Once Thanksgiving has hit the U.S., the holiday season becomes exceptionally profitable for businesses, but also quite the “steal” for consumers…as well as cyber-criminals, especially on Cyber Monday.
Created back in 2005 as the online counterpart to the “brick and mortar” Black Friday, Cyber Monday has taken on a life of its own, generating over $7.9 billion in sales last year, squashing last year’s Black Friday revenue of $6.2 billion, according to Business Insider.
Each year, the technologies readily available to these criminals grow vastly more sophisticated and complex. There are two new cyber-crimes spreading from home to home this holiday season you should be aware of:
- Password Change Requests and
- “Grinch” Bots
I can attest to the “password change request,” as I received a VERY GENEROUS notification from “Apple” concerning my iTunes account, the night before Cyber Monday. Allegedly coming in from “Apple,” apparently, I “recently requested a password reset or unlock your Apple ID.”
See anything phishy, all pun intended here, with the language in the above statement? Let’s break down this email:
First, the e-mail address, “firstname.lastname@example.org,” is not a legitimate Apple email with respect to Apple IDs, and you know this. How? Because each and every time you’ve had to change your Apple ID, it’s done through the iTunes Store and/or through an authorized representative (and never through a special Apple ID email).
Second, use common sense. I never requested a password reset because I know my password very well, and very few people have access to my account (unless I have personally given them access to it).
Third, look at the language of the email. The grammatical style of the e-mail reeks of foreign presence and a lack of understanding of the English language. Sorry to be harsh, but it’s just a fact:
“You recently requested a password reset or unlock your Apple ID.” Grammatically, that makes no sense and the “tense” of the words is off beginning with “…or unlock your Apple ID.“
Fourth, the final paragraph reeks of phishing and grammatical errors, telling you that if you didn’t make the change, to click…wait for it….these two links:
The first link, “iforgot.apple.com,” is a bad link; don’t click it. If you don’t believe me, why don’t you enter that link MANUALLY into your address bar and see what happens?
The second link, don’t even get me started–the “https” is an attempt to get you to believe that it is a secure protocol. It is not. Why? Since when does ANY “HTTPS” link not include the “www” immediately after it?
“https://appleid.apple.com” — are you kidding me? Don’t even click this. That link doesn’t exist either.
The minute you click these links, you will be taken to pages that are mirrored to look like Apple while the criminal sits back and watches you freely hand over your account credentials and financial information.
Regardless of whether you are shopping for Black Friday, Cyber Monday, Small Business Saturday, or just the overall holiday season, I have provided 5 tips for you to keep in mind while shopping, taking into account 2019’s latest cyber-security threats:
#1—Don’t Click ANY Links in Emails
As today is Cyber Monday, your e-mail inboxes are probably flooded with a number of online deals from your favorite online and physical retail stores. The problem with these emails, especially around Cyber Monday, is that you can never truly be sure if those emails are actually coming from the stores you think they are.
‘Phishing’ is where hackers send an email that is designed to look exactly like that store you think is sending you the email containing deals. So how does it work?
Let’s say you receive an email from Best Buy or Target—you open the email and almost immediately click one of the links that says “Shop Now.” While you may think you are being redirected to Best Buy’s or Target’s website—in reality, you are being taken to a page that has been mirrored to look exactly like those sites, hoping you go through the process of logging in. What you don’t know is that as you are entering your login credentials, you are essentially “pasting” that information directly into the computer server of the hacker, who only set that page up to gain access to your account and either go on a shopping frenzy or hold your personal information hostage.
Now, how do you tell those phishing emails from the actual emails the retailers send? Well, if you have the time to analyze the email—there are PLENTY of give-aways—
- Grammar and spelling of EACH and EVERY word, including the online retailer’s name
- Formatting of the email—remember, the real email will be professionally written and displayed
- Check the e-mail address of the sender—it will almost invariably be some unknown or foreign email address
But at the end of the day, don’t be lazy and just go directly to the online retailer’s website for the deal. Those deals aren’t worth giving up your personal and financial information for.
