Be cautious of the 'order confirmation' email. It could be a malware attack

We all indulge in a bit of online shopping in preparation for the holidays, so getting an order confirmation for an in-store pick up with a link below might tempt you to open that link. If you do, you'll be playing right into the hands of the scammers. Do not click on it. 

  • close
    Joe Abbey, Arxan Technologies' director of software engineering, displays on his computer how he hacked into a phone app during a demonstration at the Black Hat USA 2014 cyber security conference, in Las Vegas. Experts say systems grow more susceptible to attack with more user-friendly websites and apps.
    AP Photo/David Becker/File
    View Caption
  • About video ads
    View Caption

You've no doubt been doing a bit of online shopping in preparation for the holidays, so getting an order confirmation email from a store like Target, Home Depot, Walmart or Costco most likely wont set off any alarm bells for you.  After all, you probably think you know how to spot an email scam from a mile away: there are the misspelled appeals for cash, the promises of future riches and, of course, the desperate signatures of unjustly usurped Nigerian princes. But those seemingly innocent order confirmations may be just as sinister as the grammatically incorrect ramblings of your Nigerian pen-pal.

As noted in a recent post on Krebs on Security, phishing scams, where cyber-criminals craft fake but authentic-looking emails from trusted companies in order to steal your personal information, are becoming increasingly common--especially during the holiday season. Here's how it works: You get an email with the subject line "Thank you for shopping at Target!" You click on it, and the body of the email looks something like this:

This probably strikes you as a little odd-- maybe you don't remember buying anything from Target, or maybe you did order something, but didn't opt for in-store pickup. Either way, you're gonna be tempted to click on that link to get to the bottom of this, and if you do, you'll be playing right into the hands of the scammers. See, that link won't lead you to Instead, you'll be redirected to a foreign site that will automatically download a .ZIP file filled with malware designed to hack your computer and steal things like your credit card numbers, your banking information, and your sensitive personal data. Sometimes this malware will be disguised as an attachment which the email text will implore you to open, but no matter how it's presented, you should NEVER click on it!

Luckily, it's easy to spot a phishing scam once you know what to look for.

If you're a frequent online shopper, you'll know that you usually receive an order confirmation immediately after you make a purchase online. If you're getting emails with subject lines like "Order Confirmation" "Acknowledgment of Order" "Order Status" or "Thank You for Your Order" and you haven't bought something within the last 15 minutes, it's safe to say they're not legit. Also, look out for misspellings, poor grammar and weird send-offs. For example, the above email is riddled with red flags, like: "You may pick it in any store of closest to you within four days." It is highly improbable that a company like Target would ever include such a glaringly incorrect sentence in what is supposedly an auto-confirmation email. Scammers often purposely include typos, as people who don't notice them are more likely to fall for their tricks. If you get an email that looks like it's from a store you DID recently order from, make sure you double check the address of the sender.

If you get an email from Target but the sender's address is, it's a scam. Also, take care to hover over all the links in the body of the email. If they seem to be directing you somewhere other than the official store website, don't risk it. Most retailers let you check your order status and history on their store pages, so go there first if you get a fishy (or phishy) looking email. Finally, phishing scams don't only happen during the holidays. Here are a few things to look out for if you want to stay safe from scammers year-round:

  1. Password reset requests from Facebook, Twitter, Tumbler and other social networks -- Facebook says it clearly in its security policy: "Facebook will never request your password over email, and we advise against providing your login information to anyone under any circumstances." Don't fall for this!
  2. "Urgent" messages from banks, health insurance companies or government agencies asking you to provide personal information -- IT'S A TRAP! Sophisticated hackers often use this trick, and link to a form for you to fill out on website that looks just like your bank's. But entering your info here will almost certainly result in identify theft down the road.
  3. Messages from contests or lotteries you've never heard of -- Sadly, you can't win a contest you didn't enter. Mark these million-dollar emails as junk and don't look back. 

The Christian Science Monitor has assembled a diverse group of the best personal finance bloggers out there. Our guest bloggers are not employed or directed by the Monitor and the views expressed are the bloggers' own, as is responsibility for the content of their blogs. To contact us about a blogger, click here. To add or view a comment on a guest blog, please go to the blogger's own site by clicking on the link in the blog description box above.


We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.