Beware of these Black Friday Email Scams – Criminals Phish Black Friday Shoppers for Credit Cards, Usernames, Passwords, and Anything Else They Can Scam
Black Friday email scams use many of the same email phishing tricks and tactics that we see all year. Undoubtedly, holiday email scams will be accompanied by some new variations as Black Friday, which officially marks the start of the holiday shopping season, ramps up. Recent data from cybersecurity researchers at McAfee stated that 41% of Americans fell victim to email phishing scams in 2019. A startling 39% of those surveyed reported that they don’t check email senders or retailer websites for authenticity.
The dark web has over 2.2 billion stolen account credentials that were available for purchase in the first quarter of 2019.
Black Friday is the first Friday after Thanksgiving and is historically the biggest retail sales day of the year. However, the holiday shopping season is much longer, spanning November and December until Christmas Day. It includes smaller shopping holidays like Cyber Monday, Small Business Saturday, and Green Monday (usually the second Monday of December).
Black Friday is still the busiest shopping day for brick-and-mortar stores, but foot traffic is declining according to the National Retail Federation. In-person retail sales declined nine percent in 2018 from 2017. That’s a larger increase compared to the previous year. Holiday shoppers may never abandon brick-and-mortar stores completely, but they do expect retailers to offer a convenient online way to shop.
Holiday online sales are expected to increase about four percent over last year. The average Black Friday shopper is projected to spend just over $1,000 each, of which $637.67 is for gifts with the remainder spent on food and decorations.
Enter the hackers and scammers who plan out their Black Friday email scams and spoofed holiday sale websites to steal money, personal information, and gifts from not so diligent online shoppers.
No business is immune, with Black Friday phishing email scams covering all sectors, from typical fake retail sales to credit card scams and even requests for fraudulent donations to non-existent charities.
Fraudulent Holiday Donations
Requests for holiday donations are not immune from hackers and scammers looking to steal money from well-meaning donors. During the busy holiday shopping season, keeping up with work, house cleaning, and preparing for guests, people who are in a hurry are not always careful with where they spend their money. Requests for seemingly legitimate-looking charity websites can come in the form of a phishing email and even spear phishing emails.
Be wary about any request for money in an email, even if it’s from an organization that you’ve donated to before, like the Red Cross. If you want to donate during the holidays, locate the website of the charity and give your donation there. Type in the website address very carefully. Hackers set up fake (spoof) websites that look exactly like their legitimate counterparts. The website address of the spoof website may only be one letter different than the legitimate version in hopes of tricking the viewer.
Spoofed website URLs can be easily missed if you are in a hurry and not reading carefully. A hacker can set up a website with just one letter difference in spelling and the unsuspecting consumer may never know the difference. It is easy to make the visuals look the same, especially when you only need one or two web pages to fool someone into giving you their login information or credit card details.
Regardless of the email scam or time of year, email recipients should always verify the person sending an email. Always avoid clicking on links in unsolicited emails. Never pay an invoice directly from an email or send any kind of login credentials. Check the email sender’s email address, then check it again. If the sender is asking for payment, verify their request with a phone call. Never download any file that you were not expecting. Even MS Word docs and PDF attachments can contain malware scripts and malicious downloaders.
Overdue Bills Phishing Scam
Black Friday phishing email scams can contain messaging to consumers about supposed overdue bills. Cleverly crafted email scams warn consumers that they have an account that is past due or an account balance they didn’t know about.
Some of these email scams may even be designed to look and feel almost identical to a legitimate email communication from a credit card, utility, or other account the consumer actually has a relationship with. If you receive an overdue bill phishing scam and want to make sure you haven’t missed a payment, go to the official website of that organization. Log in and check your account. Never click on any links in the email. Go to the credit card or utility website directly. Make sure you typed in the website address correctly and double check it before you log in.
Rectify A Discrepancy with Their Account
Another common Black Friday phishing scam prompts the recipient to rectify a discrepancy with their account. Again, this kind of phishing scam can come from any type of business, but it’s likely to come from a credit card, bank, or possibly even a work email as part of a BEC scam. The email may attempt to scare the recipient into thinking there’s a discrepancy with payment information, incorrect shipping details, or other erroneous order details.
Suspicious Activity Login Attempt
Suspicious activity email scams are not restricted to only the Black Friday period. This type of phishing scam scares the recipient into thinking there is suspicious activity detected on their account. Often the subject line text attempts to scare the consumer into thinking that someone has hacked into their account.
The body of this Black Friday phishing scam sends the reader some made-up details about supposed fraudulent activity on their account. The recipient probably has a relationship with the business cited in the email. The email body may contain details of an account charge or failed login attempt.
As with all email phishing scams, never click on any links in the email. Just go to the official website associated with the account and check on your account for messages. If you have doubts, call the company in question.
Tax scam emails increase right after Black Friday and holiday shopping season ends. As consumers turn their attention away from the holidays and start working on their tax returns, tax scam phishing emails ramp up. This type of scam email usually attempts to steal personal information like birthdate, Social Security number, address, and employer information. The goal of a tax scam email is identity theft, to file a fraudulent return, and steal a taxpayer’s income tax return.
Spear Phishing Emails
Spear phishing emails are targeted, more refined versions of broad phishing emails. Targeted spear phishing emails contain personal information about the recipient – usually at least their first name.
Spear phishing emails are focused on one or more individuals. Personal information about the target to use in an email is commonly obtained from social media profiles or work websites.
Using personal information like a first name or work details makes the email seem familiar to the recipient. That person is more likely to follow the directions in a spear phishing email – for example, click on a link or pay an invoice immediately – because they feel they know the sender.
PayPal Email Scam
PayPal is one of the top companies spoofed in a scam email. Hackers send PayPal scam emails to victims, scaring them into thinking immediate action is required. This type of phishing email prompts the scared recipient into clicking on a link to reset their password or send money. Since the PayPal emails are scams and not legitimate, the hacker then gets the login credentials to a PayPal address and transfers money to their own accounts.
Password Reset Requests
Scare tactics that prompt victims to reset a password are one of the easiest and most common types of Black Friday phishing emails. These scams may be easily confused with legitimate password reset requests. Recipients receive a phishing email that encourages them to reset an account password because of some supposed fraudulent activity, excessive number of login attempts, or other suspicious activity. The password reset scam may claim the user account is locked until action is taken to reset it.
Some phishing emails are very rudimentary and prompt the user to reply to the email with their username and password.
Sending a username or password in any email is something no one should ever do, even if it’s a legitimate email, for any reason.
Most phishing emails of this kind scare the user into clicking on a link which takes them to a spoof website. The spoof website has some input boxes that capture the victim’s login information when they try to reset their password. The login credentials are stolen and sent to the hacker. Often the spoof email and website seem extremely legitimate and visually resemble the business they’re trying to imitate. Spoof websites frequently use shortened links to disguise malicious links, files, and landing pages.
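A small link triage for the two tricks described above: spoof addresses that are one letter off from the real site, and shortened links that hide the destination. This is an added example, not code from the original article; the trusted and shortener lists and the sample message are constructed assumptions, and the last two host labels stand in for the registered domain.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for this example; a real deployment maintains its own.
TRUSTED = ("paypal.com", "americanexpress.com", "redcross.org")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap of neighbours) turning a into b."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_host(host):
    """Return 'trusted', 'shortened', 'lookalike:<domain>' or 'unknown'."""
    host = host.lower().rstrip(".")
    if host in SHORTENERS:
        return "shortened"
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Last two labels approximate the registered domain (no public-suffix list here).
    registered = ".".join(host.split(".")[-2:])
    for t in TRUSTED:
        if edit_distance(registered, t) <= 1:
            return "lookalike:" + t
    return "unknown"

def scan_email(body):
    """Classify every http(s) link found in the message text."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [(u, classify_host(urlsplit(u).hostname or "")) for u in urls]

# Constructed sample message, not a real phishing email.
SAMPLE = """Your account is locked. Reset your password: https://www.paypa1.com/reset
Holiday donation: http://redcros.org/give
Exclusive offer: https://bit.ly/3xYzAbC
Your statement: https://online.americanexpress.com/myca
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE):
        print(f"{verdict:28} {url}")
```

A "lookalike" or "shortened" verdict is a reason to type the official address by hand instead of following the link; "unknown" only means the host is not on the list, not that it is safe.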
New Credit Card Offers
Many credit cards are encouraging their customers to use their app to get rewards from their spending. My American Express card has some really good rewards, and now one of my other credit cards is following suit. I constantly receive credit card offers to get more airline miles for my holiday shopping dollars.
Be careful about these offer emails which include clicking on a link to download an app. If you want to take advantage of these offers, don’t click on the link in the offer email. Open a web browser and go directly to your bank or credit card website and find the new offers by logging into your account from the official website.
The American Express credit card phishing scam is one I see quite often. I get an Amex phishing scam email about once a month and it typically looks rather legitimate. The Amex scam email looks almost identical to the real emails I received from American Express. I always forward them to their fraud department. One call to a customer service representative at American Express taught me how to identify an Amex phishing email accurately.
There is one nuance that easily tells me that the emails are phishing emails rather than a legitimate Amex communication. Real Amex emails always contain the last 4 digits of my credit card number, the phishing emails never do. Regardless, even if I think it’s a legitimate Amex communication I just go to the app or the Amex website and look for the communication information there. I never click on the links even if I feel that the email is legit.
Use a Unique Password for Each Online Account
Don’t use the same password for all of your online accounts. If your login credentials are stolen from one online account, then the hacker will have credentials to other accounts.
If you use the same username and password for everything and it is stolen from one site, it’s easy for the cybercriminal to get into another account. For example, if a hacker gets into your Hulu, then they get your email address and payment information. Using a unique password for each online account will help protect your other logins and your money.
If it’s too difficult to remember a unique password for each account, then use a reliable password vault to generate and store usernames and passwords.
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers