Black Friday scams you need to avoid today
Between Black Friday and Christmas shopping, Americans are expected to spend a staggering $189 billion, according to Adobe Analytics. All that money changing hands means cybercriminals will be targeting both you and the online retailers you trust, now more than ever. Some hackers, like those who struck Macy's last year, hack into merchants' websites directly to try to steal your identity. Even more common, however, are scams that try to lure you away from legit sellers onto malicious sites or apps that often spoof familiar retailers like Amazon, Best Buy or Walmart.
Think we're exaggerating? Research from RiskIQ has identified nearly 1,000 apps using holiday-related terms the cybersecurity company considered malicious, plus over 6,000 apps using trademarked names and copyrighted slogans from popular retailers to fool you into giving up your credit card number. RiskIQ also identified 65 fake websites posing as popular retailers.
As always, your best defense against these kinds of schemes, scams, frauds and cons is to learn how to sniff them out as soon as you run into them. With that in mind, here's everything you need to know about how to not get duped this holiday season.
Fake websites and fraudulent apps go 'phishing'
In a phishing scheme, the victim receives an email or text message directing them to enter payment information or other personal details on a fraudulent website, which is often designed to look just like a legitimate site.
A survey by cybersecurity company McAfee reported that 41% of Americans fell victim to email phishing schemes in 2019. Unsurprisingly, a similar number -- 39% -- reported that they don't check email senders or retailer websites for authenticity.
To top it all off, 30% of respondents reported losses of $500 or more just in the last year alone.
If the data from RiskIQ is any indication, expect a surge in messages claiming to be from Amazon, Best Buy, Walmart, Target or other large retailers over the next few months. If you receive an email asking you to update your payment method or requesting other personal information, contact the company's help desk to make sure the email is legit before you do anything else.
Other ways to identify a phishing email, according to the Federal Trade Commission and StaySafeOnline.org, include:
Credit card skimming goes all-digital
Credit card skimmers that steal your personal information when you swipe a credit or debit card at the ATM gas pump (or other payment kiosk) have been around for well over a decade, but last year's attack on Macy's is an example of that same technology deployed digitally.
Essentially, instead of using physical hardware to steal payment card numbers, hackers inserted malicious code directly on Macy's website to do the same thing with online payment information.
Regarding online credit card skimming, Tim Mackey, principal security strategist for Synopsis, a digital security company, warns, "There isn't an obvious way for the average person to be able to identify if or when a website has been compromised. The only potential tell-tale sign might be that the website itself doesn't quite look 'right.'"
Mackey suggests a few strategies consumers can use to protect themselves:
Avoid the 'Secret Sister' gift exchange -- it's a pyramid scheme
Originating on Facebook sometime around 2015, this gift exchange among internet strangers plays off the popular workplace practice of "Secret Santa," a game where each person buys a present for one other, randomly selected person without anyone sharing their giftee. Instead, it's a pyramid scheme dressed up in holiday clothes, according to the Better Business Bureau. The "Secret Sister" exchange invitation promises you'll receive about $360 worth of gifts after purchasing and mailing a $10 gift for someone else.
Unfortunately, such bad math hasn't stopped this scam from resurfacing year after year. Not only will you probably be out 10 bucks when you don't receive any gifts in return, but the scheme also involves you forwarding personal details -- names, email addresses, phone numbers -- to people you've never met in person.
The Better Business Bureau recommends you deal with any request to become a Secret Sister by ignoring it -- do not give your personal details to online strangers. You can also report the invitation to Facebook or whichever social network you were approached on.
'Juice-jacking' fears may be overblown
The Los Angeles County District Attorney's office published a blog post last season advising citizens not to use USB charging ports in public places like airports and shopping malls, warning hackers could install "juice-jacking" software that downloads malicious code on connected phones and tablets, granting the thieves access to your personal information.
Although that is theoretically possible, as the urban myth-busting website Snopes points out, the changes of that actually happening to you are incredibly slim.
When TechCrunch contacted the LA County DA to ask how widespread the problem really is, the chief prosecutor's office could not confirm any actual "juice-jacking" cases on the books. One reason could be that most smartphones and tablets currently in use now have software in place to prevent exactly these kinds of attacks -- that's why your phone asks if you trust the connection when you plug it into a laptop or desktop to charge.
As long as shopping still exists, scammers and thieves will continue to try and rip you off. In the meantime, the best you can do is to stay ahead of their trickery and protect yourself with knowledge. For more strategies for getting through this fun but stressful season, check out our Holiday Thrive Guide. We've compiled the best tips and tricks for how to enjoy Thanksgiving safely, according to the US Centers for Disease Control and Prevention, how to get the most out of your Amazon Prime membership and how to return Amazon purchases the right way.