Black Friday deals are everywhere. Adobe Digital Insights predicts that 2019 will break records once again, with U.S. consumers spending $7.5 billion online on the day—Cyber Monday will be even bigger, nearing $10 billion. Some of the deals just seem too good to be true. One emailed promotion, for example, offers 80% discounts on designer sunglasses. Hard to resist—just click the link. Only it’s a scam. The email, the website, the links, all fake. And it’s one of many. This type of fraud is now so prevalent that experts advise you to avoid clicking on email links altogether.
In a new report issued on November 26, researchers at leading cybersecurity firm Check Point warn that the increasing risk from cybercriminals over the holiday season means we should modify how we shop online. In November 2018, the researchers say, there was a “significant increase” in phishing emails. Now, a year later, it’s even worse. When Check Point prepared its report in mid-November 2019, “even before the peak of Black Friday and Cyber Monday,” the team explains, “the use of retail phishing URLs had more than doubled—up by 233%.” A week later, by the time this article was published, that had jumped even higher, to 275%.
Just think about that for a moment—last year there was a huge spike in phishing emails over the holiday season; this year there are around three times as many again.
The U.S. sales season is a $144 billion bonanza, up 14% on last year, and running from late November to Christmas. Almost $30 billion will be spent just over the Cyber Weekend. This is a never-ending honeypot for cybercriminals. It’s so easy to slip scams into the mix, with fake emails, text messages, social media posts. “The bad guys can steal credit card details entered unwittingly by users,” Check Point explains, “or directly take your money through PayPal without ever sending the goods paid for.”
“We have seen a very big increase in the popularity of these kinds of attacks,” Check Point researcher Omer Dembinsky tells me, referring to malicious actors faking major retail sites. “Last year, it doubled from October to November. Then it went down and started to climb again towards November this year.”
So how easy is it? It starts with a “lookalike domain,” plausible enough to trick consumers. And don’t think these will be obvious and easy to spot. Many are served over HTTPS, so the padlock offers no reassurance. Many use long URLs padded with legitimate-sounding words (the retailer’s name, “official,” “black-friday”) in the path or subdomain, so the real registered domain is pushed out of view; on a mobile browser, where the address bar truncates, the giveaway part may never be visible at all. “A lookalike domain needs to appear close enough to a known domain to avoid raising the suspicions of prospective customers.” Fake domains are prolific. “More than 1,700 domains which look similar to the amazon.com domain have been registered in the past six months,” according to Check Point, “like ‘amaz0n-jp[.]com’ meant to give the impression that it is the authentic Japanese amazon site.”
The fake 80% discount Ray-Ban campaign, pictured below, was emailed to thousands of potential consumers from infected computers acting as bots, sending the emails from various locations around the world to bypass spam filters. Even the domain below was set up just before the campaign launched. Cybercriminals have adopted their very own just-in-time supply chain—much less chance of being caught.
“Some [attacks] are short-term,” Dembinsky explains, “luring you to a payment site. Others are long-term, stealing PayPal or card credentials they can use later.”
As I’ve reported before, the number of phishing emails now runs to billions—estimates suggest phishing accounts for up to 90% of all cyberattacks. And the holiday season is a prime target. We expect offers and deals, our inboxes are full. It’s easy for an attack to hide in plain sight. Check Point’s advice is clear. Don’t click on the promotional links in Black Friday (or Cyber Monday) emails. Instead Google the retailer and click on the real link. Then you can safely navigate to the sales pages and the offers.
As savvy as you might think you are, the best of these attacks have reached a level of sophistication that can catch you out. “The websites now look the same,” Check Point’s Dembinsky says, “it’s better to be safe than sorry.”
Beyond the “no click” advice, use common sense. Offers that seem too good to be true usually are. No one is going to offer 80% discounts on new smartphones, for example. And finally, check the website URLs that you’re accessing. This, though, is harder in practice—the part of a URL that matters, the registered domain the browser actually connects to, is not always obvious among the padding around it. Use a search engine to access a retailer’s home page, then access the sales—if there’s an email code, simply cut and paste it.
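The lookalike-domain tricks described earlier (digit-for-letter swaps such as amaz0n, the brand name dropped into a subdomain or a hyphenated label, long URLs padded with reassuring words) and the “check the URL” advice above can be turned into a small checker. The script below is an added example written for this page; it is not code from Check Point or from the article’s author. The brand watch list, the confusables table and the sample URLs are constructed for illustration, and the registered-domain step is a deliberate simplification (last two labels) that a real deployment would replace with a Public Suffix List lookup.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch list of brand domains to protect (assumption for this example).
BRANDS = ["amazon.com", "paypal.com", "ray-ban.com"]

# Substitutions seen in lookalike registrations: digits or letter pairs that read
# like the real letter, plus two Unicode confusables. Constructed for this example;
# a production checker would load the full Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
}


def decode_punycode(host):
    """Turn an xn-- (IDNA) host back into Unicode so confusables become visible."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def normalize(label):
    """Fold one host label so that amaz0n, amaz\u03bfn and amazon compare equal.
    Hyphens are dropped so ray-ban and rayban match as well."""
    label = unicodedata.normalize("NFKC", label).lower().replace("-", "")
    for lookalike, real in CONFUSABLES.items():
        label = label.replace(lookalike, real)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as amazn."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Simplification: the last two labels. Use the Public Suffix List in real
    code; this version misreads amazon.co.uk, for instance."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(url):
    """Return (verdict, brand, host).

    host is what the browser really connects to, however much reassuring text
    is padded into the path, query or leading subdomains."""
    host = decode_punycode((urlsplit(url).hostname or "").lower())
    reg = registrable_domain(host)
    if reg in BRANDS:
        return ("legitimate", reg, host)
    for brand in BRANDS:
        target = normalize(brand.split(".")[0])
        for label in host.split("."):
            norm = normalize(label)
            if len(norm) < 4:  # skip www, com and similar short labels
                continue
            # brand name embedded in a label (amaz0n-jp, rayban-sale,
            # amazon.com.secure-login.example) or one edit away from it (amazn)
            if target in norm or levenshtein(norm, target) <= 1:
                return ("lookalike", brand, host)
    return ("unknown", None, host)


if __name__ == "__main__":
    # Constructed sample URLs modelled on the patterns the article describes.
    samples = [
        "https://www.amazon.com/black-friday/deals?ref=email",
        "https://amaz0n-jp.com/black-friday/official/amazon.com/deals-80-off?campaign=bf",
        "https://www.amazon.com.secure-login.example/account/verify",
        "https://amazn.com/",
        "https://rayban-sale.example/80-percent-off",
        "https://example.org/",
    ]
    for url in samples:
        verdict, brand, host = classify(url)
        print(f"{verdict:10} brand={str(brand):12} host={host}")
```

The third column of the output is the practical point of the script: for the padded URL the host is plainly amaz0n-jp.com, not Amazon, however much “official” and “amazon.com” appears further along the string. Tune the edit-distance threshold and the minimum label length to the brands you protect; short brand names need a stricter rule or the heuristic will flag unrelated hosts.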
“Email is one of the best promotional channels, which is why it’s so open to fraud,” Dembinsky warns. “Retailers will continue to send out emails and fraudsters will keep taking advantage.” And the numbers are spiralling. “This week,” he says, “is already 30% up on last week.”