
‘Tis The Season To Get Scammed

Cybercriminals want to take the partridge and the pear tree

David Braue

Melbourne, Australia – Dec. 2, 2021

It’s an annual ritual that has become as inevitable as overdone light displays and regifting presents from last year — yet as cybercriminals ramp up their malware and scam campaigns in the run-up to the end-of-year holidays, far too many people will get caught out and suffer the loss of their data, money, or even their identity.

Cybercriminals took more than $53 million from the more than 17,000 victims who reported scams and malicious hacking during the 2020 holiday shopping season, according to the FBI Internet Crime Complaint Center (IC3) — which posted this year’s warning the day before Thanksgiving, apparently aiming to remind shoppers gearing up for a long weekend of online shopping overindulgence.

Organizations like the Better Business Bureau (BBB), government agencies like the Federal Trade Commission, security firms like Trend Micro and retailers like Amazon have published reports and warnings highlighting the risks of holiday scams — and offering advice on how to avoid traps like fake online shops, high-pressure announcements of “flash” sales, popups showing purchase records that invite clicks, and sites requiring unusual payment methods like cryptocurrency or prepaid gift cards.

Recently updated for 2021, the BBB’s annual “Naughty List” includes 12 common scam methodologies that shoppers should familiarize themselves with — and avoid at all costs.


“I’m not being mean, I’m not being hacked.”

Yet for all the warnings, once the dust has settled on this year’s shopping season, it’s inevitable that too many enthusiastic shoppers will be counting the cost of a holiday season that cost them in more ways than one.

Even well-meaning shoppers expose themselves to compromise when they are enticed by online and retail shops to hand over contact details with promises of discounts and other rewards.

“You walk into a retailer, but who are they — a retailer, or a big data company?” Steve Morgan, founder of Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine, recently pointed out.

“They are both,” he continued, “and they’re building up their data mine. They want your contact information, and they make you feel guilty if you don’t give it to them — even though not giving it to them means the likelihood of being hacked is going to go down dramatically.”

Scam of the day

Because they try to trick victims by blending in with legitimate emails or web traffic, scams tend to follow cycles throughout the year, often tapping into changing buying patterns for particular holidays or exploiting hot-button issues such as the current shipment delays that are plaguing online holiday shoppers.

One ongoing campaign, for example, has impersonated Amazon to harvest victims’ credit card details and personal details like phone numbers.

Another tapped the surge in generosity on November 30 — known as Giving Tuesday, the date is an antidote of sorts to the shopping indulgences of the Black Friday long weekend — while other recent attacks have included fake ransomware, ephemeral malicious phishing shopping websites, the use of small fonts to trick security scanners, and even attacks that capitalize on the ongoing disturbance around vaccination passports.

“This is all changing so quickly that there will literally be a scam of the day,” Morgan said, advising shoppers to be frugal with their personal information and to teach their children to do the same.

Scams are also being targeted at employers who naturally struggle to keep up with increased volumes of purchases, emails, and everyday tasks.

“When you’re busy, you’re distracted,” he explained. “And that’s when you need to remind yourself that there are a lot of phishing emails going around — and that’s how you get infected with ransomware.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.
