
Cybercrime around the holidays, some sober thoughts and some advice



It is almost December, do you know where your credit card has been?

Like all of you at this time of year, I am of course thinking about… scams. Oh wait, shopping, and then about scams. This week I was reading a great little article on mbl.is called Fólk þarf að passa sig á Svörtum föstudegi, by Egill Aaron Ægisson, and it reminded me that this is the time when I need to start worrying whether my dad will open up a search engine and search all over the internet for things he has heard I might want for Christmas, or whether my kids will hear about something on TikTok and get caught up in the hype of getting everything you ever wanted, today. In both cases, I worry because the current internet is full of fake everything: for every brand and product one might be looking for, there is generally only a handful or two of legitimate websites you should be getting it from, and often an infinite number of websites that you should not be getting it from.

And because cybercrime is big business, and because I'm in the business of defending against it, I know that scammers love to prey on people who are busy and are in an emotional state like high excitement, high stress, high compassion, high anxiety…and that pretty much sums up buying Christmas presents for friends and family.

Want some solid advice? It is, in fact, too good to be true! (I am sorry)

Have you seen an advert saying “Everything is 50% off” from your favorite store? Be careful. It might not be your favorite store at all. Did you find some very hard-to-find shoes, or a new console game that has been sold out for months? Maybe. But also, maybe, someone is betting you are willing to suspend your disbelief and believe that you are somehow part of a select few with amazing supernatural search skills, and not perhaps one of thousands of suckers who have been drawn towards a dream purchase for a dream price, only to give away their personal and financial information.

There are really two types of holiday shopping scams: one is more of a fake sale and the other is criminal. The fake sale is just your regular everyday scam of consumerism: I have to admit that some of my best Black Friday deals were in fact inflated prices in September and October and then suddenly, just before Christmas, the deal of a lifetime at the low low price of about what it used to cost in August. But by far worse is when the login process, the credit card process or even the whole website is fake. I have seen criminals duplicate whole websites and flood social media and search results to push their sites to the top. Some create simple canned shopping sites that offer specific lists of hard-to-find items, almost like mouse traps, while others create dynamic websites which appear to have anything you search for, scraping pictures from global auction sites or Amazon, and many of these scammers promote their impossible deals during the holiday season to overwhelm legitimate offerings of products on the many platforms we get our shopping and gift ideas from. Sometimes, instead of fake sales, cyber criminals know the holiday crunch can cause tired web programmers to promote hurried updates and mistakes, so they find websites that are indeed legitimate, but are not following best practices, and compromise their sign-in pages and shopping carts to whisk away your login or credit card info. No matter what the scam is, the only thing worse than paying too much for something is paying any amount for it and then instead getting your identity or credit card stolen.

For the first, classic, holiday shopping scam

The only real question is: do you agree with the price and what you are getting? Then great. You are probably not getting the percent off the label said you saved, but if you are satisfied, buy it. But if you want to get the best price, and are not in a hurry, then take some notes on the different places you can get the items you want, and for how much, over time. It is as easy as taking screenshots and saving them to your deal hunting folder. Then when the sites you already trust have a sale, you will be prepared to see real deals and ignore fake ones where they just manipulated the prices. For instance, I’ve learned, perhaps the hard way, to be a little cautious of buying expensive “gadgets” in early winter as we often see inflated prices build up to Black Friday’s big percent off sales.

For the second, more sinister shopping scams

You can build some basic “habits of a little mistrust”, like:

  • Checking the URL carefully, twice - Small misspellings or added characters often indicate a fake site. If you came here from a link, search for the site on a different tab to make sure this is the brand’s real URL. If you are on mobile, it takes extra time to take a look at a website’s URL because mobile browsers default to hiding it to save screen space, but it is worth it, especially when shopping online. Example: “amazzon.com” instead of “amazon.com”.
  • Making sure the connection is secure - Browsers put a lot of extra computer code into trying to alert you to fraud, so don't ignore it. Example: If the browser shows “Not secure” then assume this is not the real website. Even if you are shopping through discount or second-hand sites, they should have valid security settings. The “Not secure” browser prompt is basically telling you: whatever website you think this is, the website owners failed to prove it.
  • Evaluating the overall quality of the website - Poor design, broken links, or bad grammar can signal a fake or neglected site. If there are a few here and there, everyone is human, but neglect is often financial optimization; even criminals know making good websites takes energy. Example: If you find a website that seems normal, but has a lot of strange errors, especially near logins or shopping carts, that is not a good sign.
  • Looking for basic trust and identity information - Legitimate sites typically provide real contact details, an About us section, and consistent branding. There are times when some website owners don’t have the time, energy, or know-how to follow the usual patterns, but remind yourself that if you did have a problem as a customer, it would be hard to get help or a resolution from these same websites even if they are not a scam. Example: A site with no contact info or only a generic form is suspicious if it is selling something or offering some service.
  • Being cautious if a website asks for unusual or urgent information - Scammers often push users to act quickly, agree to spontaneous requests, or provide information where they normally wouldn’t (sign up for a newsletter when you know you don’t really care, create an account when you are not actually buying, or pop-up advertisements that take you to another site). Example: A pop-up demanding you buy in 10 minutes to save, save, save, is at best psychologically pushy, and at worst is guiding you towards giving up as much of your info and finances as possible.
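
For the tired IT folk reading along, the first two habits can be turned into a small check that runs before a link is opened. This is an added example, not part of the original article; the `TRUSTED` list, the function names and the sample URLs are constructed assumptions, and the "last two labels" shortcut is a simplification that ignores the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): shops the reader already trusts.
TRUSTED = ("amazon.com", "etsy.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_url(url: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (verdict, detail) for a link before anyone types a password."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return ("not-secure", host)
    for name in trusted:
        # Exact match or a real subdomain such as www.amazon.com
        if host == name or host.endswith("." + name):
            return ("trusted", name)
    # Naive registrable domain: last two labels (no Public Suffix List).
    candidate = ".".join(host.split(".")[-2:])
    for name in trusted:
        # A near miss of a trusted name is the "small misspelling" case.
        if edit_distance(candidate, name) <= max_distance:
            return ("lookalike", name)
    return ("unknown", candidate)

if __name__ == "__main__":
    for url in ("https://www.amazon.com/deal",   # constructed samples
                "https://amazzon.com/deal",
                "http://amazon.com/deal",
                "https://example.org/deal"):
        print(url, "->", check_url(url))
```

An "unknown" verdict only means the site is not on the list; it still deserves the remaining habits above.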

All in all, the best defense against online scams

To be honest, awareness is one of the best defenses for detecting when someone is trying to swindle us. We need to be aware of the trends in the costs of things we like to buy (or know of some trusted sources we can go to when we need it), be aware of how legitimate websites generally look, and be aware of how evil-doers try to make websites that look mostly legit. For instance, jump around to the top 5 places you often visit to shop on the internet; chances are they all have a similar professional feel. Sure, they all have their own menus and logos, but notice their similarities, like sitemaps or contact us links, help sections, banners and footers, etc. Mature websites might have special pages for certifications they have, or specialized public relations pages, and they might have features like shopping history, abandoned cart reminders, your profile pages, etc., but even smaller sites like an Etsy page should have a way for you to ask a question, track shipments, and dare I say, complain.

And then, in my opinion, the second best defense against online scams

This one might sting emotionally, but remember you are probably not a special customer, nor can any company possibly sell everything at 75% off and make a profit. When you find a good sale, you should be able to understand why it is available for less than the normal price: maybe it is a return, maybe it is missing a nonessential part, maybe it has a very limited warranty, maybe it’s used, maybe it’s an older generation, maybe it was an overstock, maybe you have to buy in bulk, maybe the product is being sold cheaper in order to build a relationship with you, maybe it is discounted if you give up some of your privacy… whatever it is, remember sellers want and need money, so if it doesn't make any sense, I am sorry to say, it is probably a scam.

Finally, always check the URL before you enter passwords, personal information, or financial information

I know I already brought this up, but it is so important, and it just takes the smallest bit of time to make sure you are where you think you are, but it will save you, your family, and even your company so many headaches.

Shop wisely friends,

Aaron Galbraith, SecureIT.is - Cybersecurity Consultant

I have worked in IT for over 25 years. I eventually decided I love protecting stuff just a little bit more than I love fixing stuff. I write articles for SecureIT.is to help regular folk, and tired IT folk, make sense of cybersecurity.
