While the risk of being hacked, conned or having sensitive information stolen is possible all through the year, most security experts agree that the holiday season brings a spike in fraudulent activity, both online and off.
CSO compiled a list of twelve dirty tricks to avoid this holiday season (or any time).
After a day of shopping, you log on to Twitter and 'tweet' about how hard it is to find a Zhu Zhu Pet, this season's hot toy, for your daughter. Soon after, you receive a direct message from another Twitter user offering to sell you one. It's your lucky day, right?
Unfortunately, the user often ends up paying for a fake version of the product, or no product at all. It's the classic phishing scam with a new and sophisticated twist because criminals can see what you are looking for by monitoring your tweets on Twitter.
"It used to be that you could identify a phishing scam because they often had spelling mistakes, or the link had some kind of tell-tale sign," said Mark Cohn, vice president of enterprise security with Unisys.
But the game has changed now. The signs that made scams so obvious before are no longer always present as more sophisticated techniques employed by criminals on Twitter and Facebook make it harder than ever to know what's legit. The easiest way to stay away from this?
"Be skeptical," said Cohn. "Double-check to find out: Who is the issuer? If it is not someone you know, think twice about buying."
Fraudulent auction and payment sites
If you do fall prey to the first scam, there is also a chance you could end up at a fraudulent site while paying for the item. Or you might find yourself at a fake auction site while bidding on an item. Escrow services such as PayPal allow businesses and consumers to securely and conveniently send and receive payments online. However, escrow scams are increasing as fraudsters set up fake payment sites to con both buyers and sellers out of money, according to Unisys.
To ensure payment sites are legitimate and secure, Unisys security experts suggest checking to ensure the sites have SSL certification. Also check that the web address starts as https:// rather than just http:// as the absence of that "s" is often an indicator of rogue traders. A real escrow company will also only ask you to transfer money to them directly from your bank, i.e. a traceable transfer. If they ask for another method, refuse. Before you send anything, verify with your bank where the receiving bank is located. If this looks like it is outside the seller's own country, stop the transaction.
Another casualty of being phished is your password. Password theft is rampant during the holidays, according to security firm McAfee, which also compiled its own 12 Scams list for folks to watch out for this holiday season.
"Once criminals have access to one or more passwords, they gain vast access to consumers' bank and credit card details and clean out accounts within minutes. They also commonly send out spam from a user's account to their contacts," official with McAfee said.
Dangerous search terms
Andrew Brandt of Webroot recently blogged about how prevalent dangerous sites have become in search results. Brandt searched for news about Zhu Zhu Pets.
"What I found were a flood of fake alert sites mixed in with the legitimate search results," said Brandt.
The bad guys know what people want, and they are getting cleverer about devising dangerous sites that will be ranked high if a user searches for a popular term. Using the most up-to-date version of your browser can help. If you try and head to a malware-laden site, the latest version of today's browsers will often warn you first that the site contains dangerous content.
Seasonal email scams
Merry Christmas, Mary! The email attachment looks like a holiday greeting card. It even has your name on it. It must be from someone you know, you think. Think again. The number of malicious e-cards circulating to personal and business computers is expected to rise this year, according to Unisys. Cohn suggests that even in a workplace setting, individuals should never open an email or attachment from an unknown sender and do not download 'exe' files as these often contain adware, unwanted downloads and spyware.
If you can't resist opening a file, drag it into your 'junk' email folder first as this allows you to check all the links to see if they are legitimate. If a site looks suspicious, follow your instincts and don't click on it.
If you are one of those people who will accept any friend request you get on Facebook, this is a particularly dangerous time of the year to be too friendly. Because of the information you disclose on social networking sites, they can be a goldmine for identity thieves.
"It's surprising to me how many people on Facebook put their birthday," said Cohn. "Not just the date, but the year."
According to GetSafeOnline, one in four people using social networking sites have posted confidential or personal information such as phone number, address or email on their online profile. To avoid identity theft, never offer personal information to anyone over a social networking site, even if the request is from a friend or relative. Do not offer your birth date, birth town and home address on your user profile, and always make sure you apply the right privacy settings to protect yourself. Avoid posting photos of expensive belongings or dates when you are away from home over the holidays.
