
CISA Warns Public About Online Holiday Shopping Scams

Published 04 - December - 2020
Source: Security Magazine


With more commerce occurring online this year, and with the holiday season upon us, the Cybersecurity and Infrastructure Security Agency (CISA) reminds shoppers to remain vigilant. Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions.

According to Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, Lookout saw a massive spike in COVID-19-related scams when the pandemic first broke out: a 37% increase in mobile phishing attempts. Most of these attempts were directly tied to COVID by posing as relief funds, medical updates, or entertainment for life in isolation.

So it makes sense that there would be a spike in retail-related URLs, especially at a time when online shopping has become the primary way people are purchasing things, explains Schless.

“People are shopping on their smartphones and tablets more than ever before. Threat actors know that. We receive messages about new deals and shipping updates through SMS and social media platforms all the time. Phishing campaigns based on an event, such as Cyber Monday, are built to imitate those communications. We’re programmed to interact quickly with notifications on our mobile devices. It also doesn’t help that mobile devices have smaller screens and simplified user experience that makes it more difficult to spot many of the red flags that would usually warn us of a phishing attack.”

Schless notes he has recently seen mobile-specific phishing campaigns that target users with fake SMS messages pretending to be from their local package delivery service. When the user taps the link in the message, they’re asked to identify themselves by entering their credit card number or other personal data.

“To protect yourself from mobile phishing attacks, you should never tap a link from a number or person you don’t recognize. If possible, contact the sender and validate the communication before interacting with the link. If you do tap one of these links, read the full URL in the browser. Phishing sites often use URL spoofing to look like a retailer’s website, for example, but when you view the full URL it’s actually something very different. You should also protect your phone and your personal data by using a mobile security app that offers phishing protection. Not only will this keep your personal data safe, but it also helps protect any work data you access from your personal smartphone or tablet,” says Schless.

Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, says: “When shopping online, especially at a busy time like Black Friday and Cyber Monday, be sure to update your security software and check that your firewall and antivirus are working. Always use genuine and familiar sites. If you don’t know them, check them out via Google or your favorite search engine. Also, beware of email ‘offers’ from companies you don’t recognize and even those that you do know but shouldn’t be emailing you – they’ll likely contain a malicious click-through link or even an attachment. Don’t click through or download the attachment unless you are completely certain that they are legitimate.”