Fraudsters Unpack New and Old Holiday Scams
Industry insiders provide insight into the most popular scams cybercriminals are running this holiday season.
Here is the first of a two-part series presenting security specialist concerns.
John Buzzard, the Industry Fraud Specialist for CO-OP Financial Services:
“This holiday season is really going to be interesting to see how concentrated card-not-present transactions increase as more and more Americans shop online during the U.S. holidays. My concern is that the movement towards online shopping, which has been so incredible all year long, will also be weaponized by criminals, who may take advantage of the moment by masquerading as merchants, shippers and financial institutions.”
Buzzard also provided a heads up on other fraudulent activity:
- “Criminals leveraged one-time passcode scams for most of 2019. They combine a complex blend of personally identifiable information obtained from open source websites on the internet as well as through various illicit dark web merchants,” Buzzard noted. The scam, a recipe of spearphishing (the consumer is addressed by name) and technology (one-time passcodes, SMS messaging), involves scammers trying to convince consumers to divulge PINs, online passwords and logins. Best practice: “Financial institutions have to put forth a substantial effort to educate the consumer on what to expect from an authentic interaction with SMS messages, open communication and emails. There are often easily recognizable differences between a legitimate text message from a credit union and a fake one generated by a fraudster.”
- For those consumers not adequately protected by anti-malware and anti-virus software on their various devices, a keylogger application could embed itself and record every keystroke, capturing a bevy of login credentials and passwords. Best practice: Financial institutions need to promote account alerts and card controls. “If your member base is not adopting the simplest alerts you offer, then it may be time to incentivize adoption with promotions. It is essential that consumers establish stronger connections to their account activity,” Buzzard suggested.
- “Every financial institution in existence today should push a line of communication with their account holders that is underscored by the ethos of ‘Hang-up and call your credit union,’” Buzzard said. “Here is the common sense option: If contacted by someone pretending to be your financial institution and you are not sure of what to do – hang up and call your credit union.”
- Be sensitive and aware of members who call in to report a failed payment. “When reviewing account activity, you may see an authorized payment with no denials and sometimes you may not even see a payment at all that corresponds to the member’s inquiry,” Buzzard explained. The customer support specialist needs to be alert to the possibility that the member was duped by a fake Amazon employee who told them a payment did not go through and offered to manually expedite the order by taking the payment card information over the phone. Best practice: Be sensitive to conversations about payment or order problems that do not even appear to correspond with the member’s account records.
PSCU’s David Ver Eecke, senior fraud product manager, provided this checklist:
- Be wary of fake charities. Fraudsters are betting on you and your generosity this holiday season. Do your research before deciding to give to a charity.
- Fake purchase order confirmations. These scam emails confirm a bogus order on the way and a charge against your card. In reality it is a phishing email designed to get you to share your personal information to “dispute” the order or charge. “Always visit the merchant’s site directly to verify an order status,” Ver Eecke said.
- Emailed discounts and coupons too good to be true. “Everyone loves a great deal, especially around the holidays. Be careful of offers from stores that seem too good to be true. This is another phishing scam designed to collect your personal login information for retail sites.” Fake coupons will direct you to a cloned website page that will capture your login information and redirect you to the legitimate site.
- This holiday season will be another big year for ecommerce spending. “Porch pirates will be waiting to scoop them up. Having your items delivered when you are home, or to an Amazon Locker is a good way to thwart porch pirates.”
- Scammers are betting that you will fall for a scam that involves impersonating loved ones facing a travel crisis. They often target seniors, pretending to be a grandchild who is in trouble and unable to travel home, and request that money be wired to them.
Dave Baggett, co-founder and CEO of anti-phishing startup Inky, also offered warnings:
- Anybody can register a new domain on the internet, set up a mail server, and send mail to whoever they want. A bad guy can register a new domain that sounds plausible, like “amazon-black-friday-deals.com,” and send perfect-looking Amazon emails to anybody on the internet from that domain. How? The criminal just has to take a real promotional mail from Amazon, save it as an HTML file, and then resend it from his fake Amazon mail server. Baggett noted: “Sophisticated criminals will even set up their own fake Amazon websites to harvest your credentials when you click through their fake emails – you think you are logging into amazon.com, but you are really just giving your password to the crooks!”
- The bottom line is this: never click through any retailer or e-commerce email. Instead, go directly to the retailer’s web site via your browser, by typing in the retailer’s primary domain name. An email may look perfect, but it may be a forgery – and clicking links in that email might send you to a real-looking website that is also fake.
- With more malicious email getting through this season, consumers should be especially skeptical of emails that promise rewards in exchange for taking surveys, recommending items to friends, or giving gifts.
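The lookalike-domain trick Baggett describes can be caught on the receiving side before a user ever sees the link. The following is an added example, not code from the article or from any company quoted in it: a small Python filter that flags a From: header whose display name or domain mentions a brand while its registrable domain is not on that brand's allowlist. The brand allowlist and the sample headers are constructed for this example; a production filter would use the Public Suffix List rather than the crude two-label reduction used here.

```python
from email.utils import parseaddr

# Assumed allowlist for this example: brands and the registrable domains
# that legitimately send mail for them. A real deployment maintains its own.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Constructed sample From: headers (not real messages).
SAMPLE_FROM_HEADERS = [
    "Amazon.com <store-news@amazon.com>",                      # legitimate
    '"Amazon Deals" <promo@amazon-black-friday-deals.com>',    # lookalike domain from the article
    '"Amazon" <support@mail-deals.example>',                   # brand only in the display name
    "Newsletter <news@bookshop.example>",                      # unrelated sender
]


def registrable(domain: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels.
    Good enough for .com; use the Public Suffix List for real traffic."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def brand_impersonation(from_header: str):
    """Return the brand a From: header impersonates, or None.

    A header is suspicious when the display name or the sender domain
    mentions a brand but the registrable domain is not on that brand's
    allowlist (e.g. amazon-black-friday-deals.com, or 'Amazon' as the
    display name in front of an unrelated domain).
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registrable(domain)
    haystack = f"{name} {domain}".lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in haystack and reg not in allowed:
            return brand
    return None


def flagged(headers):
    """Return the subset of headers that impersonate a known brand."""
    return [h for h in headers if brand_impersonation(h)]


if __name__ == "__main__":
    for h in flagged(SAMPLE_FROM_HEADERS):
        print("flag:", h)
```

Alerting on the flagged headers, or quarantining them, supports the article's advice to ignore retailer email links entirely and type the primary domain into the browser instead.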
Look for more warnings in Part 2 of this holiday fraud compilation.