#2—Do NOT Click Pop-Ups and Ads
Surely, as you’re shopping around online, you get the occasional (or frequent) pop-up ad asking you to visit the deal on that particular advertised site.
DON’T CLICK IT.
These types of ads, known as “malvertising” or malicious advertising, can either send you to sites that, again, are mirrored to look like a retailer you are familiar with, or straight up send you to a location that will infect your device with a wide variety of harmful programs, including adware, spyware, and ransomware. Again, it’s not worth having your personal and financial information compromised simply because you’re too lazy to go directly to the site itself.
If the deal is legitimate, the pop-up will be on the ACTUAL retailer’s site—not some other website. Remember, these retailers don’t need to place ads on competitors’ websites. Think about it.
#3—Beware of “Grinch Bots”
Up to 97 percent of all online traffic to retailer login pages this holiday season is coming from “bots,” according to the cybersecurity firm Radware. These “grinch bots,” as they are commonly referred to, are largely operated by organized gangs of cyber-criminals.
And now, they are utilizing artificial intelligence (A.I.) to defeat image-based CAPTCHAs. You know, those ridiculously annoying pop-ups that ask you to choose all the pictures that have a stoplight or car in them, before allowing you to proceed with your order?
Using A.I., these bots are attempting to mimic human user activity by adding in random mouse movements and other “human-like” browsing behaviors. They fill out online forms and navigate retail sites faster than a real person can, and try to swiftly purchase limited supply gifts before you’ve even filled up your cart. The items are then sold for a higher price on third-party sites. On the days leading up to Black Friday and today’s Cyber Monday, bots outnumber humans 20 to 1.
The cyber thieves also crack into accounts, drain accounts of rewards and other digital currency, conduct credit card fraud, and more, said Ron Winward, a Radware spokesman.
#4—Use a Credit Card (Not a Debit Card)
Most importantly, when you’re shopping, please for the love of god, use a CREDIT CARD and not a debit card. I promise you, this is for YOUR BENEFIT.
Under the Fair Credit Billing Act, consumers are only liable or responsible for up to $50 in fraudulent charges—meaning, with most major credit card companies such as American Express, Discover, Mastercard, and VISA, you won’t be held responsible for the fraud, pursuant to their “zero liability” policies.
If you’re hellbent on using your debit card this holiday season, use it just to take out cash—not to spend money, because once the money is gone, it’s gone and you’re shit out of luck.
But if you’re visiting an ATM, please make sure you’re on the lookout for skimmers, which are “covers” over the actual card input that are designed to scan your entire card, so that you have just given away your entire credit card number and associated information.
#5—Use ENCRYPTED WiFi Networks
Nothing is more exciting for cyber criminals than using the free public WiFi to install malware or compromise your device.
According to one survey, 45% of Americans use public Wi-Fi to access sensitive information, which is absolutely the stupidest thing you can do, especially around the holidays. Why?
Everyone you and I know is sitting and inputting sensitive financial information into these “online retailers”–including that cyber criminal sitting a few spots down from you at the coffee shop, who has now snuck into your device and is watching you as you input your credit card information.
So, when you’re shopping, make sure you use an encrypted or private Wi-Fi network to browse the internet and, most importantly, to place your order.
#6—There is NO SUCH THING AS “FREE” DURING THE HOLIDAYS
Don’t fool yourself into thinking that these online retailers are being THAT generous. There’s no such thing as a “free” offer—unless you mean you’re freely inviting criminals into your network and device.
Don’t engage with any online surveys that ask you to fill out information so you can claim that free gift card or reward. No such thing.
At the end of the day, the holiday time is a six-figure salary for cyber-criminals. Don’t contribute to their end of the year profit.
And in case you’re wondering, no, I was not fooled by that “Apple” email I got yesterday at 4:23 p.m. from the lovely “Apple ID” team.
Stay safe folks!