
The days are shorter, the nights are colder, and it’s the holiday season—the most wonderful time of the year… for cybercriminals.

Things haven’t gotten entirely back to “normal” yet after last year’s pandemic holiday season – especially for the retail and e-commerce sector. Although shoppers are more likely to return to brick-and-mortar malls and stores this year, many will still rely on online shopping and digital gift cards. Gift cards are a common vector for cybercriminals because stealing the money loaded onto them is like stealing cash. Once they have it, there’s no way for a victim to get it back. 

With the global supply chain shifts impacting some purchase plans, many people are getting a head start on their holiday shopping – not to mention that with COVID-19 spikes in some places, some people are still wary of big crowds. Those two factors are likely to spur more online purchasing – and gift cards will be in high demand, too. Cybercriminals know this and are ready to strike.

So, what can you do to have a cyber-safe holiday season? Here are some of the most common cyber threats to prepare for and actionable tips on how to avoid them. 

Online Gift Scams

If you’ve ever received an email asking you to help someone with an emergency, and that email asked for a gift card as payment, it was most likely a scam. Thieves have come up with creative ways to manipulate gift cards sold in stores, like scratching off the protective coating to steal the PINs and then replacing the layer with a sticker so it looks brand new. Scammers will add those PINs into software that alerts them when someone has purchased and activated that gift card, then drain all its funds. 

The easiest way to avoid becoming the target of a gift card scam is to be vigilant and follow these best practices: 

  1. You’ve probably heard it a million times, but the first thing you should do is set strong passwords for all your online accounts and use a different password for each site. Password management apps are great for keeping track of your various accounts.
  2. Update your login credentials and check your payment accounts regularly for signs of any unusual activity. Most banks and credit unions will give you a quick call if something looks awry.
  3. If you buy a gift card in a store, check it for signs of tampering before loading funds. And only buy them from retailers that keep them secured behind the checkout counter.
  4. Never agree to pay for online purchases in gift cards from an email. In these cases, the thing you’re trying to “purchase” probably doesn’t even exist. Shop with retailers you know and trust, and always ensure the site’s checkout system is secure. 

Zooming With Your Family? Watch Out for Phishing Scams

It’s not just shopping you need to worry about. It’s also online events. Since the pandemic hit, most of us have spent significant time on video meetings or met virtually with family or friends. This has opened up a new attack vector for phishing campaigns. These phishing attempts sometimes start with emails containing suspicious links that prompt you to download an updated version of your video conferencing software. The link directs you to a third-party website where you can download an installer. The installer then loads a remote-access Trojan on the host. This malware gives scammers access to all your sensitive data and information, which is then either sold on the black market or leveraged for identity theft. Other phishing attempts involve email invitations with links to video calls. These links will take you to a fake login page in an attempt to steal login credentials.

To avoid video-conferencing scams, always follow cybersecurity best practices. Look at the sender’s email address before clicking on any links or downloading attachments. In most cases, phishing emails are sent from addresses that do not contain a legitimate web address. If you think something is off, it probably is. 

Mobile Vishing and Smishing on the Rise

You might have noticed lately that you are getting more weird text messages or phone calls that remind you to update something or that your car warranty is about to expire. The text message scams are called “smishing”; the phone call versions are “vishing.”

Mobile phishing attempts are widespread for e-commerce shoppers. These messages typically contain a link that, once clicked, redirects you to a fraudulent website that is designed to extract your personally identifiable information (PII). Malicious apps can also be used to skim financial data and credentials.

Vishing calls can be successful social engineering scams—an urgent message about your recent order!—that trick you into providing login credentials or bank account information. Avoid vishing and smishing by confirming that the phone number or text message is legitimate before providing any information. And remember that banks and government agencies rarely contact customers or individuals by text. Call your bank directly to get to the bottom of it; they’ll be able to tell you whether or not it was legitimate and will report the incident to the appropriate authorities if it turns out that it was a scam.

Cyber Safe Holidays to All

Things have certainly changed from holiday seasons in the past, thanks to digital transformation and the tectonic shifts of the pandemic. But it is possible to have cyber safe holidays with a little bit of vigilance and education. If a deal seems too good to be true, it probably is. These cybersecurity safety tips are pertinent all year long, not just over the holiday shopping season. 

  • Never blindly trust an email, text message, or phone call, especially ones that come from unknown numbers or sources. 
  • Use common sense and keep your eyes open for phishing attempts. 
  • Update your login credentials regularly, and change up those passwords. 
  • Check out some free cybersecurity training and spread the word!

Here’s wishing all of you a safe and pleasant holiday season. 

About the author 

Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs. He formulates security strategy with more than fifteen years of cybersecurity experience, and his goal is to make a positive impact towards the global war on cyber-crime and information security. Lakhani provides thought leadership to industry and has presented research and strategy world-wide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders who help define the future of cybersecurity.