Bah humbug: Eight Holiday Phishing Scams And How To Avoid Them

Home-grown Canadian cyber-security thought leader Anne Genge, CEO of Alexio Corporation, says “these days we need to treat every email as if it’s evil until proven otherwise. Holiday times are hectic and cyber-criminals have perfected the ‘art of the scam’.”

The truth is that cyber-criminals couldn’t care less that it’s a holiday – they see it as an opportunity. Here are ten tips that you need to make it through the holidays without incident. After all, I’m sure the very last way you want to spend your new year is on the phone, cancelling and replacing all your credit and ID cards because you’ve had your identity stolen.

1. Fake shipping notifications

If you get an email or text notice from Canada Post, DHL or FedEx about a parcel, think twice before clicking. You’ve probably ordered presents online, and hackers know this…they expect you to be too busy to look carefully. The click will often take you to a fake website where you get infected with malware, or they might ask for additional information so they can steal your identity.

HOW TO AVOID IT: Above all, don’t click on the link. Never give out personal information unless you’re certain you’re in the right place. The better option is to log into your email and find the original confirmation, or go straight to the retailer’s site to track the shipping status.

2. Letters from the North Pole

Preying on children at Christmas is pretty low, but because no one expects it, it’s successful.

In this case, there are some sites out there that quite legitimately will send your kids letters from Santa for a fee. However, scammers have been known to quickly build and market a site offering the same. After they’ve got your address and credit card info, they vanish into the dark web and no letter ever appears.

HOW TO AVOID IT: A great skill to have is knowing how to vet a website properly. For instance, you can search the name of the company with the word “scam” after it, and see if there are any hits from unhappy customers. Also, look for a physical address on the website under the contact info. Failing that, look for the privacy policy, which is usually in the bottom banner, and make sure there’s contact info in there, per law.

Above all, don’t share your or your child’s personal information. If you want to go above and beyond and have Santa encourage your wee one to keep up the good work, the Canadian Postal Service’s letter from Santa is free.

3. Fake confirmations

Occasionally – it seems coincidentally – you’ll get an email or text from a retailer that you’ve just shopped at. Who knows if it’s luck, or if either you or the retailer has already been breached and there’s a hacker with a foothold in one system or the other, monitoring online activity.

Once again, these links lead to a fake website that asks for more information. Alternately, they may ask you to click a link if you did NOT authorize a purchase – the goal here is to panic you quickly enough to get you to click before you think.

HOW TO AVOID IT: There are often little hints, such as poor grammar or errors in spelling. As well, if the logo seems blurry, that’s because they’ve copied the low-res picture online to set up their trap. Stay calm, don’t click. Type the URL into your browser yourself to check on the status of your account. Never provide a username, password or personal information from a link-click.

4. Lookalike websites

’Tis the time of year for marketing email blasts! Unfortunately, there are so many email addresses available on the dark web that it’s an easy matter for a hacker to buy a cheap list and throw together a lookalike website for a major retailer. They create deals, discounts, free gifts or gift card bonuses to convince you to make a purchase. The bad news is that now they have your credit card number (as well as your email) and you never get your purchases.

HOW TO AVOID IT: If you see a good deal, it may be too good to be true. Find the retailer in a good old-fashioned web search, and compare the deals they have. Anytime you want to purchase something from a website, make sure the URL begins with “https” – this tells you the connection to the site is encrypted, though a lookalike site can use “https” as well, so it is not proof on its own that the site is genuine.

5. Bogus charities

It’s unconscionable that people would steal the money right out from under a charity, but that’s what happens. At the end of the year during the holiday season, people are often feeling a little more generous, or they may have a little money left in their donation budget that they want to forward to someone who needs it.

Cyber-criminals will use social media posts to take you to a fake website. Sometimes you’ll get a plea for urgent assistance through an email. These often suggest payment in ways that are not traceable, for instance cryptocurrency, a preloaded credit card or a wire transfer.

HOW TO AVOID IT: They often use a name similar to a legitimate charity, so be sure to check the Government of Canada’s List of Charities. Alternatively, do a Google search for the name they’ve given you with ‘scam’ to see if anyone has already reported them.

If you do decide to share your holiday spirit by donating to a charity in need, look for the charitable tax number, and only pay using traceable means.

6. Social media gift exchanges

It sounds like a fun adventure…a broadening of the traditional Secret Santa gift exchange. It’s set up on social media, where you’re lured into sending a gift to one person, and promised 24 or 36 gifts in return. However, this is a scam built around a pyramid scheme, and it’s designed to be a quick way for the scammers to get your personal information.

HOW TO AVOID IT: Honestly, your grandma was right: if it sounds too good to be true, it probably is. If you like the idea, set up your own gift exchange amongst your friends and avoid phishing schemes altogether.

7. Family emergency scams

Cyber-criminals will often contact older family members through social media – a forum not all parents or grandparents are comfortable with – and prey on their fears. They create fraudulent accounts for young family members, and tell an involved story about being in trouble and needing money.

As an alternate route, they may simply pose as a lawyer representing the relative, and request a wire transfer or gift card purchase to cover bail, an emergency plane ticket, or foreign legal fees.

HOW TO AVOID IT: If you get contacted about a family crisis, reach out to other family members to corroborate the story before responding. A good idea is to get the relative’s legitimate contact details from someone you trust (or another family member), and reach out to them yourself for confirmation. If you’re still suspicious, ask them for personal information that ONLY a family member would have known, like the name of their stuffed bear when they were young.

8. Phony e-cards

Just like the infamous Trojan Horse, these e-cards send you friendly greetings in order to plant a virus in your computer, or perhaps to get information out of you.

E-cards used to be far more popular than they are now, but they are still shared, so this is one to look out for during holidays (including Thanksgiving and birthdays).

HOW TO AVOID IT: Don’t click the link unless it comes from an e-card website service you recognize and can legitimize online. Double-check the name and email address of the sender before you click, and never click on a file that ends in .exe – this is how viruses are downloaded into your computer.

Education for all

One of the best ways to stay safe from the rampant cyber-crime out there is to stay informed. As certified cyber-security professionals, we consider it our duty to help the public to better protect themselves from hackers and scammers.

That’s why Alexio offers free training to anyone who wants it – just follow our social media accounts on Instagram, Twitter, Facebook or LinkedIn and that will help to keep you in the know. We post examples of phishing tactics as they pop up and gain traction so that you don’t fall for them.

We also have a free micro-training series to get you up to speed quickly – in one or two minutes a week – that you can pass along to loved ones (or businesses!) who you worry about.

Just remember: stay aware, stay safe, and enjoy the holiday season!

Anne Genge, CEO Alexio Corporation

Anne Genge is the CEO and co-founder of Alexio Corporation. She and her team of certified privacy and security professionals help dentists, physicians, and other healthcare providers to secure their data & systems, and comply with privacy laws & college mandates. She is a firm believer that good training in cyber-security is the key to protecting not just her family and clients, but also government bodies and major corporations. To this end, she has partnered with many organizations, including the Canadian Dental Association, to produce training in order to reduce the frequency of human error resulting in a security breach.