We’re heading into the busiest period for online shopping of the year, as people look for gifts and bargains ahead of the festive season.
And now what was already a busy time for shopping is super-charged by Black Friday and Cyber Monday, the days bookending Thanksgiving weekend, where retailers offer major discounts and sales. Black Friday started as a phenomenon in the US, but has now spread to retailers around the world.
But while Black Friday can offer a chance for shoppers to buy things at big discounts, the popularity of the event and the rush to grab bargains means that Black Friday is a major target for cyber criminals, fraudsters and scammers.
Cyber criminals are opportunists and will always exploit major events in order to conduct campaigns – and one where consumers are actively looking to hand over credit card information and other personal information to online retailers makes it the perfect opportunity to strike.
According to the UK’s National Cyber Security Centre (NCSC), victims of online shopping scams lost an average of £1,000 ($1,176) each during the holiday shopping period last year – and the figure is rising.
Some of these scams involve fraudsters simply stealing money. Others see scammers send buyers inferior, knock-off products. There’s also the risk of having usernames and passwords stolen by phishing sites, or even the prospect of attackers infecting your system with malware.
In the face of all these outsider threats, here’s how to stay safe and boost your cybersecurity while looking for Black Friday bargains.
Be cautious of unexpected emails claiming to offer Black Friday deals
Many of us who go looking for Black Friday deals have something specific in mind, such as a new laptop or a games console. It’s also likely that many of us will visit well known and trusted retailers, including Amazon, Walmart or BestBuy to look for deals.
But to drum up interest in Black Friday, many online retailers will also send out promotional emails, offering people the chance to click through for bargains. Cyber criminals know this and send out fake versions of these emails.
“People are looking at their inboxes looking out for deals, looking for links they can click to get discounts – so it just creates a very ripe environment for criminals trying to social engineer people,” says Mike McLellan, director of intelligence at the Secureworks Counter Threat Unit.
Those emails could direct victims towards sites that send out phony products, or don’t send out anything at all, with fraudsters just taking the money and running.
There’s also the risk that, if the fake website is based on a popular retailer, the attackers will use a phishing page to ask victims to log in to their account – stealing their username, password and any other sensitive information associated with the account.
If you receive an email that offers Black Friday deals – particularly if it claims to be from a retailer whose mailing list you don’t remember signing up to – be cautious. Visit the retailer directly rather than clicking on the link to avoid the potential pitfall of visiting a phony or malicious site.
If you haven’t heard of the retailer before, be wary and do your research
The online-shopping industry is a huge sector – and while there are large numbers of well known, big retailers that offer opportunities for online purchases, there are also plenty of independent shops and individual sellers that have the opportunity to sell their products to a significant audience in the run-up to the holidays.
Many of these smaller retailers will be entirely legitimate, offering customers the opportunity to buy items, perhaps even at a better price than major retailers are offering. However, scammers know that people are looking for bargains and look to direct potential victims to storefronts of online retailers that might not even have products at all.
Shoppers could be directed to these fake stores by phishing links, scammers pushing sites up search engine rankings or links on hijacked social media. If you haven’t heard of a retailer before, be sure to research it to check whether it’s a real and trusted website, particularly by looking at any reviews that might have been left, which could point to issues.
“I urge shoppers to be cautious of where and who you’re buying from. Our figures show that most scams last year involved mobile phones and electronics, so always shop with official retailers and don’t be enticed by deals that seem too good to be true,” says Pauline Smith, head of Action Fraud.
In the rush to grab a bargain, you might not cast your eyes up at the web address bar – but if you do, you might just protect your details from being stolen.
If you can see a little padlock symbol to the left of the URL, that means the site is secured by HTTPS, which means your connection is secure and any private information sent to the site, such as passwords or bank details, is kept private. That usually points to the website being secure and safe to use – although sometimes cyber criminals can secure an HTTPS padlock in an attempt to trick users.
When making online payments, a recommendation from the NCSC is that, if possible, online shoppers should use a credit card instead of a debit card – because using a credit card comes with greater protections, with many credit card providers obliged to refund money if you’re a victim of fraud.
Using a credit card that’s separate from your main bank account can also be helpful, because in the event of your credit card details being stolen, your main bank account won’t be directly affected.
Using platforms like PayPal, Google or Apple Pay can also help to keep your bank details safe from being stolen.
Be wary of ‘missed delivery’ messages
It isn’t just at the buying stage that cyber criminals try to lure people into scams; the increased demand for online shopping means that shoppers are relying on delivery companies more than ever – and cyber attackers know this.
That’s why fraudsters are sending out large numbers of messages claiming to be from delivery companies including DHL, UPS, Royal Mail, Evri, and many more.
These messages arrive as emails or SMS messages and claim that either you were out and missed a delivery or there’s been an issue with the postage costs that requires you to pay a fee.
The attackers won’t have any idea if the victim – who is being sent the message as part of a mass-phishing campaign – has bought something being delivered by that company or not. But the sheer number of deliveries being made around Black Friday and the holiday shopping season means that people will be expecting packages – and they can be tricked into following the links.
What they find are websites that could look almost identical to the real delivery companies and they’re likely to be asking people to enter passwords or bank details, which are then stolen and used to commit further cyber crime.
Therefore, in order to stay safe, it’s best to avoid clicking on ‘missed delivery’ links, particularly in text messages from unknown numbers.
“When it comes to text messages coming from people that you don’t know or an email, I would just ignore it. Don’t click on text messages, or WhatsApp messages that come in,” says Rachel Jones, CEO of SnapDragon Monitoring, an online brand protection provider.
It’s also worth remembering that many delivery firms won’t ask you for an additional payment, especially via text message. And if you have made an order, you’ll likely have received an official and legitimate tracking link when you made it – so if you are waiting for a delivery, you can check the status of the order using that link.
Protect your accounts with a strong password and multi-factor authentication
Many Black Friday scams see cyber criminals directly targeting people’s wallets, but it’s important to remember that stealing bank details isn’t the only way there’s money to be made – crooks can also profit from stealing usernames and passwords of accounts, too.
Cyber criminals send large numbers of phishing emails that claim to be from retailers and service providers including Apple, Amazon, Microsoft and Google – and the aim of these attacks is to get hold of logins.
Sometimes these emails will claim there’s a problem with your account, while sometimes they’ll claim a purchase has been made, or state you’re due a prize or a refund. No matter what lure they use, the aim of the attackers is to trick you into entering your username and password on a phishing site – which they’ll then be able to use to access your account.
Then there are times where attackers might not even need a phishing email – they might be able to simply use a brute force attack to breach your account if it’s secured by a common or weak password.
The attackers could sell this information on underground forums, or they could use it to steal your data themselves and commit fraud in your name.
A strong password can help to prevent hackers from cracking your account, while using MFA means there’s an extra barrier against attacks – and one that can alert you to potentially suspicious activity, particularly when you’re doing a lot of online shopping.
“Sadly, we know that criminals will look to exploit consumers at this time of year, which is why good cybersecurity has such an important role to play,” says Lindy Cameron, CEO of the NCSC.
And in the event of discovering a password has been stolen, it should be changed immediately.
And remember… if it sounds too good to be true, it probably is
In the hunt for Black Friday bargains, it could be easy to be taken in by massive discounts, particularly for items that are in high demand.
So, it’s worth remembering when shopping for Black Friday deals – or shopping at any other time of year – that you should be thoughtful and keep in mind that, if a deal seems too good to be true, it probably is. And it might be better for you to be safe rather than sorry.