Be careful out there…
Black Friday has fast become a staple of our high street and online shopping experience, even though it has its roots in US traditions.
But the day isn’t all fun and bargains. Besides the traumatic experience for some retail employees and those injured in shop-floor brawls, Black Friday is also a time in which many of us are caught out by scams, with cyber criminals taking advantage of customers desperate for a bargain.
A Barclays survey published last week found that nearly one in four 18–34-year-olds in the UK have fallen victim to a Black Friday scam, with victims losing £661 on average.
The report also found that one in ten scams result in losses of more than £2,000.
This blog explains some of the scams you should be looking out for and what you can do to protect yourself. But first, let’s delve deeper into the context of what you’re up against.
Why Black Friday is primetime for cyber crime
Many people in the UK will know ‘Black Friday’ as the last Friday before Christmas, which was ‘black’ because of the number of people who got blackout drunk and needed police or ambulance intervention.
This is unrelated to the US incarnation of Black Friday, which refers to the discounts that retailers offer the day after Thanksgiving – similar to the Boxing Day sales in the UK.
Thanks to the rise in online shopping, those outside the US have been acquainted with the tradition and are able to take part in shopping sprees.
The Guardian reported last year that UK shoppers spent £7.7 billion in Black Friday sales, with the average consumer forking out £220.
You can see why this is a perfect opportunity for scammers; we’re busy spending money freely, making dozens of purchases and in a hurry to bag the best deal available.
It’s inevitable that someone will visit a dodgy website in pursuit of a bargain or click a phishing email because they thought it was about an online order they’d made.
How are the criminals catching us out? Here are three common scams:
1. Bogus order confirmation emails
Picture the scene: you’re hunkered over your laptop scouring through deals, when you receive an email from Amazon confirming a purchase you’ve made.
You look at the order and swear that you didn’t buy anything that fits that description, so you assume there’s been a mistake.
[Image: example of a bogus Amazon order confirmation email. Source: Bleeping Computer.]
The email doesn’t say what you’ve bought, but it does contain a link to where you can look at the order details.
This is a classic case of phishing, in which criminals send malicious emails that appear to be from trusted senders.
If you click the link, one of two things will happen. You might be directed to a bogus site that looks like Amazon’s login page but is controlled by the criminal hackers. When you enter your login details, you’re handing your information to them.
Alternatively, you’ll download a Word document that asks you to ‘Enable Content’ to view. Doing so unleashes malware on your systems.
In the example above, Bleeping Computer notes that the scam infects computers with the Emotet banking Trojan, which logs users’ activity and steals sensitive information.
If you receive this version of the scam, consider yourself lucky. It should be straightforward to spot that you’re being scammed, because Amazon will never send you a Word document containing order information. It will always direct you to its website.
Enabling macros (which is what ‘Enable Content’ does) is almost always a huge no-no, and Word may well warn you about the dangers of doing this if you try to give the document permission.
Fortunately, you can simply close the Word document without taking any further action, and you should be safe.
If the scam directs you to a fake version of Amazon’s website, things are a lot more complicated. Scammers do a very good job of replicating sites, and in your eagerness to find out what’s going on with your order, it’s easy to blindly follow the page’s instructions.
The only way to protect yourself is to make a habit of looking for signs of bogus websites – like URLs that look slightly off (annazon.co.uk, with two ‘n’s, for example, can easily be mistaken for the real thing at first glance) and those that don’t have a lock symbol on the left side of the address bar. Bear in mind that the lock only shows the connection is encrypted, not that the site is genuine, so a lookalike address is the stronger warning sign.
Of course, the best way to protect yourself is to identify the scam before clicking anything. Phishing emails always contain a handful of tell-tale giveaways of their true nature, and you should take the time to memorise them.
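The ‘annazon’ trick above can be checked mechanically: fold visually confusable letter pairs before comparing a link’s domain against the brands you actually shop with. This is an added illustration, not code from the original post; the brand allow-list, the confusable pairs and the simplified suffix handling are assumptions.

```python
from urllib.parse import urlsplit

# Visually confusable sequences folded to what a hurried eye reads them as.
# "nn" -> "m" is the annazon/amazon case; the rest are common typosquats (assumed list).
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
               ("1", "l"), ("0", "o"), ("5", "s")]
# Constructed allow-list of brands the shopper genuinely uses.
TRUSTED_BRANDS = {"amazon", "argos", "currys"}
# Simplified public-suffix list: longer suffixes must come before their tails.
SUFFIXES = (".co.uk", ".org.uk", ".com", ".net", ".org", ".uk")


def registrable_label(url: str) -> str:
    """Brand-carrying label of the host: 'annazon' for https://www.annazon.co.uk/x.
    A host whose suffix is not in SUFFIXES yields ''."""
    if "://" not in url:                     # tolerate a bare 'annazon.co.uk/...'
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    for suffix in SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)].rsplit(".", 1)[-1]
    return ""


def fold_confusables(label: str) -> str:
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), for one-letter typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted' for an allow-listed brand, 'lookalike' for a near miss a shopper
    could mistake for one, 'unknown' otherwise (e.g. amazon.co.uk.evil.com)."""
    label = registrable_label(url)
    if label in TRUSTED_BRANDS:
        return "trusted"
    folded = fold_confusables(label)
    for brand in TRUSTED_BRANDS:
        if folded == brand or edit_distance(label, brand) <= 1:
            return "lookalike"
    return "unknown"
```

Note that plain edit distance alone misses ‘annazon’ (two edits away from ‘amazon’); the confusable folding is what catches it.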
2. Exploiting public Wi-Fi
You’re walking along the high street and you see a 60-inch television on sale. It seems like a good deal, but you want to check that it isn’t available cheaper online.
Luckily the shop has free Wi-Fi, so you take out your phone and – lo and behold – Amazon has the same TV on sale with a further 10% off, but time is running out on the deal.
What do you do?
You definitely shouldn’t buy the TV online there and then. As a rule, it’s never advisable to buy things online using public Wi-Fi, because you can’t be sure that the connection is secure.
It doesn’t matter whether you have to enter a password or log in, as any network that’s set up for the public can be abused.
Attacks that abuse a public network in this way are known as man-in-the-middle attacks, and they work by exploiting a flaw in the network to intercept traffic going to and from victims’ devices.
When you use public Wi-Fi to make a purchase online, there’s always a chance that a cyber criminal is monitoring your activity and logging your payment card details.
If you want to buy something online while out and about, you’d be much better off using mobile data. It’s not 100% secure, but it’s much harder to tamper with than public Wi-Fi.
3. Instant messaging scams
An acquaintance sends you a WhatsApp message with a link to an online sale.
This is about as transparent an example of a scam as you’re likely to see, as your contacts presumably don’t make a habit of spamming you with marketing offers.
However, it’s reasonable to believe that Black Friday might be the exception, as there are a ton of deals online, and it’s nice to know that someone’s thinking of you when they discover a bargain.
But don’t be fooled – any unsolicited instant message containing a link should be viewed cautiously.
In this case, scammers begin by creating a fake website that mimics the layout and URL of a legitimate online retailer.
They then hijack instant messaging accounts by phishing their owners or sending them keylogging malware.
From here, the scam looks a lot like the Amazon phishing scam that we described earlier. You click the link, which causes your computer to download a file containing malware.
These types of scams are becoming more common as an alternative to traditional phishing scams. They require more work to pull off but bypass the main stumbling blocks for phishing emails – spam filters and the slim odds that the recipient uses the service that’s being impersonated.
As with each of the scams we’ve listed, it’s essential that you spot suspicious activity. To understand the threat of instant message scams, you must realise that they exploit the inherent trust between contacts and the ‘instant’ aspect of the interaction.
People are far more inclined to click a link straight away when it appears to be part of an ongoing conversation, rather than when it’s sent as an email, which can be opened at any time.
The trick to staying secure is to remember that bogus links can be sent on any communication platform. Make a habit of viewing links with caution and keeping an eye out for anything that seems too good to be true.
Awareness is the key to success
These scams demonstrate how important awareness is to staying secure. Simply knowing what threats are out there can make you more cautious and less prone to scams.
This is a lesson that applies just as much to workplace threats as it does to your everyday life – and it’s something management could do with reminding.
We recently discussed a report that found that 53% of IT managers believe organisations rely too much on technological defences and don’t do a good enough job of training staff to spot cyber threats.
Another report found that organisations invest in unnecessary software solutions at the expense of staff awareness training.
This trend must stop. To help that happen, IT Governance has created our Rewards Club to make it easier and more cost-effective to enrol on staff training.
Members receive a 25% discount on training courses for life, and if you book before the end of November, you’ll also receive a £30 e-book voucher to spend on anything in our webshop.
A title that our readers might enjoy is CyberWar, CyberTerror, CyberCrime and CyberActivism, by Dr Julie Mehan.