Ahhh, the holidays are upon us. Plenty of family time, food, and most importantly, shopping. Lots of shopping.
The growth in ecommerce shopping is hardly shocking, especially considering the effects of the COVID-19 pandemic. Black Friday and Cyber Monday deals are largely advertised and honored for most of the month, since fewer people than ever are shopping in-person.
Right now, ecommerce is experiencing tremendous growth with an expected global valuation of $6.6 trillion dollarskas in 2021. This is a 40% increase in just two years. Not surprising, then, that scammers would attempt to profit from this trend, especially as people prepare for holiday shopping.
Many consumers have likely already received emails advertising month-long deals or upcoming Black Friday specials. Common sales tactics will encourage consumers to buy as soon as possible, as stock is limited, and shipping complications necessitate early shopping.
We’re not here to tell you that online shopping is overly risky or that you shouldn’t want to take advantage of the latest lightning deal from Amazon.
However, holiday shopping and the stress allotted to the average consumer throughout the holiday season makes this a prime time for bad actors online.
As we’ve covered in other blog posts, not every phishing technique is as obvious as an email from an unfamiliar email address that is riddled with grammatical errors and it asking you to send $10,000 to Nigeria.
The latest techniques are significantly more effective and complicated than that.
Kaspersky Security Network recently released their research findings of threat detections and ecommerce phishing over a period of time ranging from January 2020 to November 2021. Here are some of their key findings:
- During the first 10 months of 2021, Kaspersky products detected 40,584,415 phishing attacks targeting e-commerce and e-shopping platforms, as well as banking institutions.
- The total number of financial phishing attempts targeting e-payment systems more than doubled from September 2021 (627,560) to October 2021 (1,935,905), showing a 208% increase.
- Amazon was consistently the most popular lure used by cybercriminals to launch phishing attacks. The second most popular was, for most of 2021, eBay, followed by Alibaba and Mercado Libre.
- The number of financial malware infection attempts dropped by half from 20.5 million in 2020 to 10 million in 2021.
- In 2021, 11 malware families were actively targeting online shoppers. More than 50% of malicious activity this year belongs to Zbot.
- From January 2020 through October 2021, the most targeted ecommerce platforms were in e-shopping (eBay, Alibaba, etc.) and entertainment (streaming services, online games) with 30.61% of attacks.
Phishing is one of the oldest tricks in the book, precisely because it’s easy and commonly successful — especially when customers are in a hurry to advantage of a deal that sounds too good to be true. As the holiday shopping season approaches, including Black Friday, cybercriminals have been trying to create faux web sites to phish for customers’ credentials.
The good news is they’ve been using well-known schemes, which means customers can stay secure if they’re educated on the most frequently used tactics.
One of the most common scams is to create a fake website offering great deals for popular shopping portals. Researchers uncovered such phishing pages for Walmart, eBay, Amazon, Alibaba, and Mercado Libre in various languages.
Some of these webpages promise special pricing or a giveaway, either because of a random drawing or in exchange for completing a survey. This will often involve completing that includes your login information. Once completed, the bad actors will have your information.
Of course, cybercriminals do not limit their malicious activity to ecommerce-related phishing scams. Banking Trojans are traditional tools for stealing access credentials to online banking or payment system accounts.
Some banking Trojan families have evolved and developed their functionality, launching new variants and extending their range. Today, most of them are able to perform transactions, download other malware and more. And some of them target not only people using online banking, but online customers of certain stores.
At the end of the day, shoppers love good deals, and this time of year is rife with them. However, this time of year is also great for bad actors. These bad actors will continue trying to profit off online shoppers and exploit popular shopping periods. As new e-commerce platforms arise, which most likely will become popular and easy targets, it’s important to stay vigilant.
Here are some safety recommendations to keep in mind:
- Use a reliable security solution that identifies malicious attachments and blocks phishing sites on both your computer and mobile device.
- Do not open attachments or click on links in emails from banks, ecommerce apps, or shopping portals, particularly if the sender insists. It is better to go to the official website directly and log in to your account from there.
- Double-check the format of the URL or the spelling of the company name.
- Be wary of any deals that seem too good to be true. They typically are.
- To protect your data and finance, make sure the online checkout and payment page is secure. You’ll know it is if the web page’s URL begins with HTTPS instead of the usual HTTP; a padlock icon typically appears beside the URL, and the address bar in some browsers is green. If you don’t see this, do not proceed.
- Keep your security and operating system up to date.
- Make sure you’re on a secure network. Logging on to the public Wi-Fi at the local coffee shop makes it far easier for attackers to access your online activity. It’s also better and safer to do online shopping on your own computer or device.
- Despite taking as many precautions as possible, you probably won’t know something is amiss until you see your bank or credit card statement. Check your statements online, on a regular basis, throughout the shopping season.
Stay safe out there. And, of course, happy holidays.