HO HO OH NO! Holiday Scams Prevalent Across Social and Digital Media
The prevalence of scams and fraudulent activity may come as no surprise to savvy web surfers around the holidays. ZeroFox has previously shared tips to help identify counterfeit goods on online marketplaces during the holiday season, and the past few years have yielded no shortage of scams, brand impersonations, and suspicious domains as we shop for friends and family. This is the first of two blogs that will explore 2018 holiday scams, focused on helping you know what to look for (security-wise!) as you shop for those last-minute items!
The Naughty List: Impersonations and Giveaways
This fall ZeroFox investigated holiday-related fraudulent activity across five different industries: retail, technology, big box stores, airlines, and gaming. For retail, we looked at eight brands popular for holiday shopping; for technology, five; for big box stores, three; for airlines, seven; and for gaming, one top gaming brand. We focused on social media and digital activity from early to late November, and although scams don’t stop after Black Friday, we knew we’d see a lot of interesting and concerning activity beginning in November.
So what were the most common holiday scams we observed? We found that fraudulent activity across the social and digital landscape heavily involves impersonations and giveaways.
One of the most common types of fraud on social media and across the Internet, especially around the holidays, is brand impersonation. Fraudsters know online shopping is most popular during the holidays, and if they can get someone to click on a fake link—or follow a bad profile—they increase their chances of making a profit through stolen credentials, fraudulent payments, and advertising revenue. Attackers can advertise counterfeit goods, trick customers into paying for goods or services they’ll never receive, solicit customers’ credentials and personal information, or generate fraudulent advertising revenue. In this study alone, we found nearly 20,000 suspected cases of impersonation across 24 brands.
Of these cases, nearly 15,000 involved potentially fake websites. These sites have domain names and content similar to those of legitimate brands, so a customer who lands on one by mistake or through misdirection can easily believe they are safely browsing and interacting with a trusted website. Almost one thousand of these sites used international characters that look similar to English characters in their domain names to make their domains look legitimate to the naked eye; this is known as a homoglyph attack (read more about this in Part 2!).
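A defender-side check for the look-alike domains described above, as an added example that is not from the original post: it decodes punycode labels, maps a small constructed set of look-alike characters to ASCII, and flags non-ASCII domains that then read as a monitored brand. The brand label `example`, the `CONFUSABLES` table and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (assumption); a production
# check would load the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u03bf": "o", "\u0131": "i"}
BRANDS = {"example"}  # hypothetical monitored brand label


def to_unicode(domain):
    """Decode punycode (xn--) labels into the form a browser may render."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """Drop accents (NFKD) and map known look-alikes to ASCII letters."""
    chars = unicodedata.normalize("NFKD", text)
    return "".join(CONFUSABLES.get(c, c) for c in chars
                   if not unicodedata.combining(c))


def check_domain(domain, brands=BRANDS):
    """Return a finding if a non-ASCII domain reads as a monitored brand."""
    shown = to_unicode(domain)
    odd = sorted({c for c in shown if ord(c) > 127})
    hits = brands.intersection(skeleton(shown).split("."))
    if not odd or not hits:
        return None
    return {"domain": domain, "rendered": shown, "imitates": sorted(hits),
            "chars": [unicodedata.name(c, "UNKNOWN") for c in odd]}


if __name__ == "__main__":
    # Constructed samples: a Cyrillic "a" spoof in punycode form, and the real name
    spoof = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"
    for d in (spoof, "example.com", "m\u00fcnchen.de"):
        print(d, "->", check_domain(d))
```

The check matches whole labels only, so a brand name embedded in a longer label is not reported.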
The threat of impersonations also looms large across social media. In particular, technology, airline brands, and big box stores were at greatest risk. These impersonating social media accounts may deceive potential customers looking for information around the holidays. They might also push impersonating and potentially malicious links—perhaps even the impersonating domains we also found—or links that simply generate advertising revenue. In one case, an impersonating social media account put a link in its description advertising free airline tickets; the link simply directed the visitor to a third-party giveaway page!
Speaking of giveaways, one of the top holiday scams we found this year was giveaways for gift cards, merchandise, and other prizes. You may ask: are giveaways really scams? Don’t they advertise only a few winners? Giveaways can be legitimate, but many giveaways are thinly veiled opportunities to collect your personal information and potentially target you for other malicious activity.
Figure 1. A giveaway submission form that requests users’ names and email addresses.
Giveaways usually request personal information from the visitor, which then may be sold or used for malicious purposes. Participants in these giveaways might receive an email saying they’ve won a great prize, but here’s the catch: you have to pay a fee to receive this “prize”! And even if your information isn’t used for nefarious purposes, giveaways usually don’t yield the great prizes advertised.
Tips From the Pros: Online Shopping Around the Holidays
As we finish up our final days of shopping for the holidays—or take advantage of post-holiday sales—we can still find great gifts for our friends and family and avoid bad actors.
First, if you’re checking out a brand’s products on social media, make sure you’re on the right page. We have lots of tips and tricks to help you identify legitimate accounts on social media, such as looking at the account “About” section, looking for typos or grammatical errors, and checking to see if the account is “verified.”
Second, be careful about the websites you visit and buy gifts from. I love to find great gift ideas on social media, but when it comes time to actually buy a particular item, I separately search for the retailer to find their website, rather than selecting suggested links. I then search for the item I want on the retailer’s website. You should also make sure the website is operating over a secure connection (i.e., using the “https” protocol, which displays a lock icon in the address bar), especially if transmitting payment information. Although many phishing sites now use secure connections to fool visitors, it’s still a good idea to look for this at minimum: legitimate websites should use secure connections for transmitting sensitive information.
Finally, for merchants and retailers looking to help protect their consumers this holiday season, digital risk protection tools like ZeroFox can help find impersonators and scammers. Our platform monitors for impersonating social media accounts, impersonating domains, and common scams such as giveaways related to your brands. Let us help you protect your potential customers so they can spend their hard-earned money on your great products!