Beware of Holiday Scams: How to spot Fake Links and avoid Phishing Attacks



’Tis the season to be jolly, and between pre-holiday shopping and all the amazing deals that will be posted online for Boxing Day (that’s December 26th, for American shoppers), many of us will be avoiding the snow and shopping from the comfort of our homes, or between meetings on the company laptop as things wind down for the holidays.

But it’s important to remember that the season is not just about putting lights on the tree and stocking up on all kinds of drinks for expected (and unexpected) guests, nor is it only about ugly Christmas sweaters and mulled wine, cider and hot toddies. It’s also ‘the season to be wary’: wary of online shopping scams and last-minute deals that look too good to be true, because they may very well be exactly that.

Our guard is down as we relax a little and look forward to meeting friends, attending a few parties and enjoying some well-deserved downtime. The trouble is that scammers know this too, and each year they make a bonanza out of unwary, perhaps slightly tipsy, online shoppers looking for presents. During the 2024 holiday season the FBI’s Internet Crime Complaint Center received thousands of complaints about phishing and spoofing scams, which drained more than $70 million from victims, and the number of victims grows every year.

It’s not just the charges on your credit card or the packages that never show up; it’s identity theft and a heap of other dangers, including malware and even ransomware getting onto your computer, and by extension onto the company network if you shop from the office.



Typosquatting and Homograph Attacks

While shopping online, scams are getting harder and harder to detect. Even a careful look at the URL can mislead, because digits and even Cyrillic characters are substituted for letters. Careful examination of goog1e.com reveals the digit ‘1’ in place of the letter ‘l’, but most people in a hurry will not notice. This is known as typosquatting, and it is surprisingly common: fake URLs closely mimic real ones, such as “PayPa1” instead of “PayPal.”

Sadly, most people don’t even check the full URL of their online shopping cart, which may have been hijacked, before entering their credit card number and completing a transaction. On a phone or tablet, chances are the full URL isn’t even displayed. While Google has the money and foresight to register many of the domains that look close to its own, other online stores may not have the wherewithal or the resources to do so, especially once different Unicode character sets come into play. Criminals know this and are increasingly exploiting it.

These attacks are known as IDN homograph attacks. They trick users by replacing Latin letters with visually identical Cyrillic ones, such as Cyrillic ‘а’ (U+0430) for Latin ‘a’ or Cyrillic ‘о’ (U+043E) for Latin ‘o’, to build a fake site that steals credentials: www.google.com versus www.googlе.com, where the final ‘е’ is Cyrillic (U+0435). Other common stand-ins are Cyrillic ‘Т’ (U+0422) for ‘T’ and ‘Р’ (U+0420) for ‘P’. Apple’s www.apple.com can be spoofed as www.аpple.com (Cyrillic ‘а’), Microsoft’s www.microsoft.com can become www.microsоft.com (Cyrillic ‘о’), and the list goes on and on. Under the hood, a browser resolves such a name in its punycode form (a label beginning with xn--), and most current browsers display a hostname that mixes scripts within one label in that form rather than as the lookalike. The rules differ between browsers, however, and a lookalike built entirely from one script can still be rendered as Unicode, so do not rely on the address bar alone.

To avoid these attacks, it’s best to type the URL directly into the browser, or to use a well-established and trusted bookmark, rather than follow a link from another web site or an email. Avoid URL shorteners when shopping or banking, and hover over embedded links before clicking, as the link text might not match where it actually goes.

Social media and many web sites today are powered by syndicated ads, and the host site may have very little control over the legitimacy of those rotating ads. Look for red flags such as an “@” symbol within the URL or two web addresses combined using a question mark, especially if the first part looks like a trusted site such as Google.com or Apple.com. A browser treats anything between “://” and an “@” as a user name and connects to whatever follows the “@”; the real host is only the part up to the first “/”, “?” or “#” after that, and whatever follows the question mark is just a parameter handed to that host, often an address the page will redirect you to.

Avoid unknown but familiar-sounding domains. While https://www.ebay.com/mye/myebay/watchlist is legitimate, https://www.ebay.mywatchlist.xy is probably not: the registered domain there is mywatchlist.xy, and “ebay” is just a subdomain label that whoever owns that domain can create at will. And watch out for social media messages that ‘appear’ to be from friends you have not chatted with before. Never trust, always validate. Send the sender a question that only your real friend would know the answer to, or call them and ask whether they sent you a message via Facebook, WhatsApp, or whatever it was. Scammers often hijack or impersonate social media accounts belonging to people you know, so this is a common attack vector. If a message from a relative or friend suddenly sounds aggressive, sales-driven or out of character, especially if it includes a link, verify by contacting them directly before clicking.
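As an added example, not code from the original article, here is a small Python checker that applies the red flags from the last few paragraphs to a URL: digits standing in for letters, non-ASCII and mixed-script host labels (shown in the punycode form the browser really resolves), an “@” in the URL, a second address hidden after “?”, and a brand name used as a subdomain of someone else’s domain. The brand list and the sample URLs are constructed for the demo, and the “last two labels” rule for the registered domain is a simplifying assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample brand list for the demo (assumption, not from the article);
# a real deployment would use the brands your users actually shop with.
KNOWN_BRANDS = {"google", "apple", "microsoft", "paypal", "ebay"}

# Digit-for-letter swaps typosquatters rely on: goog1e, paypa1, micr0soft.
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def scripts_in(label):
    """Unicode scripts used by the letters of one host label, e.g. {'CYRILLIC', 'LATIN'}."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        # unicodedata.name('\u0430') == 'CYRILLIC SMALL LETTER A'; the first word names the script.
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_url(url):
    """Return a list of warnings about a URL; an empty list means no red flag fired."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""        # lowercased, with userinfo and port stripped
    labels = host.split(".")

    # Red flag 1: userinfo before '@'. The browser connects to the part after '@'.
    if parts.username is not None:
        warnings.append(
            f"'@' in URL: the browser will connect to '{host}', not to '{parts.username}'")

    # Red flag 2: a second address after '?', usually a redirect target.
    if "://" in parts.query:
        warnings.append(
            f"the query string embeds a second address ({parts.query}); "
            f"the page on '{host}' may bounce you there")

    for label in labels:
        if not label:
            continue
        # Red flag 3: non-ASCII label (IDN). Show the punycode the resolver really looks up,
        # and flag a label that mixes scripts, the classic homograph pattern.
        if not label.isascii():
            puny = label.encode("idna").decode("ascii")
            warnings.append(f"non-ASCII label '{label}' is really '{puny}'")
            scripts = scripts_in(label)
            if len(scripts) > 1:
                warnings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        # Red flag 4: digits standing in for letters of a known brand.
        deleet = label.translate(DIGIT_SWAPS)
        if deleet != label and deleet in KNOWN_BRANDS:
            warnings.append(f"'{label}' looks like '{deleet}' with digits swapped for letters")

    # Red flag 5: a brand name used as a subdomain of someone else's domain.
    # Assumption: the registered domain is the last two labels; suffixes such as
    # co.uk would need the Public Suffix List for an accurate answer.
    registrable = ".".join(labels[-2:])
    for label in labels[:-2]:
        if label in KNOWN_BRANDS:
            warnings.append(
                f"'{label}' is only a subdomain here; the site you would reach is '{registrable}'")

    return warnings


if __name__ == "__main__":
    samples = [                                  # constructed examples
        "https://www.apple.com/",
        "https://www.google.com@evil.example/login",
        "https://www.\u0430pple.com/",           # Cyrillic a (U+0430) in place of Latin a
        "http://goog1e.com/",
        "https://www.ebay.mywatchlist.xy/",
        "https://www.apple.com/?next=https://evil.example/",
    ]
    for sample in samples:
        print(sample)
        for warning in inspect_url(sample) or ["no red flags"]:
            print("  -", warning)
```

Run it and the Cyrillic “аpple” sample is reported as its xn-- form, which is what the resolver actually looks up; the eBay lookalike is reported as a subdomain of mywatchlist.xy. Pasting a link from a suspicious email into a checker like this before clicking is cheap insurance.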



What to do if you have already clicked a scam link

If you’ve clicked on a suspicious link, the outcome depends on your device’s security protections. A firewall or antivirus software may block the threat automatically; without such protection, action may be needed. If you typed a password into the page, treat it as stolen: change it everywhere you use it, starting with your email account, and turn on two-factor authentication where it is offered.

Make sure your endpoint protection is up to date and watch for signs of malware, such as unusually slow performance, new pop-ups, or browser extensions you did not install. Reboot and run a full scan if you are concerned. Phones are not immune: if you suspect an infection, avoid using financial apps, clear your browser cache, delete unfamiliar apps or perform a factory reset, and contact your device’s tech support if needed.

Once you have confirmed that your device is running fine, check your bank and credit card accounts. This is especially important at this time of year. If you see a transaction you don’t recognize, first ask family members who may have access to your cards. Check the transaction date, as purchases may take a day or two to post, and merchants may not have a card ‘merchant name’ that matches the name they do business under. It’s not uncommon for a major brand such as a hotel chain to post your room charges under a merchant name you don’t recognize, because many hotel properties are franchises. Dates and amounts usually help sort this out, so check them against your calendar. If the charge remains unidentified, contact the institution and ask for clarification or report it as fraudulent. The card company will cancel your card and send you a new one, usually within 5 business days, or faster if you ask.

Report the scam: if you lost money, report the incident to the Federal Trade Commission and your local police department. Reporting helps authorities warn others and reduce future victims, but it does not by itself reverse a charge: disputes go through your card issuer or bank, and under the Fair Credit Billing Act you generally have 60 days from the date of the statement showing the charge to dispute it in writing, so don’t leave unknown charges to languish. Staying alert and informed is your best defense against holiday scams and the best way to keep the season joyful and secure. So be vigilant and check your transactions regularly.





Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.