Cybersecurity experts' guide to outwitting Black Friday and Cyber Monday scammers
Flex your fingers. Find a comfortable place to sit. We're heading into one of the biggest shopping weekends of the year.
Americans say they're planning to partake in Black Friday, Small Business Saturday, and Cyber Monday, and , according to the National Retail Federation, are expected to make purchases online. But before you begin mashing "checkout" buttons, consider security.
by criminologists at the University of South Florida, people who use the Internet at home are more likely to be victims of online crime. That's because the study found that people engage in riskier online activities in private as opposed to when they are online outside the home and in the office. The researchers theorize that people conflate the safety of their home with that of their online behaviors, opening them up to various types of attacks.
This holiday season, phishing schemes, mobile threats, and social engineering attacks are among the most common types of threats. But greater vigilance can help everyone be safer online, especially when handing over personal information and banking details to online retailers. Here's what security experts recommend for outsmarting the online crooks:
Phishing and spear-phishing e-mails
Phishing e-mails and their more targeted incarnation, spear-phishing e-mails, are likely to make their way into your inbox at some point, said Greg Mancusi-Ungaro, chief marketing officer of security firm BrandProtect.
Many of them are disguised as offers from trusted brands and large retailers, and are often sent from a known contact's compromised e-mail address, he said. It isn't just a threat for those who aren't particularly Internet-savvy – even Mancusi-Ungaro fell victim to a phishing attack this year. "We're all susceptible, we're all busy," he said.
Mr. Mancusi-Ungaro recommends taking a few extra seconds to assess an e-mail. If it says you can get a great deal on a new Nikon camera, for instance, check the official Nikon site to see if that's really true, and buy from the official site. If you don't recognize the name of the company, he said, don't buy from them.
Be wary of copycat sites, which are pages that look similar to familiar companies' sites. Adam Levin, chief executive officer of identity threat detection firm IDT911, said many people take a good first step by checking for the lock icon in the URL bar, indicating a secure connection between the user and the site. But even copycat sites can have that lock.
Mr. Levin recommends going a step further to check the address bar to make sure the URL is correct. Many phishing sites, he said, use a slightly misspelled variation of an official site to trick users.
Someone calling to 'verify' personal information
Another threat to be on the lookout for, Levin said, is someone calling about an urgent situation to get personal information. Ironically, he said, they say they are calling because you may be a victim of identity theft, and they'll ask to verify personal information.
His company often gets reports of attackers attempting to trick people into believing they are identity theft victims, and then getting those victims to reveal personal information such as Social Security numbers. "Once you do that, you're doomed," he said.
Levin said IDT911 is seeing an uptick in this kind of scam when it comes to smart chip cards. Known as EMV cards, the credit and debit cards are considered to signature and PIN cards, and are widely used across Europe. As banks are rolling out the new cards, Levin said criminals are targeting consumers with "verification" scam calls, capitalizing on consumers' unfamiliarity with the new cards in an attempt to steal personal information.
In this case, protecting yourself is as easy as hanging up, Levin said. Should someone call you with a similar scenario, don't let the urgency of the situation overwhelm you. If the person says they are from your bank, hang up and call the number your bank lists on the back of your card or on their website.
Mobile threats
According to the National Retail Federation's survey of online shopping, polled last month said they intended to do some holiday shopping with their smartphone. Mobile shopping brings its own pool of threats, said Paul Henry, mobile forensics consultant for Blancco Technology Group.
Many people use public WiFi on their mobile devices, opening themselves up to man-in-the-middle attacks, in which a third party intercepts someone's internet traffic, such as credit card information.
Apps are another inherent area of concern for mobile, Mr. Henry said, because of the amount of information they collect. That means when downloading any new apps, notice the permissions they ask for, including whether or not they require access to your contacts. And make sure the apps you're downloading are from the official app store – Google's Play Store or Apple's App Store.
In Henry's perfect world, he would tell consumers, "Don't use your mobile device, use your desktop." But if you do decide to use a mobile device for holiday purchases, he recommends taking screenshots of the checkout page as an extra record of what was purchased and at what price.
Check your bank statements daily
All three experts emphasized that the only way to get ahead of any suspicious bank activity is to check your bank statements daily to look for discrepancies.
BrandProtect's Mancusi-Ungaro recommends signing up for purchase alerts from your bank or credit card provider to be notified whenever a purchase is made. It might seem like overkill, he said, but it can help detect small phishing amounts attackers often use to test whether or not they can put a larger amount on.
Even after the holidays end, they said, consider keeping up some of these security practices for year-round vigilance. "It's not just being on your toes for two weeks in November and December," Mancusi-Ungaro said. "It's being on your toes all year round."