It's just another Cyber Monday

Take care when doing your online Christmas shopping today and beyond. But don't buy into the security FUD, either.

Every Monday after Thanksgiving I fire up the laptop and watch my inbox load up with security vendor warnings about Cyber Monday. The story pitches use a lot of over-the-top (or painfully obvious) images and warnings about the cyber Grinch hiding inside your computer, waiting to snatch up your credit card numbers with the zeal he displayed when stealing all the Christmas trees and roast beast in Whoville.

I usually advise readers to ignore that over-hyped stuff, known around here as FUD. But brushing off the warnings entirely would be irresponsible. If you're like me, you do your Christmas shopping in a hurry, eager to get it over with. When you rush, you make stupid mistakes and bite into phishing hooks you might normally be smart enough to avoid.

That being the case, I thought I'd share a couple of the concerns and tips coming my way. Here's to a safe, healthy and scam-free holiday season!

ThreatMetrix has this insight about the perils of doing your shopping on mobile devices:

-- Mobile transactions are projected to reach $1 trillion by 2017 according to a new report by market research firm IDC Financial Insights, making consumers more vulnerable to fraud and malware attacks on mobile devices. As consumers continue making large volumes of mobile purchases and retailers do not have the time to closely monitor every transaction for suspicious activity, mobile opens the door to fraudsters during the holiday season now more than ever.

-- Account takeover is a major concern for retailers this holiday season because of the significant increase in mobile usage. Many retailers are not equipped to efficiently secure mobile transactions with an exponentially larger volume of transactions during Black Friday and Cyber Monday, making consumers’ account and credit card credentials vulnerable to cybercriminals if retailers don’t act fast and execute a mobile security strategy.

-- Clean fraud passes a retailer’s typical security screens and appears to be a legitimate transaction, when in reality, the transaction may be fraudulent and the result of a cybercriminal hiding behind a virtual private network (VPN). During Black Friday, Cyber Monday and the rest of the holiday season, many consumers travel with their mobile devices. Since fraudsters hide behind an IP address to mask their true geographic location, it is more difficult for retailers to tell which transactions are authentic.

SurfRight has these tips for safe online shopping:

1. Make sure you have an antivirus installed and updated. Set it up to scan frequently during the holiday shopping season. Like spam, spreading identity-stealing malware is a numbers game that is practiced on a massive level. It only takes a small percentage of victims to net large sums of money to cybercriminals through stolen personal and financial data. The easiest people to target are those who do not have any security measures in place. If the holiday season has tightened your budget, there are a number of decent free antivirus products available on the market today from vendors such as Avast!, AVG, Avira, Microsoft and others. They usually lack the advanced security features and support of paid products, but are a good line of defense if nothing else is available.

2. Check if your antivirus is working properly. Even if you do have a working antivirus program, you should double-check your computer for an infection. According to European security vendor SurfRight, when checking over 1 million computers that had an antivirus installed, 24% were still infected with a virus. You can use products like HitmanPro to get a second opinion about potential malware already on your system, as well as cleaning it up if it exists.

3. Be cautious of emails warning you of unshipped or delayed items. A favorite tactic of cybercriminals is to create emails that create a sense of urgency to the intended victim in order to get them to click a link containing malware. Knowing that people want to make sure their gifts arrive in time, cybercriminals send fake emails purportedly from the U.S. Postal Service, UPS or FedEx claiming that a delivery was delayed. All you need to do is click a link to check your status, and a “drive-by download” can occur, making your computer open to identity theft if you try to use it for purchases or online banking. Any legitimate communication from shippers will usually also contain a tracking or other reference number. Copy and paste this number to the delivery company’s actual site whenever possible. This simple extra step can save you a lot of headaches down the road. If you see attachments within these types of emails, avoid opening them, as shippers rarely send attachments with their emails.

4. Give extra scrutiny to “card declined” or unrecognized “invoice” emails. A close cousin to the shipping email is the credit card email. Again, cybercriminals want you to think a purchase has not gone through, or that unauthorized purchases are being made from your credit card, all to get you to click a link that can install malware or get you to enter your personal information. Sometimes legitimate sites are temporarily hijacked for this purpose, and the link to the malware leads to these sites. Again, do not click these links; call your bank and find out if there is any recent unauthorized activity happening with your account.

5. Double-check unfamiliar online shopping sites. These sites are a less common tactic, but several do exist. They might come up on search results when you look for specific model items like flat screen televisions or video game consoles. You can check the domain with free online tools that contain user feedback such as Norton Safeweb or Web Of Trust that can give you a very good idea of how trustworthy a site actually is.

6. Watch out for Christmas-themed deals that are “Too good to be true” on consumer electronics. Many large e-tailers and retailers run incredible sales in order to make the season jolly, but beware, some lumps of coal may appear online or in your inbox. Typically they are the hot items of this year and last year at 70%-90% discounts. Although you might see some “door buster deals” on Black Friday and Cyber Monday, don’t expect to pay $100 for that new iPhone 5 or iPad Mini. These types of scams are also seen as links on Social Networking sites such as Facebook, so you might want to install a free security Facebook app such as SafeGo, to keep dangerous links off your Facebook feeds.

7. Make sure your operating system, browser, and critical software such as Java, Adobe Acrobat and Adobe Flash are up to date. Making sure your operating system is up to date is essential to safe shopping online. Outdated software can be exploited by cybercriminals in order to install malicious software without your consent. Here are some links to check if you are up to date: Microsoft Windows XP, Microsoft Windows 7, Microsoft Windows Vista, Java, Adobe Flash, Adobe Reader (download the latest version).

8. Be aware of so-called “Ransomware.” One of the fastest-growing cyber-scams at the end of 2012 is the “ransomware” attack. A virus attaches itself to your computer and typically places a supposed warning from a government agency such as the FBI, claiming that you have violated copyright laws and are subject to fines. Your computer then has limited functionality until you pay the supposed fine through a convenient method such as a money transfer card, available at your local convenience store. In reality, these funds usually go to some overseas scammer, but the computer is impossible to use until the fine is paid. Antivirus programs and second opinion scanners should be able to remove these threats, but when in doubt, contact your local computer repair shop and have them take a look at it. Taking this step could save you a significant amount of money if this happens to you.

9. Use reputable online shopping sites that are verified by third parties. During the holiday season, hackers go into overdrive, trying to infect legitimate websites with malware that is later on spread to unsuspecting victims. Before entering sensitive data or downloading anything from online retailers, make sure you are accessing it through a secure encrypted page (you will see https:// in your address bar and other icons indicating that the connection is encrypted in your browser). Also check on the payment page for third party verification seals. The more popular ones are TRUSTe, Norton Secure (Formerly Verisign), McAfee Secure and Comodo, which ensure your transaction is private, and that the site is scanned daily for vulnerabilities or tampering.

10. Identity theft can also happen over the phone. We are all familiar with phishing scams, which attempt to get the victim to give up personal information that a criminal can use to perpetrate fraud. There is also a telephone version of this scam that is also growing and frequently targets landline owners. It works in a similar fashion to its online cousins. The caller claims to be from the bank, a store, or delivery service, and presents an issue that needs to be handled. In order to take care of this, they just need you to verify your social security number, account number, online banking password or other piece of sensitive data. One thing to remember is that no online business will ask for a password over the phone. Some businesses may ask for your account or social security, but before volunteering this information, you should get an issue or tracking number and opt to call them back, preferably on the number that is printed on your bill.
