A holiday ornament on a fishhook

As millions of Americans prepare to fire up their laptops in the hopes of gobbling up Black Friday deals, security experts warn that cyber criminals have raised their efforts to steal valuable personal and financial information from unwitting shoppers.

While email scams remain popular, the fraudsters are increasingly using mobile apps and popular social media platforms to launch their swindles, too.

Earlier this month, retail giant Macy's reported that hackers had planted malicious code on its website to capture details such as the names, home addresses, email addresses, and credit card numbers of online shoppers.

Zack Allen, director of threat operations for ZeroFox, a company that specializes in social media cybersecurity, notes that people are getting better at spotting online scams, but admits it's hard to withstand the barrage of cyber attacks at this time of year.

More on Digital Security

“You could not click on 100 bad links, but the 101st will get you,” he says.

During the first 20 days of November, ZeroFox researchers identified 61,305 potential online scams targeting 26 popular retail brands. Of those, 11,741 contained language related to gift giving, 4,593 used the word “holiday,” and 637 were specifically related to Black Friday or Cyber Monday.

Here are some things to watch out for as you begin your holiday shopping. For more tips, consult our story on how to protect yourself from online shopping scams.


Go to 
Consumer Reports’ 2019 Holiday Gift Guide for updates on deals, expert product reviews, insider shopping tips, and much more.
 

Feast of the Phishes

Cyber criminals love to use phishing scams during major seasonal events to hoodwink people into coughing up their info. They use emails and Facebook posts to pitch great, limited-time deals on hot holiday gifts, for example. But those emails also can masquerade as shipping notifications or pleas from well-known charities for end-of-the-year donations.

They all contain links that send you to a website made to look very much like the real thing. But instead of helping you make a purchase, showing you where your package is, or processing your donation to those in need, the site steals your information or plants a virus on your computer.

ZeroFox cites a fake Facebook page for the fashion label Michael Kors touting 70 percent off Cyber Monday discounts on handbags. When you click on the link, it takes you to a sophisticated look-alike site set up to collect payment card information.

Other social media scams bait consumers by offering the chance to win gift cards for major retailers such as Amazon or Walmart, ZeroFox says. The landing pages then ask for personal information such as names, addresses, and dates of birth.

A phishing email offering a $25 Apple gift card
This phishing email offered a $25 iTunes gift card from Apple.
Photo: COFENSE

Aaron Higbee, chief technology officer and co-founder of Cofense, which specializes in anti-phishing technologies, says cyber criminals are moving away from stealing banking credentials and logins for money transferring services such as Venmo or Paypal, because companies that offer those services are much better at detecting fraud these days.

Instead, the scammers are focusing on identity theft; going after consumer names, addresses, Social Security numbers, and dates of birth. With that information, he says, they can open up new lines of credit or even file fraudulent tax returns.

Other phishing schemes target email passwords. "This is where the dominos start to fall,” Higbee says. Criminals often can use those passwords to reset other passwords and ultimately take control of your online accounts.

And so, it's always smart to take a beat before you click on a link or download an attachment in an email—especially if it's an email from a person or retailer you don't usually do business with.

Consumers should be particularly wary of emails that look like shipping and delivery notifications, Higbee says.

“Everyone is busy during the holidays and consumers are online shopping even more,” Higbee explains. “At the same time, they’re worried about those packages being stolen. 

“It’s a real opportune time for a criminal to slide in a phishing email."

Naughty or Nice?

While Apple and Google try their best to keep bad actors out of their app stores, some inevitably sneak past security.

According to RiskIQ, which maintains a database of blacklisted apps, cyber criminals are increasingly creating fake apps with the intent of fooling consumers into downloading malware or handing over sensitive data intended for well-known retailers.

The number of malicious apps in the company’s database has risen 20 percent in the last year. And, when RiskIQ researchers looked at all available holiday shopping apps, they found that 951—about 2 percent of the total—had been blacklisted.

A smartphone app that requests access to an excessive amount of information
This smartphone app requests access to an unusually high volume of information, says RiskIQ. Note the permissions on the right.
Photo: RiskIQ

While the vast majority of those malicious apps are found on third-party app stores, RiskIQ says, some do slip through the cracks and make it into the Apple and Google stores as well.

As part of its annual holiday report, RiskIQ also surveyed 1,000 consumers about their online habits, and 24 percent admit to downloading an app from a third-party store. Another 7 percent concede that they might have done so.

Like other security experts, RiskIQ researchers say consumers should keep their purchases to the major app stores and to think first before granting apps excessive permissions like access to contacts, text messages, or credit card information.

Hackers (Not Santa) Watching You

For many consumers, the Macy's hack is a clear example of the need for better protection of personal data collected by online retailers and services.

Macy’s says the malicous code that threatened people who used its website existed for about nine days in October before it was discovered and removed. The banking and credit card numbers of those affected have been reported to the respective issuers. Macy’s is also offering the shoppers free identity protection services.

But those consumers are now at risk for credit card fraud, identity theft, and other cyber threats, says John Shier, senior security advisor for the U.K.-based cybersecurity company Sophos.

“And, unfortunately, on the consumer side, there’s really nothing you can do to protect yourself from these kinds of attacks,” he adds. The malicious code, which is tied to a rapidly growing cybercrime syndicate known as Magecart, would not have adversely affected the buying experience or made Macy's site look any different to shoppers, he explains.

In its annual Black Friday and Cyber Monday threat report, RiskIQ notes that Magecart breaches are detected on an hourly basis. In total, the company has spotted Magecart skimmers in the wild more than 2 million times. 

“This detection rate is a clear indication that the group is extremely active and will continue to be a critical threat to consumers, especially over the Thanksgiving shopping weekend,” the researchers write.

Given all the threats to online shoppers, tech companies and retailers need to do more to protect consumers, Allen argues.

“They are so apt to blame the consumer for making mistakes," he says. "Instead they should really be looking inward and asking themselves why they designed a system that would allow them to do that.”