‘Tis the season for shopping scams — and this year could see more retail scams than ever as people stay home and shop for deals online as a result of COVID-19 lockdown measures. In fact, recent research shows that nearly half of U.S. consumers (47 percent) have done more online shopping in 2020 than in 2019.
The problem is that this change in consumer behavior, combined with a frenzy of holiday shopping deals and mega online shopping days like Black Friday and Cyber Monday, has created an optimal environment for cybercriminals and phishing attacks.
Why? Because consumers expect to receive more emails from brands during this time, touting deals, sharing updates about orders, and sending updates on deliveries. Inboxes are noisier than usual, making it much easier for hackers to disguise their malicious messages.
Attackers will also use the not-to-be-missed deals as lures to trick their victims. People are often advised to avoid clicking on emails that include seemingly too-good-to-be-true deals, but that rule of thumb is far less useful at a time when retailers really are lowering prices to attract bargain hunters.
People are even more likely to fall for a scam when the email looks like it was sent from a legitimate brand and email address. Such messages can lead them to open harmful attachments or follow links to fake websites that harvest financial information or account credentials.
This isn't trivial. McAfee revealed that over 2 billion account details were stolen and circulated on the dark web following last year's holiday shopping season.
Impersonating a trusted brand via email is a tried and tested technique that cybercriminals use to successfully deceive and hack humans. It’s so effective that 53 percent of IT decision makers at U.S. retailers are worried that their brand will be spoofed during the holiday shopping season.
Despite these concerns, however, Tessian researchers found that 75 percent of the top 100 retailers in the U.S. do not have Domain-based Message Authentication, Reporting & Conformance (DMARC) records in place. DMARC is an email authentication protocol that lets a domain owner publish a policy telling receiving mail servers what to do with messages that fail SPF and DKIM alignment checks: monitor only (p=none), quarantine, or reject. Without a DMARC record, or with a record whose policy is only "none", hackers can put the company's exact email domain in the From address of a phishing campaign and receivers will still deliver it, convincing consumers they are opening an email from a trusted or legitimate sender.
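The point above is easy to check for any domain: the DMARC policy lives in a TXT record at `_dmarc.<domain>`, and the `p=` tag is what decides whether a directly spoofed message is rejected, quarantined, or delivered. The following is an added example, not part of the original article or of Tessian's research; it parses DMARC records and grades them. The domain names and record contents are constructed for illustration, not looked up in DNS (a real check would fetch the `_dmarc` TXT record first).

```python
"""Parse DMARC TXT records and grade whether a domain can be directly spoofed.

Added example; the records below are constructed, not real retailers' DNS data.
"""

# Constructed sample _dmarc TXT records keyed by domain. None means no record exists.
SAMPLE_RECORDS = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example; pct=100",
    "retailer-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": None,
    "retailer-d.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
}


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict.

    Returns None when there is no record or it is not a DMARC1 record
    (for example an SPF record mistakenly published at _dmarc).
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # empty trailing segment or malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record):
    """Grade a record by how much it actually stops direct domain spoofing.

    'missing'       no usable DMARC record; receivers apply no policy at all
    'monitor-only'  p=none: reports are sent, but spoofed mail is still delivered
    'partial'       a real policy, but pct<100 so some failing mail is still delivered
    'enforced-...'  quarantine or reject applied to all failing mail
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()  # p is required by the spec; treat absence as none
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy not in ("quarantine", "reject"):
        return "monitor-only"
    if pct < 100:
        return "partial"
    return "enforced-" + policy


def audit(records):
    """Classify every domain in a {domain: record} mapping."""
    return {domain: classify(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:22} {verdict}")
```

Only the `enforced-reject` and `enforced-quarantine` outcomes block a message that uses the retailer's exact domain; a `p=none` record is useful for collecting reports while rolling out SPF and DKIM, but it offers consumers no protection by itself.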
As more people shop online, retailers need to do everything they can to protect their customers and employees from phishing scams. Ensuring their entire email ecosystem is secured is a necessary first step. Educating people on the threats and how to avoid falling for the scams is also incredibly important. Therefore, if you detect something “phishy” in your inbox this shopping season, here are our tips:
- Always check the sender's actual email address, not just the name, especially if you're on a mobile device. Scammers take advantage of the fact that many mobile mail clients show only the display name by default, so a hacker can send a message from an unrelated email address but set the display name to "the brand" to make it appear legitimate.
- Cross-check to confirm that the too-good-to-be-true deals have been mentioned elsewhere on the retailer's website and official social media channels.
- Pause and ask yourself, "Does this request make sense?" If you receive an email or text message from a retailer or logistics company that asks you to share sensitive information with a sense of urgency or deadline, it’s most likely a scam.
- Check for spelling or grammar mistakes. Legitimate messages from large companies will rarely have errors.
- When you're on a website, look at the full address in the URL bar, not just the padlock. The padlock only means the connection is encrypted (HTTPS); it says nothing about who runs the site, and phishing sites routinely have valid certificates. Check that the domain is the retailer's real one, and if a page asking for payment details has no padlock at all, close it.
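The display-name trick in the first tip above can also be checked automatically, which is what mail filters do for the cases a reader on a phone will miss. The following is an added example, not code from the original article or from Tessian's product: it parses a From: header, compares the brand claimed in the display name against the domain the message actually comes from, and flags mismatches. The brand-to-domain mapping and the sample headers are constructed for illustration.

```python
"""Flag From: headers whose display name claims a brand the address domain does not belong to.

Added example; the brand table and sample headers are constructed, not real mail.
"""
from email.utils import parseaddr

# Assumed mapping of brand names to the domains they really send from.
KNOWN_BRANDS = {
    "example retailer": {"example-retailer.com"},
}

# Constructed sample From: headers. The second and third are the mobile-friendly
# spoofs described in the article: brand in the display name, unrelated address.
SAMPLE_FROM_HEADERS = [
    "Example Retailer <deals@example-retailer.com>",
    "Example Retailer <promo-team@mail-deals.example.net>",
    '"deals@example-retailer.com" <x9k2@free-mail.example>',
    "Customer Service <support@example-retailer.com>",
]


def sender_domain(address):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def is_suspicious(from_header, known_brands=KNOWN_BRANDS):
    """Return True when the display name invokes a known brand (by name or by
    embedding one of its domains, a common trick) but the real address domain
    is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    name_l = name.lower()
    for brand, domains in known_brands.items():
        claims_brand = brand in name_l or any(d in name_l for d in domains)
        if claims_brand and not belongs_to(domain, domains):
            return True
    return False


def triage(headers):
    """Map each header to its verdict so a batch can be reviewed at once."""
    return {h: is_suspicious(h) for h in headers}


if __name__ == "__main__":
    for header, flagged in triage(SAMPLE_FROM_HEADERS).items():
        print("SUSPICIOUS" if flagged else "ok        ", header)
```

Note that this only catches display-name spoofing; a message whose From address uses the retailer's real domain passes this check, which is exactly the case DMARC exists to cover.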
Tim Sadler is CEO and co-founder of Tessian, a company that uses machine learning technology to automatically predict and eliminate advanced threats on email caused by human error.