As part of this year’s Scams Awareness Week, MailGuard has partnered with the Australian Competition & Consumer Commission (ACCC) to help shine a spotlight on identity theft and scams. This year’s theme is “Be yourself. Don’t let a scammer be you.”
Today’s key message focuses on staying protected from scams related to online shopping. According to ACCC’s Targeting Scams Report 2019, online shopping scams were among the top five scams reported last year, leading to losses totalling $4.8 million. Online shopping scams involve scammers pretending to be legitimate online sellers, by using a fake website or setting up a fake profile on a genuine website or social media platform. The ACCC warns these scams are not limited to online retailers: scammers often set up fake ads on classified websites and trick you into thinking you’re dealing with a legitimate contact. Scammers also pretend to be genuine buyers, so it’s just as important to be careful when selling on classifieds websites.
Spike in online shopping makes us more susceptible
With more retailers closing their physical stores in light of the COVID-19 pandemic, more people are turning to the Internet to shop for goods, including essentials. Online grocery sales in Australia have shot up by more than 45% since the advent of the pandemic, ACNielsen Homescan reports.
Unfortunately, many cybercriminals are exploiting this trend, and are peddling fraudulent goods, ranging from luxury items to groceries to pandemic-related merchandise like sanitisers and face masks. Here’s a malicious email that we recently intercepted:
As you’re probably aware, face masks are in high demand and, in many places, may be in limited supply. Preying on people’s fear and desperation, cybercriminals hope that recipients will be too distracted to check the legitimacy of the email before clicking on it, potentially being directed to a fraudulent shopping website that harvests credentials.
Additionally, it’s not just fake retailers that can trick consumers. There are other businesses involved in this chain that can also be mimicked – such as parcel delivery, tracking notifications, and banking services. We intercept many malicious messages across the course of the year - so it’s important to be able to weed the legitimate from the illegitimate, especially as more of us are relying on home deliveries during the COVID-19 lockdown.
The consequences of falling for an online shopping scam can vary, and often include:
- Users receiving “fake” items instead of the real ones they expected
- Users receiving no items at all
- Fraudulent shopping websites activating a hidden payload that spreads malware
- Users’ details and sensitive credentials being stolen for identity theft
That last consequence can be particularly damaging, because online shopping scams often harvest details related to financial payments (like your credit card number, or login details of your banking accounts), allowing scammers to drain your accounts and impersonate you in future scams. In addition, scams sometimes attempt to gain access to your personal information by encouraging you to sign up for a loyalty program or create an online shopping account, which often requires fields like “your mother’s maiden name”. In these cases, the ACCC recommends considering “checking out your shopping as a guest or leaving non-mandatory data fields blank”.
Here at MailGuard, we also often see a rise in online shopping scams during the holiday season, or during pressure times like Click Frenzy or Black Friday. Online cybercriminals capitalise on the same time-limited sale tactics that retailers use—encouraging consumers not to think before they click. Consumers in bargain mode might see a one-day sale in their Inbox or on socials and simply click, click, click - because they’re already in that shopping groove - throwing regular security measures out the window.
While it can be a great time to pick up a good deal before festivities kick off (or to buy yourself a pressie), it’s also a great time for phishing emails to circulate. If you’re running a business and staff are online shopping from their work devices, then it’s not only their problem, but your problem too.
This is the time to stop and do some reconnaissance. Ask these questions:
- Are they a legitimate business? (Check reviews)
- Is this email coming from a legitimate address? (Check the email domain/ sender address)
- Are the links in the email going to the actual retailer’s website? (Compare with a Google search)
The Australian Cyber Security Centre also warns you to look out for these tell-tale signs:
- Strange methods of payment. This is often the biggest tip-off. Scammers may request payment using electronic funds transfer (e.g. Western Union, Money Gram), money order, pre-loaded money card or wire service. They might also ask for payment by gift card or in cryptocurrency like Bitcoin. Paying with these methods means you’re unlikely to get your money back, and you probably won’t receive your items.
- Too good to be true. These scams often advertise benefits or items at unbelievably low prices.
- Strange web address. The link from the advertisement appears genuine but when you click on it, the link takes you to a different address away from the seller’s website address.
- No customer reviews. Be wary of social media shopping pages that are very new, selling products at very low prices and don’t have any customer reviews. Sometimes the conversation on social media about the company is one-way and comments are made by the page owner only and not from customers. After making a number of sales, social media scam stores will disappear.
- No contact details or store policies. Be wary of companies whose websites provide no contact details or information about their privacy and returns policies, or their terms and conditions of use.
We also recommend ensuring your business email security is up to scratch to prevent being duped by online shopping scams perpetrated via email. Nine out of 10 cyber-attacks occur via email, so we encourage companies to adopt a strategic, multi-layered approach when it comes to their email security. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods and solutions, so that if one fails, the others will stop the threat.
You may already have native security from your email hosting provider, like Google or Microsoft, but it’s key to remember that no one vendor can stop all attacks. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist third-party cloud email solution like MailGuard to complement Microsoft 365.
We recommend that you report any scam that you see or hear to the relevant authorities. Let this also be a good opportunity to re-evaluate your business’ cyber readiness and take proactive measures to help your teams become more cyber resilient. If you need more support in protecting your business from email scams, feel free to reach out to us at firstname.lastname@example.org.
As part of Scams Awareness Week, we will be focusing on scams related to social media tomorrow. Watch our blog for more updates.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.