The traditional holiday season is a busy time for many people as they prepare for celebrations and shop for gifts. But it’s also a busy time for scammers as they devise ways to cheat and steal, sometimes through phishing campaigns that try to trick people into divulging personal information. In a blog post published on Thursday, security company GreatHorn warns of four different scams likely to pop up this season and offers advice on how to combat them.
A typical phishing campaign starts off with an email in which the attacker impersonates a well-known brand, product, organization, or other entity. The goal is to trick the recipient into believing that the email is legitimate and is of great interest or importance.
Anyone who clicks on a link or file attachment in the email is taken to a landing page where they’re asked to sign in with certain account credentials or provide sensitive data, which the attacker then captures.
In one phishing campaign cited by GreatHorn, the attacker impersonated the name and brand of Coca-Cola and informed recipients that they had won a jackpot sponsored by the soda company. To claim the prize, users were instructed to enter their bank account details, which then were compromised by the cybercriminals or sold on the Dark Web.
Many phishing emails and landing pages are amateurishly created, so they’re easier to spot as frauds. But criminals have gotten more sophisticated over time, so some of the latest attacks are harder to detect, especially if the recipient doesn’t scrutinize them for mistakes and other warning signs. As the holiday season comes, here are four types of phishing campaigns to watch out for, according to GreatHorn.
Fraudulent shipping notifications
As more people shop online during the coronavirus pandemic, cybercriminals are launching more phishing emails that impersonate shipping notifications. In some cases, these emails include links to pages that aim to trick the victim into signing into the impersonated website with their account credentials. In other instances, the emails come with file attachments that masquerade as receipts but actually contain malware designed to log your keystrokes, install ransomware, or steal data.
To avoid this scam, don't open attachments from unexpected or suspicious senders, and don't follow links in the email to external pages; go to the retailer's or carrier's site directly and look up the order there. Legitimate e-commerce sites will provide your shipping details in the body of the email and send from the company's own domain, which you can check in the sender address. Malicious emails come from a generic or unrelated domain, such as a free webmail provider, that has nothing to do with the brand they claim to represent.
Charity scams
This type of scam typically tries to trick the recipient into believing that they're donating money to a charity. In reality, the scammers are luring people to donate to charities that don't exist. This year, phishing campaigns are likely to exploit COVID-19 to convince people to donate to coronavirus-related charities.
To avoid this scam, check the charity. Legal and legitimate charities are registered, which means you can cross-check the organization’s credentials with a public database to see if it’s genuine. Also, avoid responding to any strangers who ask for money upfront through an email.
Gift Card/Coupon Scam
Gift cards and coupons are an easy way for criminals to get money: a gift card code, once handed over, is spent immediately and is almost impossible to trace or reverse, which is one reason this type of fraud is popular among cybercriminals. As more people shop online for the holidays, more scammers are likely to use gift cards and coupons to steal money from unsuspecting consumers. In this scam, the phishing email typically creates a sense of urgency by offering a great deal on a popular product, but the attackers ask for payment through gift cards.
To avoid this scam, be wary of any coupons that offer great deals and discounts on popular items, and treat any request to pay with gift cards as fraud, since no legitimate retailer takes payment that way. Scammers direct potential victims to spoofed landing pages where they are asked to enter personal data such as their credit card details. Avoid giving any sensitive information through a webpage to someone you don't know or trust.
Travel Phishing Scams
With most people stuck at home in lockdown mode, a vacation to an exotic location sounds enticing. So you book your trip. But then you receive a notice informing you that due to the pandemic your booking has been canceled. The email notice asks you to fill out a form to claim your refund. But the external form is a malicious one designed to capture your personal information.
In a related scam, you’re offered free air travel tickets from what seems to be a legitimate airline. The only requirement is that you forward or share a link to the deal on your social media account. But therein lies the catch. The link leads people to a phishing site where scammers try to capture their personal information.
To avoid this scam, check the sender address on any such suspicious emails you receive. Two warning signs: the external site uses http:// instead of https://, and the email domain points to Gmail, AOL, or Yahoo rather than the airline's own domain. The reverse does not hold, though: a site served over https:// can still be a phishing site, since attackers obtain valid certificates easily, so the domain itself is what to check. Don't enter any information on a third-party app or website. And beware of social media requests: no airline or travel company will ask you to sign into your social networking accounts.
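As an added example (not from the GreatHorn post or this article), the following Python script applies the sender-domain and link checks recommended in the shipping and travel sections above to raw email messages. The brand allowlist, the three sample messages, and the `.test` domains are constructed for the example, and the domain-splitting helper is deliberately crude. The third sample shows why https alone proves nothing: it uses https on a lookalike subdomain and is still flagged because the registrable domain is not the brand's.

```python
"""Apply the article's sender-domain and link checks to raw email messages.

Added example, not code from GreatHorn or TechRepublic. The allowlist and
sample messages are constructed; domains under .test are never real.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist (hypothetical): the domains a brand really sends from
# and links to. A real deployment would build this for the brands users see.
BRAND_DOMAINS = {
    "example air": {"example-air.test"},
}

# Free webmail domains the article names as a warning sign for brand mail.
FREE_WEBMAIL = {"gmail.com", "aol.com", "yahoo.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.test, wrong for
    two-label public suffixes such as co.uk; use a public-suffix list for real use."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def assess(raw_message, claimed_brand):
    """Return warning strings for a raw RFC 5322 message that claims to come
    from `claimed_brand`. An empty list means none of the article's checks
    fired; it does not prove the mail is genuine."""
    allowed = BRAND_DOMAINS[claimed_brand.lower()]
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    warnings = []

    # Check 1: the From address must belong to the brand, whatever the display
    # name says (display names are free text and trivially spoofed).
    if sender_domain not in allowed:
        warnings.append(f"sender domain {sender_domain!r} does not belong to {claimed_brand}")
    # Check 2: brand mail from a free webmail provider (the article's explicit sign).
    if sender_domain in FREE_WEBMAIL:
        warnings.append(f"sender uses free webmail provider {sender_domain!r}")

    # Checks 3 and 4: every link should be https AND point at the brand's own domain.
    for url in URL_RE.findall(text_body(msg)):
        parsed = urlparse(url)
        link_domain = registrable_domain(parsed.hostname or "")
        if parsed.scheme.lower() != "https":
            warnings.append(f"plain-http link {url}")
        if link_domain not in allowed:
            warnings.append(f"link {url} points at {link_domain!r}, not {claimed_brand}")
    return warnings


# Constructed sample messages (not real mail).
PHISH = """From: "Example Air Rewards" <examp1e.air.promo@gmail.com>
To: victim@example.net
Subject: Your free tickets are waiting

Share this link on your social media to claim two free tickets:
http://example-air-rewards.test/claim?id=12345
"""

PHISH_TLS = """From: Example Air Refunds <refunds@claim-refund.test>
To: victim@example.net
Subject: Your booking was cancelled - claim your refund

Fill in the refund form here:
https://example-air.test.claim-refund.test/refund-form
"""

LEGIT = """From: Example Air <noreply@example-air.test>
To: customer@example.net
Subject: Booking confirmation

Your booking reference is in this message. Manage it at
https://www.example-air.test/manage
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("PHISH_TLS", PHISH_TLS), ("LEGIT", LEGIT)):
        print(label, assess(raw, "Example Air") or "no warnings")
```

Run it and the first sample trips all four checks, the https lookalike trips the two domain checks, and the genuine confirmation trips none. The allowlist is the part that does the real work; the http check and the webmail check only add confidence.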
“While these four categories of phishing attacks are the most common ones in the current climate, this is certainly not an exhaustive list,” GreatHorn said in its blog post. “Please beware of any communication that requires you to disclose your personal information without giving you enough information needed to verify the institution’s or person’s legitimacy. Always double check sources making unusual requests to collect your personal information.”