Featured Article : Christmas Cons
In this article, we take a look at some of the latest known online scams so that you can avoid falling foul of cybercriminals this Christmas.
Christmas – A Great Opportunity For Scammers
The extra spending at many different online shops, often for large amounts, and the requirement for delivery before the big day makes Christmas the ideal time for scammers to play with and exploit the fears of shoppers. For example, Action Fraud figures show that 28,049 shoppers were conned out of their money when shopping online over the Christmas period last year.
A Different Approach
Today’s attackers would much rather log in than hack in and are, therefore, favouring the types of scams that fool their victims into giving-up their information, rather than going through the complicated and time-consuming process of hacking in the ‘hard way’. Also, whereas in previous years criminals have used stolen card details to make payments, now they are trying to trick customers into authorising a payment to an account which they control.
Here are some examples of the most popular Christmas cons this year.
Parcel Delivery Scams
This type of scam became super-popular during the pandemic lockdowns when more people started to order more of their goods online and is designed to extract/steal personal details. Christmas is THE time of year for parcels thereby making it the ideal time of year to operate this most popular of ‘smishing’ scams.
This particular type of smishing scam works in the following ways:
– The attacker sends a text/SMS message purporting to be from a reputable company, in this case, the Royal Mail or a parcel delivery company/courier service e.g., DPD, FedEx, or Hermes. The message states that (for example) either a parcel delivery has been missed and delivery needs to be re-scheduled, or there is an ‘outstanding shipping fee’ that needs to be covered before the parcel can be delivered.
– The recipient, who may be expecting a parcel delivery or several (and doesn’t know when) is fooled into clicking on the link in the text message. This either sends the attacker personal information (credit card number or password) or downloads a malicious program/malware to the victim’s phone or other device. The malware can be used for snooping on the user’s personal data or sending sensitive data silently to an attacker-controlled server.
Fake Charity Appeals
These scams take advantage of strong emotional responses and the desire to help those less fortunate or in need at Christmas. Action Fraud data shows that £1.6m of the public’s money was lost to online charity fraud over the past year. These scams work in the following way:
– Victims are contacted by email by scammers using a legitimate charity’s name and appealing for a donation.
– Clicking on a link to donate can direct victims to a bogus/phishing page to extract their money and/or can download malware.
Gift Card and E-Card Scams
Gift card scams involve the scammer sending the victim an email, pretending to be from a friend asking to buy gift cards for them. The idea of the scam is to obtain the code on the card to spend the money.
Also, scammers send e-cards that are infected with viruses/malware e.g., ransomware. A healthy dose of suspicion coupled with good, up-to-date anti-virus protection can help reduce the risk posed by these types of scams.
With so many people shopping for presents online, often at shops that are unfamiliar to them, these scams can be convincing and can catch consumers out. Scammers set up fake websites offering gifts and services that don’t exist. They are designed to steal personal details and money. It is worth noting that secure website addresses start with ‘https’ and display a locked padlock (although some cybercriminals are now able to add secure certificates to their websites). Sticking to known websites and a good degree of caution and scrutiny are, therefore, advisable to be extra-safe.
Most shoppers have an idea of how much their favourite brands and sought-after presents are likely to cost. If products advertised online (shops, platforms, or in emails) appear very cheap, it could be that they are counterfeit goods being sold in shopping scams. Counterfeit goods are likely to be sub-standard and potentially dangerous. It is likely to be a case of “if it sounds too good to be true, it probably is”.
The Bank Scam
This common money scam is operated throughout the year but is likely to be particularly effective at Christmas when people purchase more items from a wider range of sellers. This scam, which is designed to steal all the victim’s savings from a bank account, works in the following way:
– A fraudster may call, send a text, or email, claiming to be from the victim’s bank reporting suspicious activity on their account e.g., a fraudulent or unrecognised transaction. The tone is urgent and serious, designed to cause fear, thereby prompting an emotional reaction before any critical thought can take place.
– The victim is urged to click on a link in an email to a report. This is used to extract personal details. The victim is urged to move their money quickly to a bogus ‘safe account’, supposedly set-up by the bank. In fact, it is an account set-up/used by the fraudster. Once transferred, the victim’s money is moved immediately.
Refund scams/windfall scams are designed to use a strong emotional response and the lure of fast, easy money to trick victims into parting with their personal details and leaving themselves open to more attacks. Refund scams work in the following way:
– The victim is contacted (e.g. by recorded phone message, SMS, or email) by scammers pretending to be from legitimate companies or agencies (e.g. the victim’s broadband provider, bank, or HMRC).
– The victim is informed that a refund is waiting for them, and they are instructed to click on a link to claim it (or call a number, which is a phone operated by scammers).
