With the high volume of email activity the holiday season brings, we’ve been getting a lot of questions about holiday email scams – what to look for and how to avoid them. So in the spirit of giving…some good advice…our Field CTO John Wilson has published a blog on LinkedIn with suggestions that can help people better protect themselves from online criminals, and help businesses ensure they aren’t aiding and abetting these Grinch-like cyber criminals:
As the holiday season approaches, we are bombarded with emails offering great deals on all manner of goods and services. While the sheer volume may be overwhelming, the majority of these messages are bona fide offers sent by legitimate businesses hoping for strong December sales results.
Sadly, there are also criminal organizations hoping for a strong December. Just like any legitimate business, these miscreants leverage email for marketing purposes. As consumers, what can we do to protect ourselves from online criminals? What can legitimate businesses do to ensure they aren’t aiding and abetting the unscrupulous purveyors of holiday misery?
Despite a verbal promise of the “best deal in London”, most of us know to avoid the hawker selling jewelry out of a van in Hatton Garden, and opt instead to patronize one of the legitimate shops. A shiny well-lit showroom or a van in the shadows; it’s pretty obvious which is the safer option in the real world. Online it’s a different story altogether. The fraudster’s email and website can look every bit as official as the honest business’s, and in some cases might even duplicate a real business’s online presence in an effort to defraud the unsuspecting public.
1. Survey scams
If you check your spam folder, you will likely find at least one email promising a gift card in exchange for answering just a couple of demographic questions. These offers often appear to come from Tesco, Apple, or some other well-known brand. The questions start off easy enough: What city do you live in? What’s your age? After answering several seemingly innocent questions, you’ll eventually be told the particular gift card offer is no longer available, but not to worry, there’s a different survey with an even better gift card as payment. After several iterations of this, you’ll eventually realize that there really isn’t any gift card. If you’re lucky, your information will only be used to send you lots of spam. Worst case, you may find your identity stolen. If you want a Tesco gift card, buy one from Tesco! While I’m on the topic, always buy your gift cards from reputable sources, keep the receipts, and be sure to confirm that your loved one was able to activate and use the card.
2. Fake shipping notifications
Great news, your package is en route and you can track it by clicking this link! But wait, you didn’t actually order anything, and that link doesn’t lead to the Royal Mail’s package tracking site. If you click the link, you may have just let malicious software take over your computer. Once infected, your computer might be used to send spam. A criminal might be watching everything you type, listening to your microphone even when you think it’s turned off, or taking video of you via your webcam. Another variation of this scam involves a malicious attachment posing as an invoice, customs form, or other document.
3. Donation scams
The holidays are a time for generosity, and many organizations seek donations this time of year. It’s all too easy for a criminal to set up a website that imitates a well-known charity, and then drive well-meaning folks to that website with a cleverly crafted spoofed email. By all means, be generous, but please go directly to your favorite charity’s website to give.
4. Phishing emails
Most of us know better than to click a link in a message that claims the bank is updating their database and needs us to provide all of our personal details including username, password, NI number, etc. But what if you get a message saying your credit card is over your limit right at the end of a long day of shopping? Don’t let your guard down just because the criminals had great timing. When in doubt, call the number on the back of your card, or type the bank’s URL directly into your browser’s address bar.
What can businesses do to reduce the chances of their customers being tricked by email-based scams?
Thanks to a fundamental flaw in the protocol that moves email around the Internet, email addresses can be easily spoofed by criminals. Incidentally, this flaw has existed since 1982. In 2012, some of the Internet’s largest webmail providers launched a new standard known as DMARC. Developed by Google, Yahoo, PayPal, JP Morgan Chase, Agari, and a number of other industry leaders, this standard offers a way for email senders to prevent spoofing of their email addresses. PayPal, Lloyds Banking Group, TSB, and Santander have already adopted this standard, and HSBC and Barclays are in the process of implementing it. I urge any business that sends email to deploy the DMARC standard. In addition to preventing email spoofing, the standard provides businesses with a wealth of threat intelligence whenever somebody attempts to spoof their email addresses.
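For a business checking its own deployment, here is an added example (not part of the original post): a small Python audit of the DMARC TXT record a domain publishes at `_dmarc.<domain>`. The tag names (`v`, `p`, `sp`, `pct`, `rua`) come from the DMARC specification; the sample records and example.com addresses are constructed.

```python
# Added example: audit DMARC TXT records. Sample records are constructed,
# not real DNS data.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def audit_dmarc(txt):
    """Return findings that weaken spoofing protection or reporting."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record: receivers get no policy for spoofed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: monitoring only, "
                        "spoofed mail is still delivered")
    else:
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy covers only part of failing mail")
        # sp overrides p for subdomains; a weaker sp leaves them spoofable.
        if tags.get("sp", policy).lower() not in ENFORCING:
            findings.append("sp is weaker than p: subdomains are not protected")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports on spoofing attempts "
                        "are not received")
    return findings

SAMPLES = {  # constructed records
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitor": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none; "
               "rua=mailto:dmarc-reports@example.com",
    "spf-only": "v=spf1 include:_spf.example.com ~all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record) or "OK")
```

A record only prevents spoofing once `p` is `quarantine` or `reject`; `p=none` with a `rua` address is the reporting-only stage that supplies the threat intelligence without blocking anything.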