Heading to the ATM to get some cash for your holiday shopping, are you sure the machine you are using is legit? ATM skimming, a scheme that involves fitting a real looking device over the actual pin pad in order to steal credit card information, is on the rise. Terrie Ipson, an ATM security expert with Diebold points out that while your card information may be stolen today, you might not even know until well after the holiday season.
"A lot of skimming attacks are conducted by highly-organized groups," said Ipson. "The card [data] could be held for several months."
Ipson recommends using an ATM you are familiar with so you know what it should look like and check it to make sure that it is solid and sturdy.
"Put your hands on it and see if you can wiggle it," she said.
This is the time of year when many organizations or individuals may be disposing of sensitive documents such as receipts or financial statements. A year-end clean out could make your dumpster rife for the picking by criminals. (See security consultant Steve Hunt's video recap of a dumpster dive that yielded personal checks, laptops and more.)
"We tend to focus too much on the digital," said Cohn, who noted that another concern around the holidays is employees working remotely. "Companies need to ensure that materials being used when working at home are also disposed of properly. Employees must protect their company's intellectual property by safely disposing of materials that are proprietary to their companies."
Google is offering free Wi-Fi this holiday at 47 airports in the U.S. in a campaign to promote Google products. Good news for road warriors traveling for the holidays? Not if you don't keep security in mind, according to Cohn.
If you are using that new laptop on a wireless network at home or workplace, Unisys recommends making sure that wireless network is secure. The Wi-Fi network range will radiate beyond the confines of your building, leaving it vulnerable to "wardriving" (the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer so they can use your unsecured network for free). Hackers could use an unprotected wireless network to anonymously download illegal material or perpetrate attacks that would appear as if they were coming from you.
A famous hacker technique in wireless scenarios is the "man in the middle" attack. A hacker can sit in a coffee shop or hotel lobby, with their own laptop showing itself to other patrons as a free Wi-Fi connection. While a patron uses this connection to surf the web or check email, the hacker's laptop can record all data passing back and forth, hoping to capture passwords or other valuable information.
Phony bank reps
You've been doing a lot of shopping with your credit card this holiday season. Isn't it considerate of your bank to check and make sure that it's you? Sure, if it really is your bank calling. Unfortunately, this time of year if a great time for crooks to call and pry sensitive information from consumers. Unisys security experts recommend that individuals at home or work be wary of account checking scams in which a phony representative of a bank or supplier who contacts you by phone or email to ask for account details to update their records.
Callers will often claim that they need certain data in order to check the security of your account while actually obtaining very valuable information to carry out fraud. If you think the call is genuine, ask to call them back and check the number by visiting their website before you call back. It is relatively simple for the caller to spoof Caller ID such that your bank's name appears, regardless of where the call actually comes from.
Also be wary of emails seeking the same kind of information. Crooks are now devising links with lookalike sites where your logon ID and password can be captured.
It's the time of the year for giving. But it's also a popular time for scammers to devise cons to pry money out of well-meaning givers. If you get caught in such a ruse, you might end up donating to nothing or the scam artists could end up with your credit card or other information and use it for something much less charitable.
"Spirit of giving" scams have been around for decades. Unisys suggests that individuals watch out for emails or tweets from charities that ask for donations, particularly if you have never signed up to receive correspondence from them. Be sure to check that charity collectors in your neighborhood or near your office have some form of identification.
With the economy still in sour state in many parts of the country and the unemployment rate at its highest since 1983, a number of people may be looking for work to pay the holiday bills.
"Scammers are preying on desperate job-seekers in the poor economy with the promise of high-paying jobs and work-from-home moneymaking opportunities," according to a statement from McAfee. "Once interested persons submit their information and pay their 'set-up' fee, hackers steal their money instead of following through on the promised employment opportunity."
In fact, earlier this month Google filed a lawsuit against a Pacific WebWorks, a company it alleges runs work-at-home scams that unnecessarily charge people's credit cards and spoof Google's brand name. The bottom line: Work-at-home offers deserve a lot of scrutiny, and those requiring a fee up front are to be avoided.