Be cautious of the 'order confirmation' email. It could be a malware attack

We all indulge in a bit of online shopping in preparation for the holidays, so getting an order confirmation for an in-store pick up with a link below might tempt you to open that link. If you do, you'll be playing right into the hands of the scammers. Do not click on it. 

AP Photo/David Becker/File
Joe Abbey, Arxan Technologies' director of software engineering, displays on his computer how he hacked into a phone app during a demonstration at the Black Hat USA 2014 cyber security conference, in Las Vegas. Experts say systems grow more susceptible to attack with more user-friendly websites and apps.

You've no doubt been doing a bit of online shopping in preparation for the holidays, so getting an order confirmation email from a store like Target, Home Depot, Walmart or Costco most likely won't set off any alarm bells for you. After all, you probably think you know how to spot an email scam from a mile away: there are the misspelled appeals for cash, the promises of future riches and, of course, the desperate signatures of unjustly usurped Nigerian princes. But those seemingly innocent order confirmations may be just as sinister as the grammatically incorrect ramblings of your Nigerian pen-pal.

As noted in a recent post on Krebs on Security, phishing scams, where cyber-criminals craft fake but authentic-looking emails from trusted companies in order to steal your personal information, are becoming increasingly common--especially during the holiday season. Here's how it works: You get an email with the subject line "Thank you for shopping at Target!" You click on it, and the body of the email looks something like this:

This probably strikes you as a little odd -- maybe you don't remember buying anything from Target, or maybe you did order something, but didn't opt for in-store pickup. Either way, you're gonna be tempted to click on that link to get to the bottom of this, and if you do, you'll be playing right into the hands of the scammers. See, that link won't lead you to Instead, you'll be redirected to a foreign site that will automatically download a .ZIP file filled with malware designed to hack your computer and steal things like your credit card numbers, your banking information, and your sensitive personal data. Sometimes this malware will be disguised as an attachment which the email text will implore you to open, but no matter how it's presented, you should NEVER click on it!

Luckily, it's easy to spot a phishing scam once you know what to look for.

If you're a frequent online shopper, you'll know that you usually receive an order confirmation immediately after you make a purchase online. If you're getting emails with subject lines like "Order Confirmation," "Acknowledgment of Order," "Order Status" or "Thank You for Your Order" and you haven't bought something within the last 15 minutes, it's safe to say they're not legit. Also, look out for misspellings, poor grammar and weird send-offs. For example, the above email is riddled with red flags, like: "You may pick it in any store of closest to you within four days." It is highly improbable that a company like Target would ever include such a glaringly incorrect sentence in what is supposedly an auto-confirmation email. Scammers often purposely include typos, as people who don't notice them are more likely to fall for their tricks. If you get an email that looks like it's from a store you DID recently order from, make sure you double check the address of the sender.

If you get an email from Target but the sender's address is, it's a scam. Also, take care to hover over all the links in the body of the email. If they seem to be directing you somewhere other than the official store website, don't risk it. Most retailers let you check your order status and history on their store pages, so go there first if you get a fishy (or phishy) looking email. Finally, phishing scams don't only happen during the holidays. Here are a few things to look out for if you want to stay safe from scammers year-round:

  • Password reset requests from Facebook, Twitter, Tumblr and other social networks -- Facebook says it clearly in its security policy: "Facebook will never request your password over email, and we advise against providing your login information to anyone under any circumstances." Don't fall for this!
  • "Urgent" messages from banks, health insurance companies or government agencies asking you to provide personal information -- IT'S A TRAP! Sophisticated hackers often use this trick, and link to a form for you to fill out on a website that looks just like your bank's. But entering your info here will almost certainly result in identity theft down the road.
  • Messages from contests or lotteries you've never heard of -- Sadly, you can't win a contest you didn't enter. Mark these million-dollar emails as junk and don't look back. 
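The checks described above (does the sender's address belong to the store, where do the links really point, and is there a .ZIP waiting at the other end) can be automated for a mailbox or a mail gateway. The following Python script is an added example, not code from the article or from any retailer; the sample messages are constructed, the list of "trusted" domains per brand is an assumption for illustration, and the domain comparison is a deliberately simple two-label match rather than a full public-suffix lookup.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a fake "order confirmation" that claims to be from Target
# but is sent from, and links to, unrelated hosts (198.51.100.7 is a documentation
# address, not a real server).
SUSPICIOUS_EMAIL = """\
From: Target Orders <orders@target-shop-confirm.example>
To: shopper@example.net
Subject: Thank you for shopping at Target!
Content-Type: text/html

<html><body>
<p>Your order is ready for in-store pickup.</p>
<p><a href="http://198.51.100.7/pickup/order.zip">View your order</a></p>
<p><a href="https://www.target.com/help">Help</a></p>
</body></html>
"""

# Constructed sample of what a genuine confirmation would look like under the
# same assumed trusted-domain list.
LEGITIMATE_EMAIL = """\
From: Target Orders <orders@target.com>
To: shopper@example.net
Subject: Your Target order
Content-Type: text/html

<html><body><p><a href="https://www.target.com/orders/12345">Track order</a></p></body></html>
"""

# Assumed mapping of brand -> domains the brand really mails from and links to.
TRUSTED_DOMAINS = {"target": {"target.com"}}

RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr")


def _registrable(host):
    """Crude registrable-domain extraction: keep the last two labels.
    Good enough for the .com hosts used here; a real deployment would use
    a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw_message, brand):
    """Return a list of human-readable red flags for a message that claims
    to come from `brand`. An empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    trusted = TRUSTED_DOMAINS[brand]
    findings = []

    # Check 1: the sender's address must belong to the brand.
    sender_domain = msg["from"].addresses[0].domain if msg["from"] else ""
    if _registrable(sender_domain) not in trusted:
        findings.append(f"sender domain {sender_domain!r} is not a {brand} domain")

    # Check 2: what "hovering over the link" would reveal, for every href.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href in re.findall(r'href=["\']([^"\']+)["\']', text, flags=re.I):
        host = urlparse(href).hostname or ""
        if _registrable(host) not in trusted:
            findings.append(f"link {href!r} points outside {brand}")
        if href.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"link {href!r} downloads an archive/executable")

    # Check 3: the attachment variant of the same lure.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name!r} is an archive/executable type")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, "->", analyze(raw, "target") or "no red flags")
```

Run against the constructed suspicious message, the script reports three findings (foreign sender domain, a link to a non-brand host, and a link ending in .zip); the constructed legitimate message produces none. The script only reads headers and link text, it never fetches a URL or opens an attachment, so it is safe to run over a quarantine folder.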