Aaah! The holiday season is upon us, and so are numerous emails and ads enticing us to shop, shop, shop. Along with clever advertising come clever cyber criminals with their clever ways, and their clever emails. Their only intent: to leave you with a lump of coal in your stockings, and a myriad of financial and identity troubles.
Cyber criminals are always on the cutting edge of social engineering crime to phish you, extort you financially, and infect your devices with malware. And the holidays are a prime season for their frenzy.
According to TransUnion’s 2019 Holiday Retail Fraud Survey, about 75% of Americans plan to do at least half of their holiday shopping online this year.
Here are some recommendations to help protect yourself while shopping this holiday season.
Don’t click links in emails
Criminals have gotten really good at devising phishing lures that are extremely difficult to recognize as fraudulent. Emails are a particularly common way for fraudsters to gain access to your credit card information or identity. Hackers send what’s called a phishing email, in which they copy a store’s sale or discount email and include a link to a false portal asking for your info. If you do get a tempting promotion, go directly to the retailer’s website by typing its name in your browser.
Don’t open attachments from retailers
In the same way that you should avoid clicking on email links, don’t open attachments from retailers. “Retailers won’t hide deals in attachments – that’s where attackers hide malware,” says Michael Madon, senior vice president and general manager of security awareness for Mimecast and a former cybersecurity director for the U.S. Treasury.
Cyber criminals aren’t only impersonating retailers, either. You could get a fake email that seems to be from a major shipping company like UPS, FedEx or DHL. Instead of clicking on a tracking number listed in an email or opening up an attachment, go directly to ups.com or fedex.com to check the tracking number.
The same goes if you receive an attachment from someone who appears to be in your contact list: call them to confirm. Order something online? Before clicking the “track package” link in the confirmation email, ensure that it is actually an item you purchased from the correct vendor.
Avoid pop-ups and ads
Malware and viruses aren’t just spread via email. They can follow you around the Internet in the form of pop-ups and advertisements — these are actually referred to as malvertising, or malicious advertising.
These types of ads can send you to sites that ask for your information, but they can also infect your device with a wide variety of harmful programming such as adware, spyware and ransomware. Ransomware is a form of malware that locks up your computer or specific files and forces you to pay to get access back.
Skimmers abound
By now, you have most likely heard of skimmers being placed on the card readers at gas stations and bank ATMs. A skimmer is a hidden device placed inside the mouth of a payment card reader that is designed to copy your card data for criminals to use later. But what about in-store POS systems? Be on the lookout for suspicious-looking card swiping terminals that could be skimmers, or cash register attendants who seem to swipe your card on two different readers. Maintain this vigilance not only during the holiday season, but all the time, especially if you travel to other countries.
That practice has also gone digital, the FBI says. Cyber thieves can install malicious code on a retailer’s website to gather credit card data when you check out.
To protect yourself from this practice, you can pay using a third party such as PayPal, Venmo or Amazon, if the retailer allows it, so the store never actually has your credit card number. Or you can create a virtual credit card through sites like Privacy.com, or on your card issuer’s website, that provide temporary numbers so your information stays secure.
Use a credit card
Many experts recommend that you use credit cards instead of debit cards. That’s because the Fair Credit Billing Act makes it so consumers are only liable for up to $50 in fraudulent charges. And major credit card companies, including American Express, Discover, Mastercard and Visa, offer “zero liability” policies, so you don’t have to pay for any fraud.
Save your debit card for taking out cash, Ally Bank recommends. Not just during the holidays, but year-round. And make sure to avoid suspicious ATMs. If the ATM looks broken, or anything on the front of the machine appears dislodged, or jerry-rigged, it could mean that someone has installed a card-skimming machine.
Banks and credit card companies have implemented some great security features, such as being able to set limits on the number of times the card can be used within an hour or on the amount that can be spent on one purchase. However, if you’re unaware of these limits for your personal accounts or your phone number is not up to date in your bank profile, you may end up with a declined card.
Use a VPN client
Almost half of Americans, 45%, have used public Wi-Fi to access sensitive information, according to a survey by payment compliance provider PCI Pal.
But with all the bad bots and cyber criminals lurking during the holiday season, it can be a particularly dangerous time of year.
When shopping online, make sure you’re using a private Wi-Fi connection or your smartphone’s cellular network to browse the internet. Public Wi-Fi networks are notoriously insecure and could open you up to malware or hacking.
If you’re not using the Northwestern VPN client while on public Wi-Fi networks, you can purchase a VPN service such as ExpressVPN, which has packages starting at about $100 a year, or you can download and install Hotspot Shield Free, a service that will allow you to connect up to five devices from one account. You can also check with your phone carrier to find out if they offer VPN services with your mobile plan.
Get creative with your passwords
Almost half of Americans, 47%, use the same passwords over and over again, according to PCI Pal. But cyber thieves can use a stolen password and try to break into other accounts and sites that may expose your personal data.
Exercise strong password hygiene by choosing to use a long, easy-to-remember passphrase, such as “ipreferpassphrasesoverpasswords,” instead of complex passwords containing a combination of letters, numbers and special characters. Unfortunately, this is not always an option since many websites now require a password that contains this combination. Use different passphrases for each site. If this seems too daunting, use a password manager like LastPass. Rather than managing dozens of passphrases on your own, you’ll just have to remember the one key to your digital vault.
Always opt for two-factor authentication when available, and figure out which option is the most secure when choosing among a real-time short message service (SMS) text message, an email message or an automated phone call.
Keep a closer eye on your accounts
Throughout the holiday season, keep a close eye on your bank and credit card accounts. “Often criminals will make small charges using bot technology to see if the charge will go through before making larger purchases,” says Pavan Thatha, head of bot management at Radware.
To help protect your identity, set up alerts and monitoring — either with your bank or an outside app such as IdentityForce — that will let you know if any suspicious activity occurs. Also, keep a close eye on your annual credit report for any new accounts or queries you didn’t initiate.
Cover your cards. Yes, seriously!
Is the person in line behind you taking a selfie, or is he or she taking a picture of your card as you make a purchase? By obtaining the credit card number, name, expiration date and the card security code or card verification value on the back, an attacker may be able to use the information to make online purchases.
Beware of gift card scams
And last but not least, this one has been affecting our Northwestern community for a long time in the form of email phishing, but did you know that it also happens physically at the retail stores?
A gift card can be the perfect holiday gift for that hard-to-please person on your list, but scams tied to these cards are becoming increasingly popular. For example, one popular strategy used by criminals is to scan or write down the card number in the store, draining the funds before they are even gifted.
When buying physical gift cards off the shelf, carefully inspect them to make sure there’s no tampering and that you cannot see the code or PIN. Many experts recommend buying electronic gift cards online.
If you ever fall for a phish or other form of scam, don’t feel embarrassed to seek help. It is harder and harder to determine what’s legitimate and what’s not. Your security team is always willing to help.