Watch out for these 3 holiday shopping scams

The holiday shopping season is also the holiday scamming season. Whether you shop online or at the mall, be mindful of these three types of scams.

'Tis the season to be scamming.

It's no secret that Americans are about to spend a lot of money during this upcoming holiday shopping season. Holiday sales are expected to hit nearly $617 billion this year – this after consumers spent $2.29 billion on Cyber Monday alone in 2013.

That's a big pile of money and credit card numbers and passwords and logins for scammers to jump into, whether through point of sale hacks or phishing scams that go beyond just email.

"It will really be more of the same," says Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force.

Here's what to expect for holiday shopping 2014.

Phishing in All Waters

Not only will consumers get fake emails, they'll get fake targeted emails. That's because victims of big retail and bank hacks are still possible victims if their email addresses were stolen.

"If I got something from a lady's clothing store, I wouldn't click on it, because I don't shop there," says Irvine, who calls this practice spear phishing. "But targeted attacks to people with known accounts and environments make [preventing this] even more difficult."

So customers of companies that have been hacked could get fake emails from those same retailers or banks and click on them because they think they're safe – especially since they're probably getting promotional emails from them anyway around the holidays.

Social media represents another possible phishing scene, says Gary Davis, chief consumer security evangelist at McAfee/Intel Security.

"Social media sites are great places for companies large and small to create targeted promotions, but [they're] also a great place for scammers to post phony promotions aimed at grabbing customers' information and money," he says.

For example, scammers spread fake promotions for gift cards by asking consumers to click on a Facebook post if they want a gift card. That link then takes them to a scam page. "Once you click on the link and arrive at the scam page, you're asked to 'share' the promotion by clicking on a 'Like' button that automatically posts to your wall with the scam," Davis says. "You are then offered a choice of surveys that ask for your personal information."

Finally, security experts warn consumers to look out for phishing emails from Amazon, eBay and airlines. Hackers are taking advantage of online shopping habits, as well as the uptick in travel during the holiday season, to trick people into clicking on rogue links or downloading attachments.

Hackers Still Hacking Familiar Targets

We still haven't seen the last of point-of-sale hacks either, says Davis. "There are just some scams that consumers can't avoid," he says. "Given that there are millions of point of sale devices at stores worldwide, it's likely [that] these devices will remain a popular target until retailers deploy new security solutions that thwart these attacks."

While Apple Pay and chip and pin cards are starting to come onto the retail scene, they're not going to revolutionize how we pay for holiday gifts this year. Apple Pay is still limited to a small number of consumers – those with an iPhone 6 or iPhone 6 Plus shopping at retailers that accept Apple Pay – and chip and pin technology isn't expected to be widely adopted until next fall in the United States.

Beware a Trojan USB

McAfee's annual 12 Scams of the Holidays list includes expected items such as phishing and point-of-sale hacks, but it also references corporate gifts – USB drives specifically. What seems like a harmless client gift could infect your work computer with malware.

"The reason we're cautioning is because of the recently discovered flaw in the USB architecture," Davis says. At this year's Black Hat hacker conference, researchers demonstrated that the controller chips on USB devices can be reprogrammed, and there's no way for the host computer (or the user, for that matter) to detect that this has happened.

"USBs can now contract an undetectable – and unfixable – virus that can be spread quite easily," Davis says, adding that, simply put, they can no longer be considered secure.

That doesn't necessarily mean the gift-giver is trying to hack into your corporate system, of course. It does mean, though, that USBs can have malware pre-installed on them before the gift-giver even gets the device in his or her hands.

This story, "Watch out for these 3 holiday shopping scams," was originally published by CIO.

Copyright © 2014 IDG Communications, Inc.
