'Tis the Season for Holiday Scams

Cybercriminals are preparing for the holidays with stealth, and they’re determined to take advantage of distracted consumers. In this second installment of a two-part article on holiday scams, more cybersecurity professionals provided CU Times with details on scams credit union professionals and members should watch out for.

Rebecca Herold, founder of SIMBUS and CEO of The Privacy Professor:

• USB charging station skimmers: Cybercriminals can quickly (in less than a second) and discreetly install skimming devices into charging station ports that will copy all the data and other files from the devices using them, or load malware or ransomware onto those devices. “Use a standard power outlet whenever possible to charge because cybercrooks cannot compromise these very easily,” Herold advised.
• Credit card skimmers and shimmers: These can be quickly installed and will capture all the credit card data from those using them. Skimmers often snap over the credit card reader, but are sometimes inserted within the credit card reading device; ultra-thin shimmers, which take data from chipped credit cards, fit inside the reader.
• Malicious apps: “Cybercrooks know most people are gullible for fun, free apps, so they put out their own that will steal data from your phone, send and post messages on your behalf to a wide range of online sites, load malware on your phone/tablet/etc., launch ransomware and do even worse,” Herold said. Before downloading an app, ask yourself: Do the app providers have a professional website? Describe privacy protections? With whom they share your data? Include clear and validated contact information? If the answer to any of these questions, is no, do not download it.
• Phishing messages related to holidays and gifts: “Last year there were many holiday-time phishing scams where emails pretended to confirm Amazon orders targeting people doing online shopping. If you get a message that seems too good to be true, delete it.”
• Fraudulent classified ads, social media ads and auctions: Internet criminals often post classified ads or auctions for products they do not have. Do not provide credit card numbers, bank account numbers or other financial information directly to sellers you cannot validate through legitimate third parties.

Paul Bischoff, privacy advocate with Comparitech:

• If you see small charges on your credit card or bank account that you don’t recognize, don’t ignore them. After stealing card data, fraudsters will “ping” the card with a small charge to test its validity, then sell it to someone who will charge a lot more.
• Watch out for affinity scams. Scammers prey on people with good intentions by posing as charitable organizations. They may take a large commission or simply pocket all of the money.
• If a deal sounds too good to be true, it probably is. If a vendor on a marketplace like Amazon or eBay asks to communicate outside of those marketplaces’ official channels, do not do it.
• Watch out for phishing emails. Scammers send emails posing as your financial institution, a retailer or even a government agency. These emails try to instill a sense of urgency in victims. Do not click on links in unsolicited emails. Always check the domain of the sender’s email and of the website.

Sherri Davidoff, CEO, Brightwise:

• Infected e-cards: “Criminals love to send cute Thanksgiving, Christmas and New Year’s e-cards, which entice you to click a link – but once you do, your computer is infected with malware that can steal your online banking credentials, credit card numbers and more,” Davidoff said.
• Gift card scams: “Scammers impersonate your CEO or another executive, and send emails or text messages to the office manager, executive assistant or other staff, asking them to purchase gift cards.” The victim sends card details to the scammer, who steals them and cashes out.
• Fake retail deals: “Cybercriminals love to lure consumers into clicking on fake offers. Often, these phishing emails perfectly mirror real email blasts sent by Amazon or other big names. To be safe, do not click the link – instead, type the store’s address directly into the address bar.”
• Point-of-sale and ATM skimmers: “Criminals can place skimmers to steal credit or debit card numbers as you swipe. They can also overlay a keypad to capture PIN numbers. Check card readers and PIN pads carefully for unusual signs such as cracks, loose parts or scratches. If you notice anything suspicious, do not use that machine.”
• E-skimming: Criminals break into third-party software providers to inject malicious code designed to steal customer payment data into thousands of websites at once. Merchants can defend against this by carefully vetting third-party code.

Anurag Kahol, CTO and co-founder, Bitglass:

“Black Friday and Cyber Monday present a great opportunity for retailers to collect customer data,” Kahol said. However, while ramping up efforts to collect this data, it is even more important to store it safely in order to meet data privacy regulations like the EU’s General Data Protection Regulation. “While complying with data privacy laws can be particularly challenging for small- and medium-sized businesses, the demands for SMBs are still the same as larger companies and they must take full responsibility for securing their customer data.”

Ben Goodman, CISSP and SVP of global business/corporate development, ForgeRock:

“The online holiday shopping frenzy that comes with Black Friday and Cyber Monday represents a great opportunity for consumers to give themselves a privacy checkup,” Goodman noted. “People tend to reuse passwords across multiple accounts, meaning that if one set of login credentials are exposed, the individual can become highly susceptible to accounts with much more sensitive information being hijacked such as banking, health care and even government portals.”

Alexander García-Tobar, CEO and co-founder, Valimail:

“Retailers recognize that email marketing is one of the most important tools for capitalizing on this massive sales opportunity, but it also represents a huge opportunity for cybercriminals to send phishing emails to consumers by impersonating popular brands.” These fraudulent emails come in many forms, including fake sales alerts and fake online order confirmations. “To prevent these attacks, brands need to protect their domains from both inbound and outbound phishing attempts with strong sender identity protection.”