With Black Friday just hours away, many of us will be eagerly hunting for bargains this weekend. However, before you click on that offer or promotion that seems too good to be true, it may well be worth taking an extra few seconds to make sure you aren’t putting yourself at risk.
That’s the warning from security firm Sophos, which says it has detected a major spike in email phishing and other scams timed to coincide with the holiday season and aimed at luring in unsuspecting shoppers.
Speaking to ITProPortal this week, Sophos Labs security expert John Shier warned users to be vigilant to new and devious scams masquerading as legitimate Black Friday or Cyber Monday offers.
“When it comes to this time of year, you have two kinds of threat,” Shier says, “first, you have spam, which are trying to push some sort of product...and then you have the more malicious side, which uses a brand to steal credentials through phishing, or deliver malware.”
Shier notes that the iPhone X has already become a popular theme for scam email artists, with Apple’s latest device proving a major draw for criminals to try and trick shoppers.
But with some retailers such as Amazon having already started their Black Friday sales, and sending out daily email alerts on the latest deals, Shier warns that this deluge of offers, vouchers and alerts may desensitise users to the spam that is genuinely dangerous.
He showed us a number of well-constructed phishing email examples, which use legitimate-looking assets from well-known companies such as eBay, Amazon and BT to create a convincing-looking login page.
However, Shier warns that these sorts of scams are only set to become more widespread as the phishing tools needed become cheaper to make and distribute, with criminals now able to purchase everything required to run a malware campaign for as little as a few hundred pounds.
He notes that browser makers such as Google and Mozilla are doing a “fairly commendable job” of combating many of these threats by blocking known malicious URLs; ultimately, however, much of the responsibility lies with users themselves.
“It’s difficult to tell people not to click on links,” he notes, adding that especially for office workers this can be even more difficult, as employees need to click on links and open email attachments as a basic part of their jobs.
But users can help themselves by simply taking a few more seconds to check over an email before clicking on a link or downloading an attachment, Shier says, ensuring that the sender is someone they recognise, or by hovering over a URL to make sure it points where it claims to.
Shier notes that this is a particular issue on mobile devices, where screen real estate is at a premium. Criminals often build a fake URL whose visible start looks legitimate, then append a redirect at the end, which all too often is cut off when viewed on a phone. Many users also still don’t think of their smartphone as a powerful computing device that needs protecting, even though it often holds much of their valuable personal data.
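The two checks Shier describes above, looking at which host really receives the click and spotting a redirect tucked onto the end of a link, can be automated. The following is an added example written for this article, not code from Sophos or ITProPortal; the trusted-brand list, the redirect parameter names and the `.example` hostnames are constructed for illustration.

```python
"""Inspect where a link really leads, the way a careful reader hovering over it should."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Assumed allow-list of brands the reader actually trusts (illustrative only).
TRUSTED = {"amazon.co.uk", "ebay.co.uk", "bt.com", "apple.com"}
# Query-string keys commonly used to carry a redirect target (assumed list).
REDIRECT_KEYS = {"url", "redirect", "next", "return", "goto", "dest"}


def registered_domain(host: str) -> str:
    """Crude guess at the registrable domain: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str) -> dict:
    """Return the domain that really receives the click plus a list of warnings."""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = registered_domain(host)
    warnings = []

    if domain not in TRUSTED:
        # A trusted brand name used as a subdomain or path segment of some other domain
        # is the "legitimate-looking start" trick: the brand is bait, not the destination.
        brands = {d.split(".")[0] for d in TRUSTED}
        tokens = set(re.split(r"[^a-z0-9]+", (host + parts.path).lower()))
        hit = {b for b in brands if b in tokens and b != domain.split(".")[0]}
        if hit:
            warnings.append(f"brand(s) {sorted(hit)} in link but real domain is {domain}")

    # A redirect parameter pointing at a different domain is the "redirect at the end"
    # that a narrow mobile address bar truncates.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_KEYS:
            for value in values:
                target = urlparse(unquote(value))
                if target.hostname and registered_domain(target.hostname) != domain:
                    warnings.append(f"redirects to {target.hostname} via ?{key}=")

    if parts.scheme != "https":
        warnings.append("not https")
    return {"real_domain": domain, "warnings": warnings}
```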
Ultimately, it seems that staying safe online remains a joint effort, with users, vendors and businesses all needing to pull together to ensure they stay protected.
As Shier says, “Security is a shared responsibility, so don’t expect others to take care of security for you, you need to take part...and the more of us that take part, and take care, the better we will all be.”