How scammers use Black Friday to target consumers

Holiday shopping scams try to bait consumers with special giveaways, giftcards, discounts, and coupons, according to a new report from cyber security company ZeroFOX.

Strong Black Friday and Cyber Monday sales crush fears of retail apocalypse but not cyber security concerns

The holiday shopping season is a busy time for consumers as they search for sales and promotions on the right presents to give to family and friends. But it's also a busy time for cybercriminals who take advantage of the season and the shopping frenzy to scam unsuspecting victims. A report released today by ZeroFOX describes how cybercriminals use holidays such as Black Friday to defraud and attack Internet users.

SEE: Phishing and spearphishing: An IT pro's guide (free PDF) (TechRepublic) 

To conduct its research, the team at ZeroFOX collected hundreds of thousands of posts, pages, domains, certificate transparency logs, websites, and chatter related to Black Friday. Looking at information gathered between November 1 and November 20, 2019, ZeroFOX found 61,305 potential scams referencing 26 different retail brands. Most of the scams were targeted at customers of brick and mortar stores, with a small percentage aimed at electronics brands. Brick and mortar retailers are prime targets because they sell a range of items in great quantity, thereby hitting a large pool of consumers.

Deployed through email, social media, and other avenues, the scams uncovered by ZeroFOX typically try to bait people with giveaways, giftcards, or coupons, essentially promising "something for nothing." To enter a contest to win a giveaway or giftcard, recipients are asked to share certain personal information such as an email address and a physical address. The scams leverage the holiday shopping season by expressing a sense of urgency.

ZeroFOX also found specific words and terms employed by scammers. Among the scams discovered, 11,741 contained language related to gift-giving, 4,593 contained the word "holiday," 637 were related to Black Friday or Cyber Monday, 353 mentioned "Christmas" or "Thanksgiving," and 554 included the word "donate." Scammers also have taken advantage of certain hashtags in their social media posts, such as #blackfriday, #cybermonday, and #giveaway.

Online shoppers are equally at risk as scammers set up fake and malicious domains. Analyzing a list of 124,000 domains that contained one of 26 brand names selected for its report, ZeroFOX found that Apple, Amazon, and Target were the top impersonated domains. Other retailers for whom fake domains were discovered included Tiffany & Co., Sony, Samsung, Microsoft, and Hermes. Many of the phony domains contained keywords that could be used for phishing attacks that try to trick users into signing in with their login credentials.

Delving further into the suspicious domains, ZeroFOX discovered phishing websites, giveaway scams, coupon scams, and some suspicious Google Chrome extensions. One particular Chrome extension was installed more than 60,000 times, eliciting dozens of negative reviews citing malware, data theft, and even one alleged attempt at extortion by the developer.

To better protect yourself against scammers, especially during the holiday shopping season, ZeroFOX offers a few pieces of advice:

  • Verify the URL of any site you make purchases from. Phishing and counterfeit goods sites often imitate the websites of legitimate brands in order to appear more credible.
  • Use caution when interacting with promotional sites, especially when asked to provide sensitive personal information. If a promotion sounds too good to be true, it probably is. Consider using a separate email for promotional entries.

"ZeroFOX recommends exercising a level of caution whenever you consider giving away valuable personal information for promotions or giveaways," the report further advises. "Legitimate giveaways rarely ask for anything more than an email address. A promotion requesting anything further is likely a scam. Additionally, as you make online purchases this holiday season, be sure to verify that the domain you are making a purchase from is the one you intend to interact with. Attackers often mimic reputable brands to peddle their own scams and phishing sites."

Also see

computer security


Image: Getty Images/iStockphoto