Modern field guide to security and privacy

Cybersecurity experts' guide to outwitting Black Friday and Cyber Monday scammers

Watch out for bogus e-mails and copycat sites designed to mimic big brands, hang up on unknown callers warning you're an identity theft victim, and never use public WiFi to make a purchase.

Reuters/File

Flex your fingers. Find a comfortable place to sit. We're heading into one of the biggest shopping weekends of the year.

An estimated 135 million Americans say they're planning to partake in Black Friday, Small Business Saturday, and Cyber Monday, and nearly half of them, according to the National Retail Federation, are expected to make purchases online. But before you begin mashing "checkout" buttons, consider security.

According to a recent study by criminologists at the University of South Florida, people who use the Internet at home are more likely to be victims of online crime. That's because the study found that people engage in riskier online activities in private as opposed to when they are online outside the home and in the office. The researchers theorize that people conflate the safety of their home with that of their online behaviors, opening them up to various types of attacks.

This holiday season, phishing schemes, mobile threats, and social engineering attacks are among the most common types of threats. But greater vigilance can help everyone be safer online, especially when handing over personal information and banking details to online retailers. Here's what security experts recommend for outsmarting the online crooks:

Phishing and spear-phishing e-mails

Phishing e-mails and their more targeted incarnation, spear-phishing e-mails, are likely to make their way into your inbox at some point, said Greg Mancusi-Ungaro, chief marketing officer of security firm BrandProtect.

Many of them are disguised as offers from trusted brands and large retailers, and are often sent from a known contact's compromised e-mail address, he said. It isn't just a threat for those who aren't particularly Internet-savvy – even Mancusi-Ungaro fell victim to a phishing attack this year. "We’re all susceptible, we’re all busy," he said. 

Mr. Mancusi-Ungaro recommends taking a few extra seconds to assess an e-mail. If it says you can get a great deal on a new Nikon camera, for instance, check the official Nikon site to see if that’s really true, and buy from the official site. If you don't recognize the name of the company, he said, don't buy from them.

Be wary of copycat sites, which are pages that look similar to a familiar companies' sites. Adam Levin, chief executive officer of identity threat detection firm IDT911, said many people take a good first step by checking for the lock icon in the URL bar, indicating a secure connection between the user and the site. But even copycat sites can have that lock.

Mr. Levin recommends going a step further to check the address bar to make sure the URL is correct. Many phishing sites, he said, use a slightly misspelled variation of an official site to trick users.

Someone calling to 'verify' personal information

Another threat to be on the lookout for, Levin said, is someone calling for an urgent situation to get personal information. Ironically, he said, they say they are calling because you may be a victim of identify theft, and they'll ask to verify personal information.

His company often gets reports of attackers attempting to trick people into believing they are identity theft victims, and then getting those victims to reveal personal information such as Social Security numbers. "Once you do that, you’re doomed," he said.

Levin said IDT911 is seeing an uptick in this kind of scam when it comes to smart chip cards. Known as EMV cards, the credit and debit cards are considered safer alternatives to signature and pin cards, and are widely used across Europe. As banks are rolling out the new cards, Levin said criminals are targeting consumers with "verification" scam calls, capitalizing on consumers' unfamiliarity with the new cards in an attempt to steal personal information.

In this case, protecting yourself is as easy as hanging up, Levin said. Should someone call you with a similar scenario, don’t let the urgency of the situation overwhelm you. If the person says they are from your bank, hang up and call the number your bank lists on the back of your card or on their website.

Mobile threats

According to the National Retail Federation's survey of online shopping, about 21 percent of the 7,200 consumers polled last month said they intended to do some holiday shopping with their smartphone. Mobile shopping brings its own pool of threats, said Paul Henry, mobile forensics consultant for Blancco Technology Group.

Many people use public WiFi on their mobile devices, opening themselves up to man-in-the-middle attacks, in which a third party intercepts someone’s internet traffic, such as credit card information.

Apps are another inherent area of concern for mobile, Mr. Henry said, because of the amount of information they collect. That means when downloading any new apps, notice the permissions they ask for, including whether or not they require access to your contacts. And make sure the apps you’re downloading are from the official app store – Google’s Play Store or Apple’s App Store.

In Henry’s perfect world, he would tell consumers, "Don’t use your mobile device, use your desktop." But if you do decide to use a mobile device for holiday purchases, he recommends taking screenshots of the checkout page as an extra record of what was purchased and at what price. 

Check your bank statements daily

All three experts emphasized that the only way to get ahead of any suspicious bank activity is to check your bank statements daily to look for discrepancies.

BrandProtect’s Mancusi-Ungaro recommends signing up for purchase alerts from your bank or credit card provider to be notified whenever a purchase is made. It might seem like overkill, he said, but it can help detect small phishing amounts attackers often use to test whether or not they can put a larger amount on.

Even after the holidays end, they said, consider keeping up some of these security practices for year-round vigilance. "It’s not just being on your toes for two weeks in November and December," Mancusi-Ungaro said. “It’s being on your toes all year round."

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Cybersecurity experts' guide to outwitting Black Friday and Cyber Monday scammers
Read this article in
https://www.csmonitor.com/World/Passcode/2015/1125/Cybersecurity-experts-guide-to-outwitting-Black-Friday-and-Cyber-Monday-scammers
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe