TechRepublic spoke with email security firm Tessian’s CEO Tim Sadler, who tells us how to avoid being phished or scammed during the search for perfect presents.
The final countdown to Christmas and holiday gift-giving is nigh upon us, and why wouldn’t the 2020 holiday season be as challenging as the rest of the year? Hampered by COVID-19 protective restrictions, brick-and-mortar stores are either closed or limiting how many can go in, resulting in outdoor lineups. Travel bans, stay-at-home orders, as well as half the country experiencing “the biggest storm in several years” while the entire US suffers through particularly cold weather, e-commerce may be the only alternative if you want to give gifts.
Because of the flurry of e-commerce activity, email inboxes are filled with offers and notifications from retailers. For those who’ve already ordered gifts and have had them sent, they expect to hear from those retailers regarding deliveries, etc. This glut of messages creates just the right setting for opportunistic hackers to take advantage of retailers who haven’t properly protected their email domain. In fact, 75% of the top 100 retailers haven’t properly protected their email domain against phishing, spoofing or fraud, making it easier for hackers to impersonate a retailer and guide consumers into thinking they’ve received a legitimate email.
A noisy inbox is a welcome arena for hackers
“Online shopping is booming this holiday season presenting a big opportunity for cybercriminals,” said Tim Sadler, CEO of the email security firm Tessian. “Hackers like to take advantage of noisier-than-usual inboxes, crowded with deals, shipping updates, and delivery notifications to hack humans via phishing attacks. By convincingly impersonating a trusted retailer or logistics firm, shoppers may unwittingly download a malicious attachment or click a link that leads them to a fake website.”
SEE: Identity theft protection policy (TechRepublic Premium)
Retail staff can be a target of cybercriminals, too
It’s not just customers who are in danger of being hacked, but retail staff, too. “Hackers cash in on the people-heavy nature of the retail industry by using social engineering techniques or by impersonating someone in an employee’s trusted network such as a customer, vendor, supplier or colleague,” Sadler said. “If the sender’s display name and email address looks like the real thing, why would a busy, distracted and stressed employee question its legitimacy?”
“Techniques are used to conduct spear phishing attacks that allow bad actors to steal sensitive information or wire money to fraudulent accounts,” Sadler said. “These attacks take advantage of email’s openness by using advanced impersonation techniques, mimicking a trusted relationship in the hopes that the receiver will believe it was sent from someone else.”
Identifying the red flags that signal a scam
Sadler cited “simple checks” to avoid falling victim to a hacker:
- Click on the display name to reveal the actual email address
- Check for spelling or grammar mistakes, legit messages rarely have errors
- Cross-check if the deal in the email is on the retailer’s website and official social media
- Be alert, this email associated with a sense of urgency or deadline; were you expecting it?
- Be skeptical of hyperlinks and don’t click on them.
What scammers get for their efforts
“These types of scams are low effort and high reward,” Sadler said. “It’s actually quite easy for hackers to impersonate a retailer and trick people into thinking they’ve received a legitimate email. Hackers cash in on the people-heavy nature of the retail industry, in order to steal sensitive information or wire money to fraudulent accounts. If the sender’s display name and email address looks like the real thing, why would a busy, distracted and stressed employee question its legitimacy?”
In the event that you discover you’ve actually been hacked, Sadler offered solutions and said: “If you receive a phishing message or alert at work, make sure you report it to your IT or security team. If you’re on a personal device, you should report significant attacks to the relevant authorities in your country, such as the Federal Communications Commission (FCC).”