While the whole Black Friday through Cyber Monday long weekend is expected to yield a big bounty for retailers, it’s also (unfortunately) the most wonderful time of the year for cybercriminals. If a recent survey by DomainTools is any indication, odds are that you either know someone, or you are someone, who has been taken in by a phishing attack.
Even though 91 percent of U.S. consumers in the survey declared themselves phishing-aware, nearly 2 in 5 have clicked on a bad link, with various results, none of them good. The phishin’ hole is deeply stocked, too: 92% of us shop online regularly, and around half of us will be filling those carts on Black Monday. These kinds of statistics are music to criminals’ ears.
You Might be Santa Claus
Consumers who fall for deceptive links, coupons, or other lures give criminals “gifts” that can pay off in an ongoing way. When you click on a phony retail site and enter your login credentials, you potentially enable any or all of the following Bad Things:
- The criminal now has access to your account on the real retail site (the one they spoofed in the lure). They can use this to place fraudulent orders in your name.
- If you added credit card information on the phony page, they now have cardholder information that they can either use, sell on a carder forum, or both.
- If you reuse passwords—as many people do—they may try your login credentials on other sites to see if they can gain access to those, as well.
- They may pass along a piece of malware that could do anything from report your keystrokes (continuously, not just when you logged on to the phony page) to encrypting your files to hold them for ransom, to recruiting your computer’s processing and network resources to participate in a distributed denial of service (DDoS) against some other target.
You didn’t realize you were that generous to strangers, did you? But it’s true—the Anti-Phishing Working Group, which does exactly what its name suggests, reported the detection of nearly 119,000 unique phishing sites during November 2016, with over 300 individual brands targeted. This year is unlikely to be any better. The brands with the most spoof-worthy websites this November will probably correspond to the most popular online retailers, which include Amazon (82%), Walmart (36%), and Target (20%). The reason all this infrastructure exists is that it works: unwary consumers fall for the lures.
Don’t Be Santa Claus. Be the Grinch.
Despite the grim stats, all is not lost. There are steps you can take to avoid handing valuable information over to thieves. Here are some tips to help make yourself decidedly less generous to them this season:
Tip #1: Get Domain-name-savvy
Shopping tends to be fast-paced, and that is part of the problem; it helps explain the disconnect between phishing awareness and phishing susceptibility. When we’re moving fast, we are less likely to notice cues that could help distinguish a phony site from the real thing. If we’re multitasking, our vigilance drops even further. So, this season, slow down a little, take a deep breath, and look more closely at what you’re being invited to click. Here are some ways to detect the wiles of the phisher.
- If you are tempted to click on a link, hover your mouse over it first. In some browsers, including Chrome and Firefox, this triggers a small pop-up near the bottom of the browser window, which shows what URL the link goes to. Read it carefully: is it the same domain name that the real business uses?
- Look for typos, such as the number 1 substituted for lowercase L, flipped letters, extra letters, or missing letters. Warning: some “typo” domains are extremely clever, using extended character sets that substitute nearly-identical characters for the real ones. The domain ᴡhatsapp[.]com looks legitimate, but when you do the mouse-over trick, you see that the real domain is xn--hatsapp-h41c[.]com. You will feel like an infosec superstar when you catch tricks like this!
- Watch for add-on words and obscure domain extensions. Big retailers tend not to append extra words to their domain names, and if they do, they don’t use obscure domain extensions (called “top-level domains” in the biz). The domains amazonshop[.]gq, targethome[.]today, and walmart-outlet[.]ga are all examples.
- For extra credit in domain-name-savvy, study how domain names are constructed. A good tip is to watch for the last appearance of a dot in the URL, because that is what signals where the real domain name ends. A scam made the rounds last year with phony Starbucks coupons that used the URL starbucks.com-latte[.]us. In this example, the actual domain name is com-latte[.]us—and that domain was controlled by a scammer. The starbucks.com part was actually not part of the registered domain name. Domains generally have only one dot, which comes right before the top-level domain extension. (Do be aware that there are some exceptions to the rule, most notably .co.uk and similar country-code top-level domains.) If the name of the retailer is a word or two removed from the top-level domain, there’s a much greater chance that you’re looking at a spoof domain.
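The checks above can be automated. The following Python script is an added example written for this article (it is not DomainTools code): it renders a hostname the way the browser status bar does (Unicode labels become their xn-- form), applies the “last dot” rule with a handful of co.uk-style exceptions, and flags hostnames that mention a brand without being that brand’s registered domain. The suffix list, the brand-to-domain table and the digit-for-letter swaps are constructed for the example; a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short list of multi-label public suffixes (the
# co.uk exceptions mentioned in the article). Assumption: a real tool would
# load the full Public Suffix List instead of this handful.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Constructed brand -> official registrable domain table (an assumption).
KNOWN_BRANDS = {"amazon": "amazon.com", "walmart": "walmart.com",
                "target": "target.com", "starbucks": "starbucks.com"}

# Two of the digit-for-letter swaps the article warns about (constructed).
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})


def to_ascii_host(host: str) -> str:
    """Render each label the way the browser status bar does: Unicode labels
    become their 'xn--' punycode form, ASCII labels are just lowercased."""
    out = []
    for label in host.lower().rstrip(".").split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def registrable_domain(host: str) -> str:
    """The article's 'last dot' rule: the label before the final dot plus the
    TLD is the registered name, except for suffixes such as co.uk."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url: str) -> list:
    """Return the warning signs a careful shopper would notice for this URL."""
    raw = (urlsplit(url).hostname or "").lower().rstrip(".")
    host = to_ascii_host(raw)
    reg = registrable_domain(host)
    findings = []
    if host != raw:  # non-ASCII characters were hiding the real name
        findings.append(f"non-ASCII characters: the real domain is {reg}")
    normalized = host.translate(LOOKALIKES)  # undo 1-for-l style swaps
    for brand, official in KNOWN_BRANDS.items():
        if brand in normalized and reg != official:
            findings.append(f"mentions {brand} but the registered domain "
                            f"is {reg}, not {official}")
    return findings
```

Running assess() on the article’s own examples shows why the status-bar check matters: starbucks.com-latte.us resolves to the registered domain com-latte.us, and ᴡhatsapp.com is reported as xn--hatsapp-h41c.com.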
Tip #2: Do Your Own Navigation
Let’s say you discover an email or an ad or a coupon, seemingly from Acme Grommets, with a can’t-miss deal on 2017’s hottest grommet. Rather than clicking on the link or ad, pull up your browser and type in Acme’s main page address manually. From there, navigate your way toward the bargains. If an email contained a promotional code, you can type that into the (real) Acme site to get the same bargain. (Of course, if the email was a phish, the promo code may not work, but this way you didn’t fall for the lure!)
Tip #3: Be Paranoid: They Really Are Out to Get You
Sad but true: basically, if you have a heartbeat and an Internet connection, criminals want your money and your data, and they’re working pretty tirelessly to get it. Never forget this as you conduct your online business. Here are a few specifics to guide you:
- If something is too good to be true, it likely is, especially if it was emailed to you. Look for corroborating evidence that the deal is real before you click.
- Apply the same scrutiny to ads that appear on other sites: the tips here are as relevant to ads as they are to email links.
- This will be particularly difficult during Cyber Monday, as the entire day is dedicated to sales, deals and promotions, but apply your newly-minted skills to every shopping action you undertake. In short, stay hyper-skeptical.
- Be extremely hesitant about adding details, such as social media profiles, to any promotional materials asking for them.
It’s Not As Hard As You Think, But You Do Have To Commit
Inspecting or rejecting email links, doing your own shopping navigation, and exercising healthy skepticism: if you spend even ten or fifteen minutes studying and internalizing these tips, it could save you considerable heartache later on. And here’s the best part: unlike those Black Friday or Cyber Monday deals, these new habits will help keep you safe throughout the year, and that’s important, because cybercriminals never seem to go on vacation.