account and Debit Card Scams
Unfortunately, even the banks aren’t safe from being impersonated by opportunistic cyber criminals. If you receive a text or email from a bank that you’ve never used talking about unusual activity on your account, the best thing to do is report the email and move on. Phishing is a numbers game, and scammers will target thousands of people at once with the same message, hoping to get a bite.
However, if you receive a message from the bank that you use, it still may not be legitimate — a scammer may just have struck lucky. Check the sending address, the content of the email and if you’re still unsure, contact your bank’s customer service line before doing anything further.
It is extremely unlikely that your bank will ask you to send identifying information in an email or text. Remember: if it seems fishy, it probably is.
Password Reset Scams
Another method cyber criminals may use to gain access to your account is to send an email or text message telling you that your account has been compromised, and that you need to reset your password.
You may be redirected to a scam site, where you must enter your current password in order to ‘reset’ your online banking. Criminals can then harvest this information, using it to gain access to your accounts and steal from you.
If you ever have an unexpected communication from your bank, the safest thing to do is contact them directly and see if they really require you to take action.
Never use the customer service number provided in the suspicious email. Always go to your bank’s official site, so that you know you’re speaking to a real representative and not another scammer.
Viruses and Malware
Viruses and malware are a constant threat online, and by employing some of the sneaky methods above like hiding behind a well-known brand name, cyber criminals can take more than just your data.
Computer viruses are malicious programmes that can ‘infect’ a device, compromising it and leaving you open to various types of cyber attack. Once a single device in your network is infected, the virus could spread to other devices, leaving every member of your household vulnerable.
Viruses exist which can:
- Log keystrokes and monitor your activity online;
- Mine sensitive data such as passwords and bank details;
- Destroy your device from the inside out, deleting files and software;
- And, one of the most frightening, gain access to your webcam so that you can be spied on from your device.
Malware is a catch-all term for malicious software which can be downloaded onto a device. This includes computer viruses, which are often spread via email and scam websites. However, malware can also be sent as an email attachment, posing as a legitimate piece of software (sometimes even an antivirus programme). Once you take the action to download it to your device, it may attack your system right away, or work in the background collecting data without your knowledge.
Always treat attachments with a healthy amount of scepticism, particularly if they request that you download them from an email address you don’t recognise. Invest in some reputable antivirus software ahead of time, and never trust an email which claims your device has already been compromised and offers you a free antivirus download. This is one of the most common, and most successful phishing scams that you’ll encounter online.
Five tips to protect yourself and your loved ones from phishing attacks this Christmas
- Always check emails about unpaid invoices or postage fees being due against your recent purchases before paying them.
- If you receive unusual communications from your bank, online retailers, or delivery services over Christmas, always check the email address to see if it has really come from their company. If the domain name doesn’t match the organisation, this can be a dead giveaway!
- Don’t click on suspicious-looking links in emails, and never use the contact details provided in a suspicious email to contact the company it claims to be from. Find any contact details from their official site.
- Be very wary of attachments, particularly if you’re given instructions to download them. This is one of the main ways that viruses and malware can gain access to your device — and it’s very hard to undo!
- If you are targeted by a phishing email, always take the time to report the address to your email provider. This is normally listed as an option along with forwarding the email or flagging it as spam. Providers are normally very quick to deactivate or delete the phishing account completely, which will prevent you or anybody else from being targeted by the same account.
At this time of year, not only is it more important than ever to be safe online, but we need to look out for one another as well. Phishing scams are most effective when they target vulnerable users like children or the elderly, who tend to be more trusting online.
Start a conversation with your family about staying safe on the web, and how to avoid phishing scams which could leave them out of pocket this Christmas. At Forensic Control, we are passionate about spreading awareness of cyber criminality and keeping our users safe.
Feel free to visit our About Us page if you’d like to learn more about our cyber security expertise, and why we do what we do. We also publish handy guides to help you avoid common online security threats.
If you’d like to learn ten ways to stay secure while working from home or what is meant by computer forensics, feel free to take a look at our other blog posts for more expert insights.