Cyber Monday 2020 set a record for e-commerce spending in one day, totaling $10.8 billion. With the pandemic raging on, many customers took to online stores to do their holiday shopping. While New Jersey COVID-19 cases have declined in recent weeks and vaccinations continue, I expect many people will choose to conduct their shopping online and potentially start shopping earlier than usual, given concerns for supply chain issues and shipping delays. Some predict that online shopping spending will total over $200 billion for the first time by the end of the holiday season.

Given that volume of e-commerce shopping, cybercriminals will continue to target online shoppers and marketplaces for financial gain. Therefore, it is vital to maintain awareness of the many cyber threats posed by these individuals and groups. Threat actors may target victims through various methods, including compromised or spoofed websites, phishing emails, social media ads and messages, or unsecured Wi-Fi networks. I’m going to present a list of common attack vectors, along with some tips and best practices that will help you to combat cybercriminals’ threats during this holiday season.

Magecart and Other Online Skimming Attacks

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Magecart attacks are conducted by many threat actors and are not specific to one group.

Once they steal payment card data, they can make fraudulent purchases or sell it on the dark web or other marketplaces. Cybercriminals are likely to continue to target online marketplaces this year. As such, I encourage you to use credit cards rather than debit cards because they often have better consumer fraud protections. Also, if you are especially concerned about fraudulent attempts on your card, you can consider enabling charge notifications for every card transaction. Enabling these notifications may make it easier for you to identify a fraudulent transaction as soon as it occurs. If you discover fraudulent activity on your account, lock the affected card, notify your bank immediately, and request a new payment card.

Be Wary of Links and Attachments in Unsolicited Emails

Around the holidays, you will likely receive emails from known retailers regarding sales and coupons, order confirmations, and shipping notices. Cybercriminals can create spoofed emails by stealing retailer branding to make fraudulent emails appear legitimate and may contain links or attachments that install malware or lead you to spoofed websites that steal your credentials. These emails may attempt to convey a sense of urgency — “Limited Time Offer!” — to prevent you from thoroughly inspecting the email for red flags. I urge you to avoid these schemes and go directly to retailer websites by typing the legitimate URL in your browser instead of clicking on links in emails. And please refrain from entering your login credentials on websites if you clicked on a link in an email that looks even slightly suspicious!

Take Caution with Social Media Ads

Everyone is blasted with ads as you scroll social media platforms. While many of these ads link to known, legitimate vendor websites, you may also be confronted with ads that link to malicious or otherwise suspicious sites that could be used to install malware, steal credentials, or sell counterfeit goods. Cybercriminals frequently employ URL shortening to trick people on social media sites and other outlets by hiding the true destination of a link. I suggest you use a URL expander (e.g., https://urlexpander.net) to reveal the true destination of shortened URLs before you visit any website and verify it is a legitimate vendor before making any purchases.

Look Out for Holiday-Themed eCards and Messages Meant to Install Malware

In the past, people have reported being targeted with various Thanksgiving Day-related scams. In some cases, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Last year, an Emotet banking trojan campaign was observed using Thanksgiving lures, with the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest and current events to conduct financial fraud and disseminate malware, I want to remind you to exercise caution with unsolicited emails, especially those with a holiday theme.

Do Your Online Shopping at Home

Avoid using public computers, such as those at a library or hotel, or public Wi-Fi connections to log in to your accounts or conduct online shopping. Miscreants could infect public computers with malware designed to steal your information, and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals. If you must connect to public Wi-Fi, use a virtual private network (VPN) to secure information transmitted between your device and the internet. Additionally, I advise you to refrain from using your office (or work) computer to make online purchases as cyberthreats could endanger company and customer information.

Beware of ‘Secret Sister’ Gift Exchange Scam

Many people enjoy participating in group gift exchanges this time of year; however, beware of potential scams. Social media posts promoting a “Secret Sister” gift exchange promise between 6 and 36 gifts in exchange for sending one gift. While this type of chain letter appears innocent, it is illegal and considered a pyramid scheme. The scam, detailed by the Better Business Bureau, begins by requesting the name and address of the recipient and their friends. This holiday season, only participate in gift exchanges with individuals you know personally and refrain from sharing too much (or any) personal information online.

Verify Charities Before Donating

It is common around the holidays to donate to charities, particularly those that provide goods or services to those individuals and families in need. You may be prompted to donate via solicitations received through email or social media; however, these could be promoting fake charities or impersonating legitimate charities. Prior to donating, research the charity through a nonprofit site such as https://charitywatch.org or https://charitynavigator.org for information on charity legitimacy and other details, such as the percentage of donations that go directly to the associated cause.

Be cautious with your online activities, think before responding to emails, and call me if you have any questions.

Thanks, and safe computing!