– Clicking on the link downloads malware onto the victim’s phone or computer, which can be used to steal personal information, act as a gateway for further attacks, and/or slow down the device.
The Free Christmas Hamper Scam
As recently reported in the Birmingham Mail (from a warning by budgeting website Family Money) the Christmas hamper scam is designed to obtain a victim’s personal details i.e., full name and home addresses. These details can then be used to appear more legitimate in a follow-up attack at a later date which focuses on extracting financial information which could enable the scammers to empty a victim’s bank account. The scam works in the following way.
– Scammers call or email the victim claiming to be from a legitimate, reputable company using personal information to make it seem genuine.
– The victim is informed that they have won a Christmas hamper and their full name, address, and phone number (if emailed) are required for delivery.
– Once details are submitted, no hamper is delivered but the personal details are kept/sold-on and used for future scams.
The WhatsApp “Hello Mum and Dad” Scam
Action Fraud has reported that this scam has led to victims losing £48,356 from this scam on 25 different occasions between August and October, and Santander has reported a 532 per cent increase in this scam between August and November 2021. The scam works in the following way:
– Scammers posing as the victim’s children text their parents a different number on WhatsApp, claiming that they have lost or damaged their phone.
– The scammer asks for money to either pay for a new device or pay an urgent bill.
IT Support Scams
These scams are operated all year but can be particularly effective at Christmas when people are more likely to need their computer for online shopping or communicating with family members. This scam typically works in the following way:
– Scammers call or email the victim claiming to be working in a support role at a well-known tech company (e.g. Microsoft) or broadband provider.
– The victim is told that there is something wrong with their computer that needs fixing.
– The victim is directed to a fake website and instructed to click on a link and/or even asked for payment to fix the fault. Clicking on the link can download malware.
With Covid dominating the Christmas landscape again this year, Covid scams are likely to be used. An example of how this kind of scam works is:
– Scammers pretending to be from a local council or NHS or working as a contact tracer call the victim and tell them they’ve been identified as a contact of a confirmed case of COVID-19.
– The victim is then asked personal questions and perhaps even financial details.
There are many other popular scams in operation not just at Christmas but throughout the year including phone scams, romance scams, and numerous phishing and smishing scams.
How To Avoid Being Scammed This Christmas
Some of the ways to avoid the Christmas scams include:
– Be very wary of any message asking you for sensitive information.
– If you receive a message, don’t click the link and certainly don’t hand over personal details or payment information.
– Never click on any links inside a message, especially if it’s one you weren’t expecting, and don’t transfer any money to anyone you have merely just spoken to or received an email from.
– Stay alert, don’t allow yourself to be pressured, trust your instincts, and if something seems to be too good to be true or too out of the ordinary, then it probably is.
– Check the details of an email sender or on a website claiming to be legitimate for tell-tale signs of possible scams. For example, is the email address spurious, does the logo on the website look slightly off, are there spelling mistakes or is the wording strange?
– Remember that banks never use unsolicited calls to ask for personal details, pressure you to give information, or tell you to move your money to a safe account. If you receive a call out of the blue from your bank, hang up and if you would like to call them back to check, call the phone number on the back of your debit or credit card, using a different phone line.
– Remember that organisations like HMRC never send notifications by email about tax rebates or refunds, ask for personal or financial information in text messages, or use ‘WhatsApp’ to contact customers about a tax refund. They also do not use social media to offer a tax rebate or to request personal or financial information (a Twitter scam used this recently).
– If you receive obvious scam texts, forward and report them to 7726. This is a free service that looks into fighting scams. If you receive any kind of suspicious message, report it to Action Fraud either ( https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime) by calling 0300 123 2040.
– Action Fraud has launched a national campaign called ‘Take Five To Stop Fraud’ that is offering straightforward and impartial advice to help everyone protect themselves from preventable financial fraud this Christmas. See: https://takefive-stopfraud.org.uk/.
What Does This Mean For Your Business?
The threat ecosystem has evolved again over this year towards scams based very much on human error (e.g. smishing and phishing), plus businesses have also been targeted with more (sophisticated) ransomware and business email compromise (BEC) attacks. This threat evolution indicates that businesses may want to explore a more people-centric approach to cybersecurity to reduce today’s risks and, if they haven’t done so already, adopt a ‘zero trust’ approach to their cyber security. For businesses selling online, it’s a case of re-assuring customers as much as possible through signs of compliance, logos, social proof (testimonials), communication (social and website) and more. As consumers, we all need to be vigilant and maintain a healthy suspicion of anything out of the ordinary, trust our instincts and stick to our normal security practices (i.e. not click on links in unsolicited emails and not responding to or being pressured by unsolicited callers). Reporting scam attempts is also important to help protect everyone.