COVID-19 lockdowns, working from home and the run-up to the holidays have led to an unprecedented increase in online shopping ̵
Thanks to COVID-19 and the lockdowns, 2020 has become the best year ever for online shopping. We already loved shopping online – no crowds, no travel, no hassle – but this year convenience was overtaken by practicalities as the main benefit. Living in an enclosed space and through periods of self-isolation, no non-essential shopping and many stores closed due to staffing issues, online shopping became a lifeline for many.
Amazon has reported that their third-quarter sales were $ 96.15 billion, an increase of 37 percent. It forecasts revenues of $ 112 billion to $ 121 billion for the fourth quarter. As we approach the holidays, online sales will rise again. Amazon reports that Christmas shopping will already be underway in November.
Of course, online shopping is much more than just Amazon, but it is a useful measure to showcase the trends. Many consumers are still too scared to shop in the store. They are alarmed at the thought of crowds, they do not believe social distance guidelines are adhered to, and they suspect that many will not wear masks. It’s so much easier to shop from home.
If you are one of those who don’t work from home, you can order online and have your goods delivered to your work place. If you’re not there to sign for it, one of your colleagues will sign for it and take care of the delivery for you.
That is the only drawback to online shopping. The delivery.
At some point, the millions upon millions of online purchases have to leave the digital world and become a reality in the physical world. That only happens when your order arrives. Waiting for a delivery can be stressful. Especially when it concerns an important delivery. It may not be because the item is expensive, it may just be that you trust the item to be delivered to you on time so that you can pack it up and give it to the recipient on their birthday, your anniversary, or some other real estate deadline.
It’s easy to have an insidious inconvenience when you’re waiting for a delivery. Is it too late? Was it delivered to the wrong address, or did something go wrong and it hasn’t even been shipped yet? Has there been any delay due to the payment clearance?
And that’s where our opportunistic and seasonal threat actors come into the picture. With millions of online sales, there are millions of deliveries. That’s a lot of people who wouldn’t be too surprised to receive an email about their delivery. So the threat actors make use of that expectation and send as many people as possible an e-mail that is a wolf in sheep’s clothing.
Phishing emails are fraudulent emails that appear to have been sent by a recognized or trusted entity, such as a bank, a business, or an online payment platform. The more sophisticated attacks require great efforts to create an email with the same look and feel as a real email would have. They want it to have the right tone, the right color scheme and to be convincing. They want the recipient to believe the email is real and click on a link or open an attachment.
The link leads to a bogus website that will try to collect login credentials or infect your computer with malware. If there is an attachment, it contains malware, usually in the form of a small dropper or downloader program. This will install itself in the background and then download the larger and more harmful malware, perhaps a Remote Access Trojan (RAT) or one of the many ransomware threats.
Threat actors react very quickly to trends. They can re-skin an existing scam and wear it out in this season’s colors in no time. The easy way to hide them is to make them look like they came from a carrier – because they know millions of people are waiting for a delivery. They may also appear to be from a payment service such as PayPal and claim that there is a problem with your payment. But not everyone uses PayPal. And if you don’t, you will know right away that this is a scam. But if you are waiting for a delivery, you know it will involve a courier.
Taking advantage of the phenomenon of widespread delivery anxiety, threat actors hope that the average recipient will see an email about their delivery, a mental sigh of “Oh no!” Will gasp and then click the link or the attachment will open without stopping to check – or even consider – that the email might not be real. And so delivery anxiety takes precedence over basic cyber hygiene.
Associated with phishing is smishing, which is phishing via text messages. Since text messages are a short and sweet medium, you don’t have to think about the appearance of the message. An SMS looks like an SMS regardless of who sends it. The threat actors don’t have to worry about finding the right font, logo, voice and tone. And the low character limit means that shortened URLs are the norm in text messages, so they don’t arouse suspicion.
RELATED: PSA: Beware of this new text message delivery scam
Everyone is a target
Using email addresses from the vast databases of the compromised personal information found on the Dark Web, the threat actors can send their fake emails to literally millions of recipients. You will not be chosen. You are a target simply because your data happened to have entered a data breach at some point in the past. This is not sniping. This is blind machine guns and then see who got hit.
You can easily check if your email has been exposed due to a data breach. The Have I Been Pwned website collects all data breaches and places them in a searchable online database of more than 10 billion records. If your email address is found in the database, you will be told which company or website the breach took place on. You can then change your password on that site or close your account.
However, there is not much you can do about your email address. Once it’s there, it’s out there. And it will likely be included as part of the ammunition that a threat actor puts into their phishing campaign software.
The same principle applies to mobile numbers. Data breaches that leak personal data often include cell phone data. These are then used as target numbers for the automated text messaging software used by the threat actors.
RELATED: How to check if employee emails are in data breaches
Why organizations should be wary
There is a blur between the digital life of people at home and the digital life of their company. People bring their own devices, such as cell phones, to their workplace and connect to Wi-Fi. They make their online purchases from home, but often choose to have it delivered to work if they are there during the day.
That means if a phishing email masquerading as an email from a carrier ends up in their business inbox, they won’t be surprised. Their interest in the delivery is likely to override their staff’s awareness training on how to spot phishing emails.
They may receive the phishing email on their mobile phone and forward it to their business email for printing, or handle it on a large screen and a real keyboard. They can use their company computer to jump to their personal webmail during lunch. Regardless of the route a phishing email takes to get into someone’s corporate inbox or company computer, your organization’s network is at risk of being infected and compromised.
How to recognize attacks
These actions help protect your staff – and your network – from phishing and smishing attacks.
- Are you actually expecting a delivery? Can you justify what you have ordered?
- Check the sender’s email address carefully. Does it have the domain you would expect? If not, then be suspicious. Often times there can be a difference of a single letter. There are some well-known examples of this. One seemed to say ‘microsoft.com’, but the first ‘m’ was replaced with two letters ‘r’ and ‘n’. At a glance, ‘rn’ looks like ‘m’. The second example was ‘apple.com’ with the lowercase ‘l’ ell, replaced with a capital “I” aye. In some fonts these look exactly the same. So look carefully at each letter of the email address. Do not look at it or read it.
- Treat links as possible traps. Hover your mouse over them and check the tooltips to see where they want to take you. You can have the text of the link say whatever you want. That doesn’t mean the link actually points to that. If in doubt, do not use the link. Do a web search and navigate to the site manually.
- Despite their best efforts, threat actors can still make mistakes with grammar and spelling. Real emails don’t contain these kinds of errors, especially if they come from automated systems. If it looks wrong, it is wrong.
- Do the graphics and color scheme look professional, or do they look like someone used cut and paste to put the images down and don’t quite match the version of white in the background?
- No creditable organization will ask you to provide passwords, account information or other sensitive information.
- Keep in mind that the data breaches that the threat actors use as a source for email addresses and mobile numbers also contain other personal information. So it is easy to use your name in the email or text message. Just because it mentions you by name isn’t an indication that the email or SMS is genuine. You still need to be on your guard and careful.