We all can’t help but do more shopping than usual around the holidays, and cybercriminals know this. Especially with the popularity of online shopping, there are huge opportunities for unscrupulous scammers, hackers, and other crooks to take advantage of the high volume of transactions and urgency of shoppers toward the end of the year. To help keep your holidays happy—and not ruined by identity theft or a stolen credit card number—here are a few security risks you might face while doing your holiday shopping, and how to avoid them.
Phishing Scams
The holiday season brings an uptick in emails from online retailers advertising gift ideas and seasonal sales, but not all of these messages are from who they say they’re from. Cybercriminals will take advantage of elevated interest in good deals by sending out phishing campaigns. These emails will appear to be from legitimate retailers, but are designed to get the reader to click on links that will allow the cybercriminals to steal credentials or infect the reader’s computer.
Be especially suspicious of emails offering massive discounts over the holiday season, even if they look legitimate at first glance. A few characteristics that might indicate a phishing scam include:
- Reference to a purchase or shipment that you don’t recall making.
- Prices that seem too good to be true, especially for products that have very consistent pricing, such as iPhones.
- Before clicking a link, hover the mouse over it. In a phishing scam, the destination URL will often be subtly different than the legitimate website it is pretending to be.
Be sure to mark suspected phishing scams as spam in your email app, rather than clicking on the unsubscribe button. As this blog post from Heimdal Security points out, scammers just want you to click a link, so clicking the unsubscribe button works just as well for them. In fact, it’s one of the more common ways that people get phished.
Point-of-Sale Skimming
Earlier this year, we published a blog post about the risks affecting point-of-sale (POS) terminals. With most stores facing their busiest time of the year around the holidays, the risks of compromised terminals are elevated. Here’s what we wrote in our original post:
POS terminals are the vulnerable endpoints of a company’s security infrastructure, often guarded solely by the divided attention of a cashier or sales associate. Because POS terminals are so exposed, it is relatively simple for thieves to distract employees and gain physical access for a few moments.
In some cases, the entire card reader will be swapped for a device that stores the data from every card that is swiped through it. This method depends on the thieves being able to return and remove the device in order to exfiltrate the data.
Another method, which has recently been seen in a wave of attacks against self-checkout terminals, is to place an ‘overlay’ skimmer on top of a card reader and pin pad. These devices look nearly identical to the genuine terminal, and use electronic components such as Bluetooth capability on the inside of the skimmer to transmit card data and PINs to a nearby device.
Be sure to read our entire post on POS risks to learn about more ways that criminals can compromise POS terminals and networks.
Good Password Practices
When creating accounts for online shopping, don’t make it easy for hackers to access your account, along with all the personal data it holds. Everyone should know the basic principles of good password usage by now. Use unique passwords for different sites, use multi-factor authentication whenever possible, etc. However, there is a shift in some of the conventional wisdom that you might not be aware of. In June, NIST published new guidelines essentially saying that when it comes to security, password length is more important than complexity. Complexity has long been considered imperative for password security, which is why most websites require some combination of lower case letters, upper case letters, numbers, and special characters. What the new research shows is that even a highly complex short password can be cracked using automated tools much quicker than a long password that only uses lower case letters.
But whatever you do, please don’t use any of the passwords on this list.
Happy Holidays from D3
We hope this post will help you stay safe from cybercriminals during a joyful holiday season. If you want to learn more about current cybersecurity issues, check out our latest white paper, where we share curated findings from five major cybersecurity reports.
