Gabi Power 25 November 2022 15:15:56 AEDT 13 MIN READ

Staying Safe from Festive Frauds

For many people, the festive season is a time for celebration and relaxation, but while we’re taking time away with our families, those of us in the industry know that cybercriminals are working overtime. With the Black Friday and Cyber Monday sales in full swing, and Christmas fast approaching, make sure you’re not letting your guard down online.

Black Friday and Cyber Monday get bigger every year, with shoppers eager for a bargain before the Christmas rush. Taking advantage of the seasonal surge, online retailers run special sales from the start of November, and inboxes are flooded with last minute promotional emails. It can be tough deciphering what’s real and what’s not.

In 2020, 1 in 4 Americans admitted to falling victim to fraud during the festive season. It is a time of year when scammers are ready to capitalise on the spike in frantic online sales, exploit charitable giving, and take advantage of the lonely.

Below is a selection of scams that target businesses and employees, as well as lonely and vulnerable individuals within our community, over the festive period. Make sure to share this article so that you can protect your friends, family, and colleagues.

 

Online Shopping Scams

Taking advantage of the millions of customers who choose to do their shopping online, scammers set up fake online retail stores, often stealing logos and website assets, names, links and other credentials of genuine brands, and selling trending items, luxury goods, clothing, jewellery, or electronics at a super low price. However, as you’ve been told a thousand times before: if it seems too good to be true, it probably is.

The scams can take many shapes and forms, from traditional phishing and ransomware emails masquerading as a last-minute sale, through to fake shop fronts for goods that never materialize.  

In the case of phishing and ransomware, we all know the risks of credential stealing or of malicious downloads that can wreak havoc on a business. While crazy online sales are generally the domain of consumers, our employees are consumers too, and if they’re working remotely or shopping using a company device, then they are potentially putting the business, its systems and networks at risk.

In the case of consumer scams, many items just never show up, and those that do are usually not the quality (or the brand) that you were expecting. Businesses can easily fall prey to these too of course, perhaps purchasing extra stock for the retail peak. 

Scammers sell the products through dodgy websites, which are now often promoted through spam emails, or through social media platforms such as Instagram, Facebook and TikTok. By paying for an ad on social media, the scammers get their product right in front of their target demographic, and once they’ve got enough sales, the store will disappear without a trace and the customers never receive their goods.

To avoid online shopping scams, we recommend:  

  • Google the website or brand for reviews before purchasing (reviews on their own website can easily be faked)
  • Check comments on the store’s social media posts or ads
  • Only pay via credit card or through secure payment platforms such as PayPal
  • Don’t click on offers received via email; instead, visit the company’s website directly to ensure it’s legitimate

You can find out more about online shopping scams here

 

Parcel Delivery Scams

Knowing that many households and businesses are waiting on packages in the lead-up to Christmas, you can also expect an influx of parcel delivery phishing scams which impersonate shipping companies such as DHL or Australia Post. Typically, the message will warn that a package has been held up, and often it will add that a small delivery fee needs to be paid. The email or SMS will contain a link to a phishing website where personal details such as name, email, phone number, address, and credit card information will be stolen.

MailGuard is continuously blocking parcel delivery scams. For examples of what they look like, check out the latest DHL scam, and Australia Post scams.

Romance Scams

For many, there’s no lonelier time than the holidays. Scammers are aware of this and throughout the festive season are particularly active on online dating sites, apps and, primarily, social media, ready to prey on people’s emotions in an attempt to steal money.

According to ScamWatch, dating and romance scams are the second costliest scam type so far this year.  

From January to October, Australians have lost more than $35 million, with one in three reports ending in financial loss. What’s most concerning is that in December 2021, losses to romance scams skyrocketed to almost $9.4 million, a 65% increase on the month prior and a potential indication of what’s still to come this year.  


Source: ScamWatch, Scam Statistics – Dating & Romance - 2021 

A recent victim of romance scams was a Tasmanian woman who received a friend request on Facebook from a man who claimed to be a crypto trader. Their relationship quickly turned romantic, and they even spoke on video calls to “prove” his identity. After three months, the man suggested she invest in crypto to create a future together, and 12 months in, she had “invested” and lost $120,000 to the elaborate scam which involved not one, but five men.

In the cybersecurity industry, the concept of ‘zero trust’ is commonly discussed and practiced, but those outside of the field may never have even heard the term. As Microsoft so aptly put it, zero trust teaches us to “never trust, always verify”. As humans, this goes against our natural instincts to give people the benefit of the doubt, even when it comes to strangers on the internet. However, adopting a zero trust approach when online, both professionally and personally, is critical to staying safe. 

In terms of romance scams, zero trust means:  

  • Do not share any personal information with someone you have not met  
  • Never send money to someone you have not met (or receive it)  
  • Use trusted dating websites or apps  
  • Proceed with caution when responding to friend requests or messages from people you do not know  

You can find out more about zero trust and how to implement it in your business here. 

Fake Charity Scams

In 2019, it was revealed that almost half of Australians planned to donate money to charities at Christmas. Scammers exploit this sense of charity and goodwill, and create fake charities, or impersonate genuine ones and ask for donations. They typically use real disasters or emergencies, such as bushfires, floods, disease, or famine to prey on emotions, which can cloud judgement when the scammer reaches out to a victim directly. Most commonly, scammers will contact individuals via phone calls, social networking, or via email, but they can also go door-to-door or do letter drops. 

The Australian Charities and Not-for-profits Commission recommends these tips to avoid getting scammed in the lead up to Christmas:  

  • Look for established, registered charities running verified appeals 
  • Do a quick check to see if the organisation is on the Charity Register and find details about its main work 
  • Don’t click on links in unsolicited emails and social media posts which may take you to a fake, scam website. Find the charity’s website in a search engine or on the Charity Register 
  • Don’t give your credit card and bank account details on social media and be cautious online 
  • If you get a call claiming to be from a charity, say you’ll call back. Search the Charity Register and call back on the number shown there.  

Phishing Kits

A sophisticated new phishing kit has been targeting North Americans since mid-September, using holidays such as Labor Day and Thanksgiving to prey on online shoppers who are looking for special deals. To lure victims in, the phishing emails claim that the recipient could win a prize from a well-known brand after completing a survey. Everyone's a "winner" when it comes to these scams - all they need to do is provide their credit card details to cover the shipping on the prize, and those details are promptly stolen by the fraudster.

"The links in the email don't raise any alarms as they lead to the phishing site after a series of redirections, while URL shorteners conceal most URLs." The links are also generated so that each one is unique to an individual recipient and can bypass protection mechanisms.
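As an added illustration for defenders (not MailGuard's code and not part of the original article), the Python below shows how the three traits described above can be checked once a mail gateway or sandbox has recorded a link's redirect chain: a shortener hop, a long chain that lands on a different host, and links that differ per recipient but share one template. The shortener host, the `.example` URLs, the token pattern and the hop threshold are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SHORTENER_HOSTS = {"s.example"}  # placeholder; substitute your own maintained list
TOKEN = re.compile(r"^(?=.*\d)[A-Za-z0-9_-]{12,}$")  # assumed shape of a per-recipient id

def template(url):
    """Replace token-like path segments and query values with {id}."""
    p = urlsplit(url)
    path = "/".join("{id}" if TOKEN.match(s) else s for s in p.path.split("/"))
    query = "&".join(f"{k}=" + ("{id}" if TOKEN.match(v) else v)
                     for k, v in parse_qsl(p.query, keep_blank_values=True))
    return f"{(p.hostname or '').lower()}{path}" + (f"?{query}" if query else "")

def chain_flags(chain, max_hops=2):
    """chain: URLs in the order visited, email link first, landing page last."""
    if not chain:
        return []
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    flags = []
    if any(h in SHORTENER_HOSTS for h in hosts):
        flags.append("shortener")
    if len(chain) - 1 > max_hops:
        flags.append("many-redirects")
    if hosts[0] != hosts[-1]:
        flags.append("landing-host-differs")
    return flags

def per_recipient_links(email_links):
    """True when every recipient got a distinct URL that shares one template."""
    return (len(email_links) > 1
            and len(set(email_links)) == len(email_links)
            and len({template(u) for u in email_links}) == 1)

# Constructed sample data: one recorded chain and the first link from three recipients.
CHAIN = [
    "https://mailer.example/c/7f3c9a1e5b2d4c88",
    "https://s.example/a8Kq2",
    "https://hop.example/r?u=7f3c9a1e5b2d4c88",
    "https://prize-survey.example/win?id=7f3c9a1e5b2d4c88",
]
EMAIL_LINKS = [
    "https://mailer.example/c/7f3c9a1e5b2d4c88",
    "https://mailer.example/c/0b61d2aa94e7f310",
    "https://mailer.example/c/c45e08f7a1b29d63",
]

if __name__ == "__main__":
    print(chain_flags(CHAIN), per_recipient_links(EMAIL_LINKS))
```

Because every recipient's URL is different, an exact-URL blocklist never sees the same link twice; matching on the template (`mailer.example/c/{id}`) is what lets one report cover the whole campaign.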

 

Keep Your Business Protected 

Prevention is always better than a cure, and the best defence is for your business to proactively boost its cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for your business to fortify.

No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or Google Workspace, you should also have third-party solutions in place to mitigate your risk. For example, you could use a specialist cloud email security solution like MailGuard to complement Microsoft 365.

For more information about how MailGuard can help defend your inboxes, reach out to our team at expert@mailguard.com.au.

 
