Don't be a Hacker's Secret Santa
Anne Locke and Pieter Van Hiel
The holiday season is just a few weeks away and many of us will find ourselves on the hunt for the perfect presents for loved ones, online or in-stores. Black Friday (November 29) has become the unofficial kick-off of the holiday shopping season, with many people hoping to snag great gifts and bargains.
Hackers are also looking for opportunities this season, devising ways to take advantage of shoppers who may not be keeping security top-of-mind during a hectic time of year. To avoid becoming an involuntary Secret Santa who gifts a hacker with a credit card number, keep these tips in mind while shopping.
Don’t be blinded by bargains
We’ve all grown wary of suspicious emails from Revenue Canada or your bank, but you might not be as attentive when it comes to getting a too-good-to-be-true deal. Hackers know legitimate retailers often distribute emails inviting customers to take advantage of upcoming sales. As a result, hackers will often send out phishing emails designed to look like genuine messages from popular stores. Unfortunately, when you interact with these malicious messages, either by clicking a link or opening an attachment, you could end up falling for a phishing attack. Take a moment to confirm the email comes from the right address, or simply look up the product you want on the retailer’s site.
Should you trust that text?
Another growing trend is SMSishing – a phishing scam delivered as a text message rather than an email. The goals of SMSishing messages are the same – to gain access to sensitive information – but hackers know a text message is harder to double-check than an email, and many people are more likely to trust them. If you get a suspicious text, treat it as you would an unexpected email. Do not click on any links or reply with sensitive or personal info.
Fruitcakes last forever, passwords don’t
Need some inspiration to keep your secure password resolution? One in five visits to North American retail sites in 2018 were ‘bad bots’, automated programs designed to crack passwords and take over a user account – and three-quarters of those were advanced bots, sophisticated enough to mimic human activity and penetrate common anti-bot filters.
Hackers use bots to try to break into secure websites using a method known as credential stuffing. This technique uses usernames and passwords, often stolen via phishing schemes or data breaches, to try accessing a secure site by trying out different usernames and passwords. Hackers know many people reuse the same password for different accounts, making it all the more likely they will be able to use stolen login info to break into different sites. With hundreds of millions of these credentials available for sale on the Darkweb, there’s a chance one of your standby password/username combinations is already out there. Before you go shopping online this Black Friday, take some time to learn how to create strong, unique passwords and refresh your credentials! Or better yet, always check out as a guest and decline the option to create a profile or account when shopping online.
Only buy from trusted retailers
It’s unlikely you would buy your New Year’s Eve shrimp ring from a stranger in an alley. Similarly, you shouldn’t buy items or gifts from a website you’ve never heard of. If you find a product on an unknown, new site, it’s a good idea to vet that site first with a quick Google search. This is especially true if the site is selling goods at a substantially lower, too-good-to-be-true price versus other retailers. If the site and/or price is suspicious and you can’t confirm the store is legitimate, it’s a good idea to err on the side of caution and buy the item from a retailer you already know and trust.
Hackers use HTTPS too
A common piece of security advice given at this time of year is to ensure your transaction occurs on a site with an HTTPS prefix in the URL. The S stands for secure and indicates the information sent to and from the page is encrypted. However, that in itself is not a guarantee of security. Fake sites can use the same technology. According to one industry source, more than half of scam sites now use HTTPS! Since hackers are becoming more sophisticated, it’s important to both keep an eye out for sites that use HTTPS and to only shop from known, trusted stores.
TELUS Wise wishes you, your family and friends the happiest of holiday seasons. May you find great deals and shop securely!