Republished on December 1 with new Cyber Monday warnings highlighting dangerous cybersecurity threats to online shoppers.
With Black Friday now here, it is clear that the dangers facing online shoppers are greater than ever. The latest reports suggest scam websites have surged 89% over last year, and almost 80% of shopping offers hitting inboxes are fraudulent. We have even seen Google search results poisoned to send traffic to dangerous websites.
Little surprise then that the FBI has released a new warning for online shoppers, setting out the sellers that must be avoided on Black Friday, Cyber Monday and throughout the holiday season. For all users of Chrome, Safari and Edge, which control 95% of the US browser market, this is a must-have checklist to stay safe.
The FBI’s advice on which sellers to avoid comes down to seven key points. Think of this as your online safety check during the holiday season—don’t take any risks:
- Don’t buy from websites until you’ve carefully checked the URL to ensure “it’s legitimate and secure.” Websites should have the telltale secure connection padlock in the address bar and https at the beginning of the full address. If the website is not secure or the URL is not obviously right, move on.
- Do not buy from a website for the first time until you’ve done some research and checked any available online reviews. Remember, reviews can be faked as well, so don’t stop at the first one you find.
- If you’re using an auction site or similar marketplace, “be wary of sellers with mostly unfavorable feedback ratings or no ratings at all.” You want sellers with a large number of completed transactions and favorable reviews.
- Don’t buy from sellers “who act as authorized dealers or factory reps of popular items in countries where there would be no such deals.” This is a well-known scam whereby these shopfronts take orders and rarely ship goods, and those they do ship are usually counterfeit.
- Also beware of any sellers “who post an auction or advertisement as if they reside in the U.S. but then respond to questions by stating they are out of the country on business, family emergency, or similar reasons.” Again, this is a typical scam whereby the seller will offer a plausible excuse for having an overseas address or phone number. Move on.
- Don’t buy from websites that specify unusual shipping arrangements or that offer to bypass customs checks or fees. Similarly, don’t buy from sellers you don’t know who request direct money transfers. Always use a credit card, which brings additional checks and protection.
- Don’t pay for items you buy with pre-paid gift cards. As the FBI explains, “in these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item.”
According to the cyber research team at Check Point, “cyber criminals are putting in overtime—with Black Friday and Cyber Monday approaching, threat actors are poised to take advantage of consumers hoping to shop the yearly discounts.” The team warns that this year’s “surge in websites related to Black Friday is 89% higher than the surge in the same period last year… Nearly all of these sites impersonate well-known brands, and almost none are classified ‘safe’.”
Check Point offers a similar five-point checklist to the FBI’s:
- “Check URLs closely for misspellings or unusual host domains.
- Make sure the URL starts with https:// and shows a padlock icon.
- When emails come in, reference the sender against emails you know to be real. Don’t click anything you’re not sure about.
- Don’t blindly click through on QR codes.
- Never input unnecessary details like your social security number, and avoid inputting extra info like your birthday where it’s not required.”
Check Point also gives some examples of the kinds of URLs designed to trick users into visiting fraudulent websites:
- Stüssy (Streetwear): stussycanadablackfriday[.]com
- Longchamp (Bags): longchampblackfriday[.]com
- Wayfair (Online Home Store): wayfareblackfriday[.]com
- SOREL (Footwear): soreloutletblackfriday[.]com
- Crew (Retail): jcrewblackfriday[.]com
- IUN (Footwear): blackfriday-shoe[.]top
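Every hostname in that list follows one pattern: a brand name, sometimes misspelled (wayfare for wayfair), glued to a seasonal bait word in a domain the brand does not own. The Python below is an added illustration of how a defender can flag that pattern automatically; it is not tooling from Check Point or the FBI, and its brand list, “official” domains, bait words and edit-distance tolerances are constructed assumptions rather than anything stated in the article.

```python
from __future__ import annotations

# Constructed reference data (assumed, not taken from the article): brand token ->
# the registrable domain the brand is taken to own. Real use would load a curated list.
OFFICIAL = {"stussy": "stussy.com", "longchamp": "longchamp.com",
            "wayfair": "wayfair.com", "sorel": "sorel.com", "jcrew": "jcrew.com"}
# Seasonal bait words: brands put these in URL paths and subject lines, not in new domains.
PROMO_TOKENS = ("blackfriday", "cybermonday", "outlet", "deals")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as wayfare vs wayfair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_in_label(label: str) -> str | None:
    """Return the brand a domain label imitates, verbatim or within a few edits of a
    same-length window; the tolerance grows with brand length to limit false hits."""
    for brand in OFFICIAL:
        if brand in label:
            return brand
        n, tolerance = len(brand), len(brand) // 3
        if any(levenshtein(label[i:i + n], brand) <= tolerance
               for i in range(len(label) - n + 1)):
            return brand
    return None

def assess(host: str) -> tuple[str, list[str]]:
    """Classify a hostname (defanged '[.]' accepted) as official, lookalike, suspicious or
    unknown. Assumes a two-label registrable domain; co.uk-style suffixes need a suffix list."""
    parts = host.replace("[.]", ".").lower().strip(".").split(".")
    domain = ".".join(parts[-2:])
    label = parts[-2] if len(parts) > 1 else parts[0]
    if domain in OFFICIAL.values():
        return "official", []
    reasons = []
    brand = brand_in_label(label)
    if brand:
        reasons.append(f"imitates {brand} but is not {OFFICIAL[brand]}")
    promo = next((t for t in PROMO_TOKENS if t in label), None)
    if promo:
        reasons.append(f"seasonal bait token '{promo}' inside the domain name")
    if brand and promo:
        return "lookalike", reasons
    return ("suspicious" if reasons else "unknown"), reasons
```

A brand-only or bait-only hit is reported as “suspicious” rather than “lookalike” so that the two signals can be weighed separately; blackfriday-shoe[.]top, with no brand token in the constructed list, lands there.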
The added focus on phishing is critical. This holiday season, Bitdefender warns that “cybercriminals have wasted no time trying to capitalize on the frenzy,” with an incredible 3 out of every 4 Black Friday-themed marketing “spam” emails now actually a scam, intended to defraud you of your money or even install malware on your device to steal your credentials or your data.
This year, we have seen a deluge of AI-crafted phishing lures, which make mimicking a popular, trusted brand all too easy. And these enticing, time-sensitive offers can be pumped out to email addresses on an industrial scale.
“Remember,” the FBI warns, “if it seems too good to be true, that’s because it is.”
The retail numbers just released show how big a target this holiday shopping season has become for cyber criminals, and why the FBI’s advice is so critical. According to Adobe, this year will see record levels of spend, with its forecasts suggesting “consumers will spend a record $241 billion online during the 2024 holidays, up 8.4% from 2023.” That sheer level of activity drives the scammers’ paradise that the FBI and others have warned about.
Salesforce also forecasts a record level of spend this year, reporting (via TechCrunch) that “Thanksgiving generated $33.6 billion in sales online globally, up 6%. The U.S. market alone was up 8% to $8.1 billion. Europe was also a standout, growing 10%.”
From a cybersecurity perspective, the standout statistic in Adobe’s report is not the overall spend but the percentage being spent on mobile devices. “Mobile spending momentarily overtook desktop spending during the 2023 holidays and will be even more prominent in 2024. This holiday season, Adobe forecasts mobile revenue share will hit a record 53.2% of online shopping and account for $128 billion.”
That’s critical because it’s much more difficult to spot a scam on a mobile screen than on a larger laptop or desktop. Truncated URLs and lures optimized for small screens are hard to inspect, to say nothing of one-click attacks arriving via social media and messengers. It’s all too easy on mobiles given how quickly users switch between apps and browsers.
It’s obvious why mobile spend is now so high given the ease of buying while sitting with friends and family without having to open a larger screen. According to Salesforce, mobile orders on Thanksgiving itself were up 3% on last year, accounting for more than 70% of all orders it tracked on Thursday.
ESET has now published guidance on what to do if you think you’ve been caught out by a scammer on Thanksgiving or Black Friday. Do this right away: the sooner you act, the more likely you are to significantly reduce the scale of any losses.
- “Report the scam immediately to authorities like Action Fraud in the UK or the FTC in the US
- Tell your bank and, if relevant, freeze your cards – requesting new ones
- Stop contact with the scammer and don’t tell them why
- Change any passwords that may have been compromised
- Freeze your credit to prevent scammers opening new credit lines in your name. You’ll need to contact each of the three major credit bureaus separately: Experian, TransUnion, and Equifax
- Gather evidence of the scam in case it is required”
With this year’s Black Friday now over, attention turns to Cyber Monday and warnings that shoppers need to be even more vigilant given the additional dangers this second scammer honeypot brings. With many shoppers back to work, distracted while shopping in the margins of their daily activity, the opportunity to miss a trick is heightened, and the potential for threats to escalate to work systems adds dangers.
The Better Business Bureau’s advice for Cyber Monday shoppers has been making headlines in various parts of the US this weekend. “The Monday following Black Friday, known as Cyber Monday, is one of the top shopping days of the year… Online shopping – even on Cyber Monday – has risks. Be wary of misleading advertisements, lookalike websites, and untrustworthy sellers.”
While the stats from Black Friday suggest a shifting balance between physical stores and online, Cyber Monday is a pure play. It is focused on online offers and lends itself to those shoppers who have missed Black Friday discounts looking to make good.
BBB’s Cyber Monday advice is clear:
- Pay particular attention to deals for “hot” items. As BBB says, “if a company sells the hottest item of the year at a price that seems too good to be true, it probably is.” This means being on your guard for false or misleading ads, especially on social media as you spend the post-Black Friday weekend looking for deals you may have missed.
- As with the FBI’s advice, look out for lookalike websites and emails, and ensure you check carefully before assuming a marketing site or email is really linked to the trusted brand it presents.
- Again, just as with the FBI’s advice, BBB warns consumers to “shop with trustworthy sellers on secure sites only. Be wary of businesses you aren’t familiar with. Check their BBB Business Profile on BBB.org, review the rating, and read customer reviews.” That means checking for the padlock in the web address bar and that all connections are HTTPS.
- BBB says you should “never put personal or credit card information in forms on non-secure webpages.” I would go further, and advise you not to use non-secure webpages at all, and certainly not to input any data into them.
- If you’re shopping on a PC, ensure you have good antivirus software in place, and be very careful before downloading and installing any software at all and opening any attachments, whether from websites or emails.
- BBB advises consumers to “price check before you buy… Dozens of online retailers will claim they have the best price on an item, but their offers can be misleading. Do your homework by comparing prices. Remember that the best deal may not be the real deal.”
- BBB also suggests you use any reward or loyalty programs where you can; this includes programs that come with your credit card or other store or travel cards. Many of these programs offer retail links, with the added advantage that you can be fairly certain any retail sites linked to a trusted loyalty program are likely safe—still do your usual checks, though.
- As always, “watch out for phishing scams. Busy schedules and increased purchases make it easier to miss – and fall victim to – a phishing scam.” This counts double when you’re at work. There are major cybersecurity issues with staff bringing their own devices to work and connecting them to enterprise systems. Accessing fake shopping websites on Cyber Monday is a risk not only to you but also to the enterprise from which you’re going online.
- And then the usual housekeeping factors—use a credit card, check shipping and return policies, and don’t make any special arrangements that seem unusual.
Cyber Monday plays into the wider enterprise risk of bringing your own devices into the office and connecting to your company’s network and systems. Zimperium’s 2024 mobile security report warned that 83% of phishing sites specifically target mobile devices and 70% of businesses “fail to adequately secure personal devices used for work purposes.” This is especially relevant to Cyber Monday. According to Zimperium, “90% of successful cyberattacks originate from endpoint devices [with] 71% of employees admitting to engaging in actions they knew were risky.”
According to ArcherPoint, “the surge in online activity makes Cyber Monday a prime target for cybercriminals. Threats like phishing, data breaches, and fraud spikes highlight the need for robust security measures. While the advice might seem repetitious, it is always a good idea to rethink your online security and take precautions to avoid being a victim of cybercriminals.”
Cybersecurity firm Darktrace warns that “Cyber Monday is a cybersecurity nightmare,” with enterprise security teams needing to be as much on guard as the consumers on the front line where these scammers are concerned.
“Most of us tend to use personal email addresses for our holiday shopping, but in an era of remote and hybrid working, this can easily have knock-on effects, granting attackers a backdoor into the corporate sphere,” the firm says. “BYOD has seen a surge in popularity to enable flexible working, increase efficiency, reduce costs, and give employees the opportunity to use IT they feel comfortable with.”
Darktrace attributes the risk to the “increasing convergence of our personal and professional lives,” and warns: “Phishing emails that target personal email accounts – often using more relaxed email security measures – therefore put organizations at risk. Malicious executable files may grant an attacker access to the device, and from here they can pivot into corporate activity, and infiltrate an organization through a single, careless employee.”
Just make sure that’s not you this Cyber Monday.