Savvy shoppers are already preparing to secure the best Black Friday and Cyber Monday deals. But, many remain oblivious to devious cybercriminals that are hoping to use the excitement and thirst for massive sales to trick unsuspecting users into handing over their details.
Many will remember David Baggett as the co-founder of ITA Software that was sold to Google in 2010 for $700 million. But the cybersecurity expert and Inky CEO, recently shared essential information on my podcast about the most common scams and how to avoid them. Baggett warned that everyone should approach emails that seem to be from major e-commerce sites with extreme caution.
Why would a fraudster want you to visit their site when you think you’re visiting Amazon? There are lots of reasons — and they all mean big trouble for you. The scammer will most likely be harvesting credentials and aiming to trick you into signing in to a fake Amazon site to capture your login information.
That Amazon email in your inbox may not be from Amazon at all, it may be a very convincing forgery from a criminal whose goal is to trick you into visiting a phishing website.
Cybersecurity experts have even seen elaborate frauds targeting sites like jewelry purveyor Pandora, where criminals create a near-perfect replica of the real site, complete with shopping cart and shipping confirmation. But, when you shop on sites like this, your purchased items never arrive.
Regardless of the attacker’s goal, once they’ve tricked you into logging in and have secured your valuable information, you’re compromised — so always be on your guard. Fortunately, you can often spot mistakes in phishing emails, so it’s good to scrutinize all the transactional messages you receive.
Attackers will often alter the From line to look visually similar to, say, Amazon, but hide from mail protection so ware. In these cases, the word Amazon might be misspelled (e.g., “Arna-zon”) or have a strange accent character (“Àmazon”). So always be on the lookout for these subtle clues.
Remember that the attacker’s goal is to simultaneously hide from the email protection software and fool you, the human reader. Another way to detect phishing emails is to hover over the critical links in the message. It’s not good enough to just spot check a few URLs because criminals will often copy a brand’s real transactional email and modify just one link to point to their forged site.
Generally, the modified link will be the call-to-action, “click here to change your payment method” or something similar. Before you click this action link, verify that it goes to the right place. Better yet, just ignore the link and manually type the brand’s name directly into your browser, sidestepping the email entirely.
Also, note that attackers can register new domain names that look very similar to legitimate ones. For example, an attacker might register a new domain arnazon.com and host a fake “small business” there using G Suite or Office 365. This is easy, looks legitimate to most mail filtering software, and costs under $20.
Criminals can even create new domains where a single letter is replaced by an identical-looking but different letter — replacing a Latin letter A with a Cyrillic letter A, for example. This new domain then looks the same as the real amazon.com to the human eye but is totally different — and unsafe to visit.
Be especially suspicious of email gift card and survey reward offers that tempt you by suggesting you’ll get something for free. 2017 has seen an explosion of these scams targeting all major brands: Amazon and WalMart, but even smaller brands like CVS and AMC Theaters. As you can see below, some are very believable.
A good rule of thumb is to never act on a gift card or survey email. No major brand sends emails like these legitimately.
The most reliable way to assess the validity of a given email is to examine the raw message headers. Like looking under the hood of your car, doing so can give you additional clues as to what might be wrong.
Pay particular attention to the To: line (is it actually to you?); the From line (does it have any funny characters, odd spacing, or extra separators?); and the Reply-To: line (it should be absent or exactly match the From line).
Mail from major brands should also include a DKIM-Signature: header line, so if that’s missing, the message is almost certainly a forgery. Here are instructions on how to view the raw headers for Microsoft, Google, and Apple.
After observing the increasing sophistication of cyber attacks against online shoppers, cybersecurity expert Dave Baggett told me how he was inspired to launch Inky. The company offers a free tool called Inky Phish Fence that performs phishing checks automatically.
However you choose to protect yourself, it’s especially important to remain vigilant over the holiday shopping season. After all, the crooks are as eager for that holiday bonus as you are.
This post is part of our contributor series. The views expressed are the author’s own and not necessarily shared by TNW.