Cybersecurity experts' guide to outwitting Black Friday and Cyber Monday scammers

Watch out for bogus e-mails and copycat sites designed to mimic big brands, hang up on unknown callers warning you're an identity theft victim, and never use public WiFi to make a purchase.


November 25, 2015

Flex your fingers. Find a comfortable place to sit. We're heading into one of the biggest shopping weekends of the year.

An estimated 135 million Americans say they're planning to partake in Black Friday, Small Business Saturday, and Cyber Monday, and nearly half of them, according to the National Retail Federation, are expected to make purchases online. But before you begin mashing "checkout" buttons, consider security.

According to a recent study by criminologists at the University of South Florida, people who use the Internet at home are more likely to be victims of online crime. The study found that people engage in riskier online activities in private than they do outside the home or at the office. The researchers theorize that people conflate the physical safety of their home with the safety of their online behavior, opening themselves up to various types of attacks.

This holiday season, phishing schemes, mobile threats, and social engineering attacks are among the most common types of threats. But greater vigilance can help everyone be safer online, especially when handing over personal information and banking details to online retailers. Here's what security experts recommend for outsmarting the online crooks:

Phishing and spear-phishing e-mails

Phishing e-mails and their more targeted incarnation, spear-phishing e-mails, are likely to make their way into your inbox at some point, said Greg Mancusi-Ungaro, chief marketing officer of security firm BrandProtect.

Many of them are disguised as offers from trusted brands and large retailers, and are often sent from a known contact's compromised e-mail address, he said. It isn't just a threat for those who aren't particularly Internet-savvy – even Mancusi-Ungaro fell victim to a phishing attack this year. "We’re all susceptible, we’re all busy," he said. 

Mr. Mancusi-Ungaro recommends taking a few extra seconds to assess an e-mail. If it says you can get a great deal on a new Nikon camera, for instance, check the official Nikon site to see if that’s really true, and buy from the official site. If you don't recognize the name of the company, he said, don't buy from them.

Be wary of copycat sites, which are pages that look similar to familiar companies' sites. Adam Levin, chief executive officer of identity threat detection firm IDT911, said many people take a good first step by checking for the lock icon in the URL bar, indicating an encrypted connection between the user and the site. But even copycat sites can have that lock; it says nothing about who runs the site.


Mr. Levin recommends going a step further to check the address bar to make sure the URL is correct. Many phishing sites, he said, use a slightly misspelled variation of an official site to trick users.
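As an added illustration (not from the article or from IDT911), the following Python check does what Levin describes by hand: it pulls the hostname out of a URL and flags domains that are a few typos away from a trusted brand domain, or that bury a brand name inside an unrelated domain. The trusted-domain list is a constructed stand-in; the Nikon example comes from the article.

```python
from urllib.parse import urlparse

# Constructed allow-list of brand domains the shopper trusts (illustrative only).
TRUSTED_DOMAINS = {"nikon.com", "amazon.com", "bestbuy.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hostname(url: str) -> str:
    """Lower-cased host part of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part public
    suffixes such as co.uk, which a real check would resolve with a suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    host = hostname(url)
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    # A brand name used as a label under some other domain, e.g.
    # nikon.com.checkout-deals.example: the address bar starts with 'nikon.com',
    # but the site belongs to whoever owns checkout-deals.example.
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host.split("."):
            return f"suspicious: '{brand}' used as a label under {reg}"
    # A domain a few typos away from a trusted one, e.g. nikkon.com.
    for t in sorted(trusted):
        d = edit_distance(reg, t)
        if d <= max_edits:
            return f"lookalike: {reg} is {d} edit(s) from {t}"
    return "unknown"
```

The check is a heuristic: "unknown" only means the domain is not near a listed brand, not that it is safe.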

Someone calling to 'verify' personal information

Another threat to be on the lookout for, Levin said, is someone calling about a supposedly urgent situation in order to extract personal information. Ironically, he said, the callers claim they are contacting you because you may be a victim of identity theft, and then ask you to verify personal information.

His company often gets reports of attackers attempting to trick people into believing they are identity theft victims, and then getting those victims to reveal personal information such as Social Security numbers. "Once you do that, you’re doomed," he said.

Levin said IDT911 is seeing an uptick in this kind of scam when it comes to smart chip cards. Known as EMV cards, these credit and debit cards are considered safer alternatives to signature and PIN cards, and are widely used across Europe. As banks roll out the new cards, Levin said criminals are targeting consumers with "verification" scam calls, capitalizing on consumers' unfamiliarity with the new cards in an attempt to steal personal information.

In this case, protecting yourself is as easy as hanging up, Levin said. Should someone call you with a similar scenario, don’t let the urgency of the situation overwhelm you. If the person says they are from your bank, hang up and call the number your bank lists on the back of your card or on their website.

Mobile threats

According to the National Retail Federation's survey of online shopping, about 21 percent of the 7,200 consumers polled last month said they intended to do some holiday shopping with their smartphone. Mobile shopping brings its own pool of threats, said Paul Henry, mobile forensics consultant for Blancco Technology Group.

Many people use public WiFi on their mobile devices, opening themselves up to man-in-the-middle attacks, in which a third party intercepts someone’s internet traffic, such as credit card information.

Apps are another area of concern for mobile, Mr. Henry said, because of the amount of information they collect. That means when downloading any new app, notice the permissions it asks for, including whether or not it requires access to your contacts. And make sure the apps you're downloading are from the official app store – Google's Play Store or Apple's App Store.

In Henry’s perfect world, he would tell consumers, "Don’t use your mobile device, use your desktop." But if you do decide to use a mobile device for holiday purchases, he recommends taking screenshots of the checkout page as an extra record of what was purchased and at what price. 

Check your bank statements daily

All three experts emphasized that the only way to get ahead of any suspicious bank activity is to check your bank statements daily to look for discrepancies.

BrandProtect's Mancusi-Ungaro recommends signing up for purchase alerts from your bank or credit card provider so you are notified whenever a purchase is made. It might seem like overkill, he said, but it can help detect the small charges attackers often use to test whether or not a stolen card is live before they try to put a larger amount on it.
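As an added example (not from the article or from BrandProtect), here is the kind of check a cardholder or a bank's alerting logic could run over a statement to surface the pattern Mancusi-Ungaro describes: small charges from merchants you do not recognise, and a small charge followed within a few days by a much larger one from the same merchant. The statement lines, thresholds and merchant names are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample statement: (ISO date, merchant, amount in USD). Not real data.
STATEMENT = [
    ("2015-11-20", "GROCERY MART", 84.12),
    ("2015-11-22", "ONLINE-STORE-X", 1.00),
    ("2015-11-23", "ONLINE-STORE-X", 499.99),
    ("2015-11-23", "COFFEE PLACE", 4.50),
    ("2015-11-24", "GIFT-CARD-VENDOR", 0.99),
]

SMALL_CHARGE = 5.00   # assumed threshold below which a charge counts as a "probe"
WINDOW_DAYS = 7       # assumed window in which a follow-up large charge is linked
JUMP_FACTOR = 10      # follow-up must be at least this many times the probe

def parse(line):
    d, merchant, amount = line
    return date.fromisoformat(d), merchant, amount

def flag_probe_charges(statement, known=(), small=SMALL_CHARGE,
                       window=WINDOW_DAYS, jump=JUMP_FACTOR):
    """Return sorted alert strings. `known` lists merchants the cardholder
    recognises; small charges from anyone else are reported, and any small
    charge followed by a much larger one from the same merchant is reported
    as a probe-then-spend pattern regardless of whether the merchant is known."""
    by_merchant = defaultdict(list)
    for d, m, amt in map(parse, statement):
        by_merchant[m].append((d, amt))
    alerts = []
    for m, txns in by_merchant.items():
        txns.sort()
        for i, (d, amt) in enumerate(txns):
            if amt > small:
                continue
            if m not in known:
                alerts.append(f"{d}: unrecognised small charge {amt:.2f} at {m}")
            for d2, amt2 in txns[i + 1:]:
                gap = (d2 - d).days
                if gap <= window and amt2 >= jump * amt:
                    alerts.append(f"{d2}: {m} charged {amt2:.2f} within {gap} day(s) "
                                  f"of a {amt:.2f} probe charge")
                    break
    return sorted(alerts)
```

Daily review still matters: a probe charge is only useful as an early warning if someone looks at the alert before the larger charge lands.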

Even after the holidays end, they said, consider keeping up some of these security practices for year-round vigilance. "It's not just being on your toes for two weeks in November and December," Mancusi-Ungaro said. "It's being on your toes all year round."