Ahead of the upcoming shopping season, we’re spreading awareness of potential Black Friday and Cyber Monday security concerns affecting people who shop and sell online.
In anticipation of the upcoming holiday shopping season, we want to help spread awareness of potential Black Friday and Cyber Monday security concerns affecting people who either buy or sell products or services through digital means.
There are many scams that fraudsters attempt when targeting victims online. Falling for a scam can be as simple as clicking on an email link or visiting an insecure website where attacks take place in the background, without your knowledge or consent. Here we’ll cover common attacks and, more importantly, some practical advice to identify phishing and other attacks to reduce your chances of falling victim to online scams and fraud.
Perfect security is a myth
Security is all about trade-offs. Security can easily be achieved by disconnecting―but you can’t do anything without connecting. It’s just a fact that shopping online entails risks and so must be approached with awareness.
Image credit: The Verge on Twitter
Let’s use Amazon Key as an example. It’s great for customers who have had packages stolen from their doorsteps, and it ultimately reduces fraud and financial loss. But in the meantime, attackers―in this case, burglars―want to unlock houses that use Amazon Key. Through this service, an attacker could potentially unlock your front door. It would require a breach of some sort: attacking the organization, obtaining a valid key to unlock the door, or finding a software vulnerability in the smart lock software. But while Amazon might have escaped major breaches recently, it has had breaches in the past.
Myth busted?
Now the question concerns the trade-off between having a package stolen or your house broken into. Amazon Key is a risk issue. What I mean is that if you have stuff constantly stolen from your porch, the trade-off between the risk of your stuff being stolen and the risk of your house being broken into is actually a good one. Stuff being stolen is a common occurrence, but how many people have their houses broken into? We should acknowledge there are risks, but for many, Amazon Key is a good idea to reduce the loss of things they’ve paid for and ensure their packages remain safe. The door cannot be opened without consent, and there’s video. We also know:
- Who the drivers are
- Where they are
- How long they’ll stay in a place
So for those who choose to use Amazon Key, the risk is acceptable―and if you know the risks and don’t accept the trade-off, you just don’t use Amazon Key. But what about people who buy or sell online, where you don’t know who the “drivers” or “burglars” are, you can’t record them on video, and there are plenty of ways for attackers to access your information without your consent?
The method of a scammer
Scammers first approach you in a way to ensure you, or someone else, will fall for a scam. They spread a wide net through legitimate websites such as Craigslist, Amazon, and eBay. They also create fake advertisements and even e-commerce websites that can be found through online searches, email, or text messages.
To obtain sensitive information, scammers deploy a range of tactics to make victims hand over their information:
Once they’ve gained the trust of their victim, the scammers simply cash out, walking away with personal information such as the victim’s name, address, and date of birth. If the victim signed up on the fake website, the scammers have also captured the victim’s username and password, which the victim may have used elsewhere, such as on PayPal. Finally, scammers want to get as much cash from victims as possible and thus often capture credit card details or take money for items that do not exist.
With the immense volume of personal information being passed to websites, stored in databases, and even shared with third parties, it’s no wonder people are now calling data the new oil. The way we handle our data and provide data to companies, and the way they secure it, are the common factors in today’s identity theft cases. In 2017 the BBC released an article stating that 88% of recorded incidents occurred online.
Image credit: BBC News
As you can see, identity theft is increasing yearly. This might be from security breaches, where someone has found a way to gain a foothold within an organization, or from users entering or handling their personal information insecurely.
When scammers obtain your information―for example, through a data breach―they might attempt to do the following:
- Redirect your mail to a controlled address, such as a P.O. box.
- Take out loans in your name.
- Take out credit cards in your name.
- Take over your bank accounts.
- Destroy your creditworthiness.
- Make it difficult for you to get new credit or mortgages.
Scammers take over your devices
A data breach is out of a user’s control; however, the goal of scammers is not only to profit from you by impersonating you but also to gain control of your devices. This allows them to expand their attack surface so they can continue to benefit from you. Today’s criminals will attempt to persuade you to install malicious software on your devices―for example, keyloggers to exfiltrate every key you press. If they can install a keylogger, they can capture your credentials for every website you visit and read sensitive information in every email you write.
Scammers have a wide range of tools to get your information:
- Install remote access Trojans / spy software (keyloggers or software to take screenshots or access your camera or microphone).
- Intercept secured communications (such as on banking and online shopping sites).
- Install malware or ransomware and encrypt your files―payday!
- Install command-and-control (C2) software so you unwittingly control botnets and RATs.
- Install spam software so you unwittingly send millions of spam messages.
- Anything else they want.
Attacks
Phishing
Phishing is a common technique used by scammers, fraudsters, and other types of attackers. Phishing coerces a user into clicking a link. On the other end of the link is a method for scammers to either extract information from the user or spread malicious software.
Phishing doesn’t affect just the gullible; it can affect anyone. In fact, everybody knows somebody who has fallen victim to one of these scams:
- Generic emails, such