
Season Scam Survival: Safeguarding against common seasonal holiday scams

By Sundar Balasubramanian

Every year around this time, be it year-end or the Christmas season, most celebrants are eager to gather, express gratitude, and give gifts. Unfortunately, the festive season is also when scams start to skyrocket, souring the spirit of celebration.

Even if you’re a cyber scam prevention pro, take the opportunity to raise awareness about scams among your colleagues, friends and loved ones. In fact, with the arrival of IoT devices in the lives of digital users, cybercrime has exponentially increased due to the weak security systems we see in these devices, from karaoke machines and connected home appliances like vacuum cleaners and coffee machines, to digital wallets on our mobile phones, new and improved tablets, and even smart toys for your kids.

According to a recent industry survey, Indians demonstrate both cautious and risk-taking tendencies during the festive season: 88 percent check online seller ratings before making purchases, though 19 percent admit to being willing to purchase from a questionable website, with the average amount lost in India to holiday shopping scams coming to over ₹20,000.

Scammers target people in multiple ways, which we now explore to help you and yours avoid a heartbreaking holiday season.

10 common holiday scams and how to avoid them

  1. Deceptive social media advertisements. These direct users to fraudulent online stores that pinch credit card information and personal details. Falling prey to such schemes can result in monetary losses and identity theft.

How to avoid: To safeguard against scams involving social media ads and fake online shops, conduct research on a given store (look for customer reviews, ratings and testimonials from reputable sources), be skeptical of deals that seem too good to be true, install security software to protect devices, and monitor financial statements for any unauthorized transactions, reporting suspicious transactions immediately.

  2. Deceptive delivery notification texts can easily fool people who aren’t paying enough attention. These fraudulent messages falsely say that there will be a delay in shipping a product that you ordered, or they demand a payment fee under the pretext that it’s required for a package’s delivery.

How to avoid: To skip out on scams involving fake delivery notifications, verify the message source (confirm the legitimacy of the text message sender). Rather than clicking on links embedded in a notification, visit the official website of the delivery service; input the tracking number to access accurate and up-to-date information. Further, you can always contact a delivery company directly, using their official contact details, to verify the status of your package.

  3. Scammers have been known to create phony charities in order to profit or to steal personal information. Some of these fake charities have been observed on GoFundMe.

How to avoid: To steer clear of these types of scams, check on the legitimacy of the charity by investigating the charity’s website. For crowdfunding campaigns, confirm the authenticity of the cause and the organizer – look for details such as the purpose of the campaign, how the funds will be used, and see if you can get a sense of the organizer’s credibility.

  4. Fraudulent offers on airline tickets or scarce items. Numerous scams focus on the holiday surge in travel-related purchases or exploit the demand for sought-after products, enticing people to accidentally buy counterfeit tickets or merchandise.

How to avoid: Don’t fall victim to bogus deals. Ahead of making a purchase, research the seller and/or the website, exercise caution if the deal seems too good to be true (unrealistic prices, especially for tough-to-find items, can indicate a scam), ensure that the website has a secure connection (HTTPS, not HTTP), carefully read the terms and conditions of the deal, and trust your instincts.

  5. Watch out for phishing emails that mimic emails from reputable brands. Scammers sometimes try to pose as representatives of familiar companies (Amazon, Walmart, etc.). These deceptive emails employ social engineering tactics in an effort to illicitly obtain passwords, personal data and financial information. A recent example is shared here.

Our Check Point Research (CPR) team observed a malicious phishing email sent from the webmail address “amazon@somecards[.]net”, which was spoofed to appear as “Amazon” and carried the subject “You have cash remaining on your Amazon Christmas Card”. The mail content urged the recipient to click on a malicious link, which is now inactive.
The link – “us[.]farenheit[.]net”

How to avoid: Precautions such as reviewing sender information, remaining skeptical of unsolicited communications, and the avoidance of suspicious links can help. Verify giveaways or promotions by visiting an official company website. Install and regularly update reputable security software to enhance protection against phishing attempts.

  6. While job scams are a growing concern year-round, they tend to target individuals who wish to make extra income around the holidays. Fake job postings may promise substantial earnings for minimal effort. The scammers typically aim to pilfer personal information under the guise of a hiring process. Or, they try to deceive people into sending them money for ‘supplies and training’.

Here in India, it has been reported that around 56 percent of job seekers face scams during their job hunt, according to Hirect, a chat-based direct hiring platform, with millennials aged between 20-29 being most exposed to scams and fraudulent job offers.

How to avoid: To steer clear of job scams, people should exercise caution if there appears to be an unrealistic compensation structure. Also, individuals should be sure to confirm the legitimacy of the organization by checking its official details. Legitimate companies provide transparent and easily verifiable information online.

Further, a generic email address may indicate a job scam, as honest employers maintain a professional online presence. If a job requires payment for supplies or training, it’s best to avoid it. Don’t proceed with any job opportunity that raises doubts or concerns.

  7. ‘Grandparent scams’ predominately prey on senior citizens, and involve impersonation of a distressed grandchild. The ‘grandchild’ typically requests money. In 2022, nearly 400 senior citizens fell victim to grandparent scams, leading to over $4 million in losses.

How to avoid: People with senior relatives can warn them about this scam. Seniors should question urgent requests for financial assistance, especially if they involve wire transfers or gift cards. If in doubt, those on the receiving end of suspicious messages are encouraged to directly contact other family members, using known and trusted phone numbers, to verify the claimed situation.

  8. Hacking over public Wi-Fi is a persistent problem. While airports, hotels, cafes and other frequented locations may offer free public Wi-Fi, these networks are known for being easily hackable. Scammers leverage a method known as man-in-the-middle (MiTM) to intercept data.

How to avoid: Keep your credit card numbers, passwords and personal details private by avoiding the temptation to shop online while out-and-about. Shop from safe and secured networks only. If you’re concerned about your home network security, consider a VPN, which can encrypt your internet connection and protect data from interception.

If conducting a transaction while out, you may want to use your cellular data network for the transaction, rather than public Wi-Fi. Cellular connections are considered more secure.

  9. Connected IoT and mobile entertainment risks. If you have a seven-hour flight ahead of you, with a two-hour layover, a mobile game can make the time pass quickly. However, take care in choosing a mobile game – some may compromise device security. Or, if you are gifted an IoT device, be prepared to put stronger security measures in place. For example, with smart toys, cybercriminals could eavesdrop on your children; webcams could be used to record you while you change clothes; and voice assistants could spy on your home.

How to avoid: Before downloading any app, conduct a quick online search to gather information about it. Meticulously review the permissions that it requests. Note that a legitimate game should not require permissions to send text messages or to share information with third parties. To further protect your IoT devices, secure everything properly out of the box, use strong passwords and MFA, install firewalls, keep devices updated, eliminate unused IoT devices and, where possible, use a VPN. And if your child gets a new device, make sure you carefully educate them about the benefits and risks, help them secure the device, and help them understand what threats lurk online and how to respond in the event of an attack.

  10. Business email compromise (BEC) scams. Fraudsters have found success in impersonating company executives through email and text messages. These scams result in losses of billions of dollars annually. They exploit urgency and authority, attempting to persuade individuals to pay invoices for events like holiday parties or to respond to phony billing requests.

How to avoid: If you think that you might have encountered a BEC scam, check for red flags, look at the sender’s email address again, and confirm requests with executives (via separate and verified communication channels).

Further, keep software, operating systems and security systems up-to-date. Report suspected BEC scams to your IT department or other relevant persons. Efficient reporting can help prevent similar scams from affecting others.
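The sender review recommended for brand phishing emails (item 5) and BEC scams (item 10) can also be automated in a mail filter. The sketch below is an added example, not part of the original article or any Check Point product; the trusted-sender table, the executive name and the example.com/example.net addresses are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: display names (brands, executives) mapped to the domains
# allowed to send under that name. Maintain your own for your organisation.
TRUSTED_SENDERS = {
    "amazon": {"amazon.com", "amazon.in"},
    "priya rao": {"example.com"},  # hypothetical executive
}

def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def is_trusted(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def sender_red_flags(raw_message):
    """Return the reasons the sender headers of a raw message look spoofed."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []
    # Display name claims a known sender, but the address domain is not theirs.
    for trusted_name, allowed in TRUSTED_SENDERS.items():
        if trusted_name in name.lower() and not is_trusted(from_domain, allowed):
            flags.append(f"display name {name!r} used by domain {from_domain or 'none'}")
    # Replies would go to a different domain than the visible sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return flags

# Constructed samples. SPOOFED mirrors the CPR example, written defanged as in
# the article and refanged only so it parses; the other two are invented.
SPOOFED = ('From: "Amazon" <amazon@somecards[.]net>\n'
           'Subject: You have cash remaining on your Amazon Christmas Card\n\n'
           'Click here').replace("[.]", ".")
GENUINE = 'From: "Amazon" <order-update@amazon.com>\nSubject: Your order\n\nShipped'
BEC = ('From: "Priya Rao" <priya.rao@example.com>\n'
       'Reply-To: ceo.office@example.net\nSubject: Urgent invoice\n\nPay today')

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("bec", BEC)):
        print(label, sender_red_flags(raw))
```

A hit is a reason to confirm the request through a separate, verified channel, not proof of fraud; a clean result does not prove the message is genuine.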

The rules of cybersecurity apply doubly during this holiday season. Stay alert and protect yourself using the tips above to keep your season fun and festive, instead of forgettable and frenzied.

 

(The author is Managing Director, Check Point Software Technologies, India & SAARC, and the views expressed in this article are his own)