Now that the holiday season has arrived, online retailers are experiencing increased volume as shoppers look for deeply discounted sale events and efficient ways to purchase gifts. As CNBC reports, e-commerce sales are expected to rise as much as 22 percent through the holidays this year, reaching up to $134 billion in goods sold. While this upward trend in e-commerce traffic is a boon for online retailers big and small, it also draws a far less welcome crowd: cybercriminals.
Online shoppers have long been a prime target for attackers, and falling victim to one of these scams does not only affect you personally; it can also compromise the company you work for. According to a recent survey, 64% of employees said they plan to make online purchases from the office this holiday season. That means an online shopper who is targeted is not only putting their personal information at risk, but is also exposing their corporate network and fellow employees.
The good news is that there are some simple things you can do to help minimize the risk to yourself and the company you work for. Here are some tips to help you avoid a phishing attack or other online scam this holiday season.
Check the URL for Misspellings and Fake Websites
While it may appear that you’re using a secure site to make a purchase, attackers frequently build fake sites that specifically emulate the look and feel of the “secure payment page” you’re used to seeing. One of the tricks they use, known as typosquatting, is to register a domain name very similar to the one you are looking for, but with a small change in the spelling. A quick glance at the address bar in your browser will often not be enough for you to notice that the URL is incorrect and that you are actually at a bogus website. Note that the padlock icon does not help here: the attacker can obtain a valid HTTPS certificate for the lookalike domain just as easily as a legitimate retailer can, so an encrypted connection only proves you are talking to whoever owns that domain, not that the domain is the one you meant. This is a very simple trick, but we have seen even seasoned IT professionals miss these little changes. Someone in your organization who is not an IT professional is even less likely to notice that “wallmart.com” is misspelled with an extra “L” in the name.
Fake websites are one way that criminals may try to steal your information, and they are especially potent when they are paired up with fake shipping notifications and phishing emails.
Be On Guard for Phishing Emails
Phishing emails remain one of the most effective tools in the hackers’ toolbox. Those hackers will attempt to steal your identity and passwords by sending you an email asking you to verify your personal information. Since this is a time of year when we are receiving so many legitimate shipping notices, and since we are often anxious to make sure a package arrives on time, it is easy to fall victim to one of these fake email communications.
A cybercriminal may send you an email that looks like it comes from a legitimate shipping service such as UPS, FedEx or USPS, or even a retail website like eBay or Amazon. The message will say something like “there was a problem with your shipment and your package cannot be delivered until you confirm your order information.” This is a phishing email. They are trying to get you to click a link in that email which will send you to a website that also looks legitimate, but which exists solely to capture your login and payment details. If you enter that information into the fake site, it will tell you everything is now “OK”, but you have just willingly handed over your credentials. Keep in mind that the visible text of a link in an email can say anything at all; the real destination is in the link itself, and hovering over it will usually show you where it actually goes.
If you are legitimately concerned that there may be a problem with an order, never click a link in the email. Instead, open a new browser window and go directly to the retailer’s or carrier’s site by typing the address you already know. You can log in with your credentials and check your orders to see whether there is a problem or not.
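The two checks described above, that a link’s real destination is a lookalike of a brand you trust and that the text shown for a link names a different site than the one it actually opens, can be automated. The following is an added example written for this article, not code from the original post or from any vendor; the trusted-brand list, the public-suffix simplification and the sample email HTML are all constructed for illustration.

```python
"""Added example (not from the original post): flag lookalike shopping
domains and mismatched links in a phishing email. The brand list and the
sample HTML below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of brands the user actually shops with (hypothetical).
TRUSTED_DOMAINS = {"walmart.com", "amazon.com", "fedex.com",
                   "ups.com", "usps.com", "ebay.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution per step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-part
    public suffixes such as co.uk; a real check would use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<brand>' or 'unknown' for a hostname."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    for brand in sorted(trusted):
        brand_name = brand.split(".")[0]
        # Brand used as a subdomain of some other domain
        # (amazon.com.account-verify.example).
        if host.startswith(brand + ".") or f".{brand_name}." in f".{host}.":
            return f"lookalike:{brand}"
        # Small spelling change in the registered name (wallmart, amaz0n).
        # Heuristic: allow 1 edit for short brand names, 2 for longer ones.
        max_distance = 1 if len(brand_name) <= 5 else 2
        if levenshtein(reg.split(".")[0], brand_name) <= max_distance:
            return f"lookalike:{brand}"
    return "unknown"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """For each link: real destination host, its classification, and
    whether the visible text names a different site than the destination."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest_host = urlparse(href).hostname or ""
        shown_is_url = "." in text and " " not in text
        mismatch = False
        if shown_is_url:
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            mismatch = registered_domain(shown_host) != registered_domain(dest_host)
        findings.append({"href": href, "host": dest_host,
                         "verdict": classify_host(dest_host),
                         "display_mismatch": mismatch})
    return findings


# Constructed sample: one honest link, one typosquat, one brand-as-subdomain
# whose visible text claims to be amazon.com.
SAMPLE_EMAIL = """<p>There was a problem with your shipment.</p>
<a href="https://www.ups.com/track?id=1Z999">https://www.ups.com/track</a>
<a href="http://wallmart.com/orders/verify">Confirm your order</a>
<a href="https://amazon.com.account-verify.example/login">https://www.amazon.com/your-account</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

Only the first link in the sample comes back as trusted; the second is flagged as a lookalike of walmart.com by edit distance, and the third is flagged both because the brand name is merely a subdomain of an unrelated domain and because the text shown to the reader names a different site than the link opens. The registered-domain helper is deliberately naive about public suffixes; for production use, resolve the registrable domain with the Public Suffix List.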
Confirm that Charities and Websites are Legit
Cybercriminals may also send you an email asking for a donation to a seemingly legitimate charity. Unfortunately, sometimes these charitable websites are a scam, and you may end up giving money to a fake organization. Even worse, you may be giving financial information to someone who will not only process it for the “donation” you agreed to, but will also steal that information to make other online purchases or sell your information to other cybercriminals.
The BBB suggests cross-checking a charity with give.org to make sure your money is going to the right place. Additionally, if you are entering your credit card or other personal information onto any website, do your research and make sure they are legitimate. If you find a site with a deal that seems too good to be true, it probably is.
Be Wary of Unusual Requests
The Federal Trade Commission warns shoppers to be careful of how they pay. If someone wants you to pay with cash, a prepaid debit card, a gift card, or by wiring money, this could be indicative of a scammer.
This same scam can hit your company in other ways too. A common compromise we see is an impersonation attack, often called business email compromise, in which an attacker pretends to be someone you know, such as your CEO, and asks you to do something like wire a payment to a vendor because you “have an important order that needs to be shipped out to a client overnight.”
It is easy to want to jump at this request from the CEO and make that transfer, but slow down for a moment when these requests come in, especially if they are out of the ordinary for you and your company.
If your CEO has never emailed you asking to make a wire transfer before, this request should be a red flag that it may be a scam. Take a few minutes to reach out to the CEO, but NOT by replying to the email: if their mailbox was compromised, or the sender address was simply forged, you will be communicating with the attackers. Call them instead, using a phone number you already have on file rather than one printed in the email, to confirm that they really made the request.
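The warning signs in a CEO-impersonation email are mostly visible in its headers: a familiar display name on an outside address, a Reply-To that quietly redirects your answer somewhere else, and a failed sender-authentication result. The following added example, which is not code from the original post or from Envision, shows how a mail gateway or a help-desk triage script could flag such a message before anyone acts on it. The company domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Added example (not from the original post): spot executive
impersonation from message headers before acting on a payment request.
Company domain, executive directory and sample messages are constructed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}     # hypothetical directory
PAYMENT_WORDS = ("wire", "transfer", "gift card", "urgent")


def impersonation_flags(raw: str) -> list:
    """Return a list of flag names raised by the message headers and body."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    flags = []

    # 1. Display name of a known executive, but not their directory address
    #    (covers both lookalike domains and free webmail accounts).
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        flags.append("exec-name-mismatch")

    # 2. Reply-To points somewhere other than the From address, so a reply
    #    goes to the attacker even if From was forged as the real person.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if addr.lower() != from_addr.lower():
            flags.append("reply-to-diverts")
            break

    # 3. Receiving server recorded a failed SPF/DMARC check for the sender.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        flags.append("auth-fail")

    # 4. The message asks for money or a rush; on its own this is normal,
    #    combined with any flag above it calls for a phone call.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("payment-request")
    return flags


def requires_callback(raw: str) -> bool:
    """True when a payment request arrives with at least one identity flag."""
    flags = impersonation_flags(raw)
    return "payment-request" in flags and any(f != "payment-request" for f in flags)


# Constructed sample: lookalike sender domain, diverted Reply-To, DMARC fail.
SUSPECT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.net>
Reply-To: jane.doe.ceo@mail.example.org
To: accounts@example.com
Subject: Urgent wire needed today
Authentication-Results: mx.example.com; dmarc=fail header.from=example-corp.net

Please wire $48,000 to the vendor below so the client order ships overnight.
"""

# Constructed sample: ordinary internal mail from the real address.
LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday

Are you free Friday?
"""

if __name__ == "__main__":
    print(impersonation_flags(SUSPECT_MESSAGE), requires_callback(SUSPECT_MESSAGE))
    print(impersonation_flags(LEGIT_MESSAGE), requires_callback(LEGIT_MESSAGE))
```

The script never decides a transfer is legitimate; a clean result only means nothing obvious is wrong with the headers. A compromised mailbox sends mail from the real address with passing authentication, which is exactly why the article’s advice to confirm by phone still applies even when no flag is raised.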
What to Do If You Believe You’re the Victim of an Attack
If you think you’ve accidentally fallen victim to a holiday phishing scam or malware campaign, the United States Computer Emergency Readiness Team has compiled a list of several actions to either help repair the damage done or prevent similar attacks from happening in the future:
1. Contact your bank/financial institution ASAP and close any accounts that may have been targeted.
2. Watch your bank account for any suspicious or random charges.
3. File a complaint with the FBI’s Internet Crime Complaint Center.
4. Report the attack to your local police.
5. File a report with the Federal Trade Commission.
6. Immediately change any passwords you may have revealed and avoid using those passwords in the future. It’s always wise to avoid reusing the same password on multiple sites, to use a long, unique password for each account (a password manager makes this practical), and to turn on multi-factor authentication wherever the site offers it, so that a stolen password alone is not enough to log in.
What to Do If You Believe Your Company’s Security Is Compromised
In addition to following the suggestions listed above, if you believe you or someone at your business has been hacked or compromised in some way, the first thing you need to do is to report the problem to your IT department or provider. While you may be embarrassed to have fallen victim to an attack, your #1 priority in this instance should be to get the help you need so that the problem does not grow.
Your company should have a process in place to report suspected attacks. Learn what that process is, and if you do not have procedures in place, Envision can help establish cybersecurity protections and policies in your organization.
Our Chief Technology Officer, Jeff Wilhelm, offered some great advice when asked how to avoid cybersecurity attacks:
“My top tip is to be present. It’s so easy to just click on things, or assume that you are expecting a document that might look sort of relevant, or that a download is safe. If people took an extra two seconds to think about those sorts of things, I bet half of the issues related to security would disappear.”
Explore our cybersecurity services to find out how you can further protect your organization and its people.