Ah, the holidays—that most wonderful time of year when the Web is aflutter with e-mailed season's greetings, online shopping offers…and cyber criminals. The scams run the gamut, from fraudulent e-mails purporting to be alerts about online transactions to scam gift offers. "There is always an effort by the criminal underground to separate victims from their money this time of year," says Paul Ferguson, an advanced threat researcher with Trend Micro, a security software provider.
Cybercriminals know it's easier to get people to fall for scams related to online shopping when they have shopping on the brain. It also doesn't hurt that the legitimate act of online shopping often involves visits to comparison-shopping sites and strange discount sites. So it's little surprise that some of those destinations turn out to be fake. "People are particularly vulnerable this time of year because they are looking for bargains," says Bill Loesch, chief technical officer and co-founder of GuardID, the maker of a device, similar to a USB memory stick, that stores account information and verifies the identity of financial sites.
The rising popularity of online shopping makes for a target-rich environment. Consumers have spent about $25 billion online since Nov. 1, according to a Dec. 20 comScore (SCOR) study. That's a 19% increase from last year. Security firms expect a similar increase in the amount of online fraud, bringing the total amount lost online to $3.6 billion this year, according to a November survey by CyberSource (CYBS), an electronic payment and risk management firm.
So what can consumers do to protect themselves from unwittingly buying someone else's holiday gifts this season? For starters, they can keep an eye out for the following common holiday scams:
You've probably heard the one about the Nigerian bank manager who needs your "confidential" help opening a U.S. account to transfer millions in oil-related profits. But those "dear friend" e-mails are fairly primitive compared with some of the devious phishing techniques criminals have come up with to trick consumers into handing over account information.
In fact, phishing attacks have become more successful in recent years. According to a survey by research firm Gartner, released Dec. 17, more than 3.6 million adults lost money as a result of phishing in the 12 months ending in August, 2007. That's up from 2.3 million people in 2006.
One reason for the increase is the ingenuity of the scams themselves, which can look identical to legitimate notices from financial institutions such as Citibank (C) and PayPal, the leading online payment service from eBay (EBAY). Many of these e-mails open with warnings of imminent account cancellations or detection of fraudulent activity, which can make consumers more likely to click a link in hopes of rectifying the problem.
But the link typically directs to a fraudulent copycat site or downloads malware—software that scoops up account and other information—onto the computer, says Shane Keats, a research analyst with McAfee (MFE), a security software provider. "At some point this season you will get an e-mail saying that your auction account has been hacked and you must respond now," says Keats. "Don't panic.… It is not real. The auction sites and the banks don't send that information by e-mail."
For instance, phishing e-mails purporting to be from PayPal often begin with "Dear PayPal user" or "Dear PayPal member." On its Web site, PayPal says it uses first and last names of customers when sending them e-mails; anything without the full name is a scam. PayPal also has an e-mail address, firstname.lastname@example.org, where users can report notices they suspect are fraudulent.
The key to avoiding these scams is to avoid clicking on such e-mail links altogether. For consumers who do open such links, Keats says that if the URL is unusually long or consists of all numbers, it likely isn't legitimate. Misspellings on the site and grammatical errors are also giveaways.
Even sites without such obvious mistakes can be fraudulent. "Honestly, it is very hard to tell," says Keats. Not surprisingly, he and other experts from security outfits say the best way to avoid such sites is to download their security software. Many security companies, including McAfee, offer basic security software, or at least limited-time trials, for free online.
Gift cards are a wildly popular way for many retailers to take advantage of the desire to purchase a present rather than buy an item someone will only want to return. In recent years, they have also become a favorite means for criminals to launder money, says David Gilles, director of the anti-money laundering group of Deloitte Financial Advisory Services.
Here's how it works: A criminal uses cash earned by illicit means to buys a number of stored-value cards, such as phone cards or gift cards, to condense the funds and make it easier to hide the source of income. He can then use the cards for transactions under the guise of redeeming a gift from some legally employed friend. More often than not, however, the criminal sells the cards to other people, often at a slight loss. This allows criminals to obtain a more legitimate source of funds, such as a personal check or online bank transfer, which can be used to open a bank account. Consumers who buy the cards, often through online auction sites, believe they are getting a deal.
Online gift-card buyers also risk purchasing cards that someone else has access to. Thieves can rip off the gift-card number while it sits in a store display and when the proper owner uses the compromised card, the funds have often already been spent. One way around this is to avoid buying gift cards off the rack where other people clearly may have had access to them. Gift cards for major retailers are typically not on display.
It seems particularly heartless for criminals to take advantage of the increased generosity many exhibit during the holidays. But if criminals had big hearts, they wouldn't be trying to steal your money, right? "What you will see is stuff [such as e-mails] from your favorite charity, or a charity that you may not have even heard of but it sounds very compelling," says McAfee's Keats. The e-mails typically link to a fraudulent charity site where visitors can submit their account information or credit-card numbers in order to give funds.
"Win a Free Gift" Sites
Keats calls these sites "breakage" sites. There actually may be a prize at the end, such as a free iPod, but 99% of consumers will close their Web browser before they ever get close to the prize. Owners of such sites make sure that they have included enough hurdles to jump through, such as signing up to receive weekly astrology e-mails or a free trial magazine subscription, to frustrate most consumers.
While not technically a scam—there is, after all, a prize at the end—such sites are designed to ensure that users provide their personal information to spammers and other unknown sources for little chance of a payoff.
Programs that monitor the letters and numbers that people type into Web sites are a particular threat during the holidays. Typically, such programs are unwittingly downloaded by PC users who visit virus-ridden Web sites, open an infected e-mail attachment, or even click on a compromised ad with an embedded virus. Web surfers are not necessarily any more likely to download such programs during the holidays, but they are more likely to be entering financial information into myriad shopping sites. "It's not what you catch today, it's what you caught in September that can hurt you now," says David Perry, Trend Micro's global director of security education.
The best advice to avoid many of these scams, of course, is to exercise common sense. "The Web is the same as real life," says Keats. "If it sounds too good to be true, it is."