Consumer

/

Home & Leisure

Susan Tompor: Cyber scams tempt holiday shoppers

Susan Tompor, Detroit Free Press on

Published in Home and Consumer News

Cyber Monday is the Monday after Thanksgiving. But many holiday shoppers hunt for deals via their smartphones and laptops long before the family cook preps the turkey for the oven or deep fryer.

Why wait for Black Friday -- or Cyber Monday -- to shop? After all, holiday shopping deals are all over the place already. But if you think you're too smart to get caught by a scammer, think again.

Two in five U.S. consumers have fallen victim to an online phishing attack, according to a 2017 Cyber Monday Phishing Survey by DomainTools.

It still happens even though 91 percent of consumers are aware that crooks will create spoofed websites or send phishing emails that impersonate trusted, big name retailers or brands, according to the Seattle-based company that helps organizations and security analysts map criminal activity and prevent cyber attacks.

So it's not overkill to warn shoppers once again to be a little paranoid when they spot a too-good-to-be-true deal online.

Here's how to avoid getting scammed during the holiday shopping frenzy:

–– Stop chasing any and all deals.

"We live in an age where we have all these push notifications and emails," said Steve Koenig, senior director of market research at the Consumer Technology Association, a trade group in Arlington, Va.

The volume of such activity during the holidays, he said, makes consumers even more vulnerable to clicking on a $100 coupon before thinking twice.

"We're all moving super fast, we get distracted," said Tim Helming, director of product management at DomainTools.

When we're rushing, we might not notice that the website in an email has an odd name.

Brands that continue to be spoofed include Amazon, Wal-Mart and Target. Other brands that are commonly targeted include PayPal, Yahoo and Apple.

Helming told me that consumers need to be wary of fake sites that play up the "Black Friday" frenzy. Dozens of malicious domain registrations that touted a Black Friday connection cropped up last year beginning around Nov. 20, and he expects the same this year, too.

–– Learn how to spot a fake.

Watch out for a domain decorated with a few extra, possibly even reassuring, words or odd spellings. DomainTools listed some brand-abusing domains that have a dot-com at the end but they're still frauds, such as Amazonsecure-shop, Target-officialsite or Walmartkt.

Other fakes include: Amazonshop.gq or Targethome.today or Walmart-outlet.ga.

Helming said domains that include a hyphen and words such as shop or secure can be good clues to a phony site, as many brand names use their names alone for their sites.

Other words in a fake URL site that appears to be connected to a well-known name might be something like outlet, discounts or deals.

Many times, the fraudsters use words like "official site" to make their fake sites look legitimate. Or there might be extra letters, such as Yahooo or Walmaart.

Take care on social media. Phishers can use "URL shortening" services to obfuscate phishing URLs. As a result, a very short URL can be used in tweets, which automatically redirect the visitor to a longer "hidden" URL, according to the Anti-Phishing Working Group's research.

–– Recognize the risks of rushing.

Consumers who click on the links or visit malicious sites are typically unknowingly handing over their names, addresses and credit card information.

Never click on links in emails or social media to go to a retailer's website. A better bet: Take a few extra seconds to go directly to the site yourself. Be sure to take a second look at all URLs.

–– Ask yourself why would Amazon be sending you a free gift card? Really?

Yes, one of those free $50 Amazon gift cards popped up in my email the other day. Of course, it's a spoofed email. So I just hit delete.

Amazon is warning consumers that phishing emails will direct you to a "false website that looks similar to the Amazon website, where you might be asked to provide account information such as your email address and password combination."

The fake sites can steal sensitive information that can be used without your knowledge to commit fraud, according to Amazon.

Phishers can steal user names and passwords from one site to engage in fraud on other sites. Too many consumers carelessly use the exact same usernames and passwords across different sites.

 

Amazon doesn't send emails that ask for your Social Security number, bank account information, PIN or your Amazon.com password.

Amazon offers shoppers a way to report suspicious emails and web pages. You can forward the email or send suspicious email as an attachment to stop-spoofing@amazon.com.

–– As you order gifts online, don't get tripped up by fake email alerts.

As holiday shipping goes up in November and December, the frequency of phishing emails relating to orders or shipments goes up, too.

Wal-Mart warns that if you received an order confirmation email from Wal-Mart but never placed such an order, it may be a "phishing scam attempting to gather information, or in some cases, spread malware."

FedEx warns consumers about a "delivery failure" scam email.

Fraudulent emails claim to be from FedEx or the U.S. Postal Service "regarding a package that could not be delivered."

The consumer is then asked to open an attachment in order to obtain the invoice needed to pick up their package. The attachment in the email may contain a virus.

Don't just rush and assume there's trouble with something that you ordered.

"Be suspicious of incoming email from unknown or unsolicited sources, especially those that have attachments as well as hyperlinks," said Jeremy Stempien, a detective for the City of Novi, Mich., and a special federal deputy marshal for the Southeast Michigan Financial Crimes Task Force.

"The same should apply to incoming phone calls," he said.

–– Every deal you find online is not a bargain.

Con artists tempt consumers with great deals on hard-to-find items or hot gifts. Maybe you'll spot some extraordinary deal on an Apple iPhone X or find a crazy bargain price on an L.O.L. Surprise! Big Surprise toy.

Or you think you've found a great deal on jewelry. The Better Business Bureau and others warned in 2017, for example, about fake sites that offer up to 70 percent off on Pandora charms.

Charisse Ford, chief marketing officer for Pandora Americas, said shoppers should be aware that counterfeit sites have some clear indicators, including the "About Us" page that can be very generic without descriptions of the business, company mission or current Pandora images or promotions.

Another clue: Try calling and talking with someone in customer service first before placing an order to ask about return policies and the like. Shoppers are less likely to connect with a real person if going through a fraudulent site.

Companies such as Pandora note that they work hard to help identify and shut down counterfeit sites, including those on social media channels.

Con artists use phony websites to sell counterfeit goods -- or engage in cybercrime.

It's no bargain if, when you click on the link, you download malware.

"You think you are getting the discount of a lifetime or an exclusive offer, but this is a phishing attack," said Adam Levin, author of "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves."

Remember, bargains abound throughout the holiday season, so there's no reason to think you absolutely must get all that shopping done right now.

About The Writer

Susan Tompor is the personal finance columnist for the Detroit Free Press. She can be reached at stompor@freepress.com.

(c)2017 Detroit Free Press

Visit Detroit Free Press at www.freep.com

Distributed by Tribune Content Agency, LLC.

 

Comments

blog comments powered by Disqus