Watch Out for These 3 Holiday Shopping Scams

The holiday shopping season is also the holiday scamming season. Whether you shop online or at the mall, be mindful of these types of scams.

'Tis the season to be scamming.

It's no secret that Americans are about to spend a lot of money during this upcoming holiday shopping season. Holiday sales are expected to hit nearly $617 billion this year -- this after consumers spent $2.29 billion on Cyber Monday alone in 2013.

That's a big pile of money and credit card numbers and passwords and logins for scammers to jump into, whether through point of sale hacks or phishing scams that go beyond just email.

"It will really be more of the same," says Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force.

Here's what to expect for holiday shopping 2014.

Phishing in All Waters

Not only will consumers get fake emails, they'll get fake targeted emails. That's because victims of big retail and bank hacks are still possible victims if their email addresses were stolen.

"If I got something from a lady's clothing store, I wouldn't click on it, because I don't shop there," says Irvine, who calls this practice spear phishing. "But targeted attacks to people with known accounts and environments make [preventing this] even more difficult."

So customers of companies that have been hacked could get fake emails from those same retailers or banks and click on them because they think they're safe -- especially since they're probably getting promotional emails from them anyway around the holidays.

Social media represents another possible phishing scene, says Gary Davis, chief consumer security evangelist at McAfee/Intel Security.

"Social media sites are great places for companies large and small to create targeted promotions, but [they're] also a great place for scammers to post phony promotions aimed at grabbing customers' information and money," he says.

For example, scammers spread fake promotions for gift cards by asking consumers to click on a Facebook post if they want a gift card. That link then takes them to a scam page. "Once you click on the link and arrive at the scam page, you're asked to 'share' the promotion by clicking on a 'Like' button that automatically posts to your wall with the scam," Davis says. "You are then offered a choice of surveys that ask for your personal information."

Finally, security experts warn consumers to look out for phishing emails from Amazon, eBay and airlines. Hackers are taking advantage of online shopping habits, as well as the uptick in travel during the holiday season, to trick people into clicking on rogue links or downloading attachments.

Hackers Still Hacking Familiar Targets

We still haven't seen the last of point-of-sale hacks either, says Davis. "There are just some scams that consumers can't avoid," he says. "Given that there are millions of point of sale devices at stores worldwide, it's likely [that] these devices will remain a popular target until retailers deploy new security solutions that thwart these attacks."

While Apple Pay and chip and pin cards are starting to come onto the retail scene, they're not going to revolutionize how we pay for holiday gifts this year. Apple Pay is still limited to a small number of consumers -- those with an iPhone 6 or iPhone 6 Plus shopping at retailers that accept Apple Pay -- and chip and pin technology isn't expected to be widely adopted until next fall in the United States.

Beware a Trojan USB

McAfee's annual 12 Scams of the Holidays list includes expected items such as phishing and point-of-sale hacks, but it also references corporate gifts -- USB drives specifically. What seems like a harmless client gift could put malware on your work computer.

"The reason we're cautioning is because of the recently discovered flaw in the USB architecture," Davis says. At this year's Black Hat hacker conference, researchers demonstrated that the controller chips on USB devices can be reprogrammed, and there's no way for the host computer (or the user, for that matter) to detect that this has happened.

"USBs can now contract an undetectable -- and unfixable -- virus that can be spread quite easily," Davis says, adding that, simply put, they can no longer be considered secure.

That doesn't necessarily mean the gift-giver is trying to hack into your corporate system, of course. It does mean, though, that USBs can have malware pre-installed on them before the gift-giver even gets the device in his or her hands.
