Be cautious of the 'order confirmation' email. It could be a malware attack
We all indulge in a bit of online shopping in preparation for the holidays, so getting an order confirmation for an in-store pick up with a link below might tempt you to open that link. If you do, you'll be playing right into the hands of the scammers. Do not click on it.
Joe Abbey, Arxan Technologies' director of software engineering, displays on his computer how he hacked into a phone app during a demonstration at the Black Hat USA 2014 cyber security conference, in Las Vegas. Experts say systems grow more susceptible to attack with more user-friendly websites and apps.
AP Photo/David Becker/File
You've no doubt been doing a bit of online shopping in preparation for the holidays, so getting an order confirmation email聽from a store like Target, Home Depot, Walmart or Costco聽most likely聽wont set off any alarm bells for you.聽聽After all,聽you聽probably think you know how to聽spot an email scam from a mile away:聽there are the misspelled appeals for cash, the promises of future riches and, of course, the desperate signatures of unjustly usurped Nigerian princes. But those seemingly innocent order confirmations may be just as sinister as the grammatically incorrect ramblings of your Nigerian pen-pal.
As noted in a recent post on聽, phishing聽scams, where cyber-criminals craft fake but authentic-looking emails from trusted companies in order to steal your personal information, are becoming increasingly common--especially during the holiday season. Here's how it works: You get an email with the聽subject line "Thank you for聽shopping at聽Target!" You click on it, and the body of the email looks something like this: 聽
This probably strikes you as a little odd-- maybe you聽don't remember buying anything from Target, or maybe you did order something, but didn't opt for in-store pickup. Either way, you're gonna be tempted to click on that link to get to the bottom of this, and if you do, you'll be playing right into the hands of the scammers. See, that link won't lead you to Target.com. Instead, you'll be redirected to a foreign site that will automatically download a .ZIP聽file filled with malware designed to hack your computer and steal things like your credit card numbers, your banking information, and your sensitive personal data. Sometimes this malware聽will be disguised as an attachment聽which the email text will implore you to open, but no matter how it's presented, you should NEVER click on it!
Luckily,聽it's easy to spot a phishing scam once you know what to look for.
If you're a frequent online shopper, you'll know that you聽usually receive an order confirmation immediately after you make a purchase online. If you're getting emails with subject lines like "Order Confirmation" "Acknowledgment of Order" "Order Status" or "Thank You for Your Order"聽and you haven't bought something within the last 15 minutes, it's safe to say they're not legit. Also,聽look out for misspellings, poor grammar and weird send-offs.聽For example, the above email is riddled with red flags, like: "You may pick it in any store of Target.com closest to you within four days." It is highly improbable that a company like Target would ever聽include such a glaringly incorrect sentence in what is supposedly an auto-confirmation email. Scammers often purposely include typos, as聽people who don't notice them are more likely to fall for their tricks. If you get an email that looks like it's from a store you DID recently order from, make sure you聽double check the address of the sender.
If you get an email from Target but the sender's address is no-reply@youngblood.net, it's a scam. Also,聽take care to聽hover over all the links in the body of the email. If they seem to be directing you somewhere other than the official store website, don't risk it.聽Most retailers let you check your order status and history on their store pages, so go there first if you get a fishy (or phishy) looking email. Finally, phishing scams don't only happen during the holidays. Here are聽a few things to look out for if you want to聽stay聽safe from scammers year-round:
- Password reset requests from Facebook, Twitter, Tumbler and other social networks聽-- Facebook says it clearly in its security policy: "Facebook will never request your password over email, and we advise against providing your login information to anyone under any circumstances." Don't fall for this!
- "Urgent" messages from banks, health insurance companies or government agencies asking you to provide聽personal information聽-- IT'S A TRAP! Sophisticated hackers often use this trick, and聽link to聽a form for you to fill out on聽website that looks just like your bank's.聽But entering your info here will almost certainly result in identify theft down the road.
- Messages from contests or lotteries you've never heard of聽-- Sadly,聽you can't win a contest you didn't enter. Mark these million-dollar emails as junk and don't look back.聽