Black Friday/Cyber Monday scams and how to avoid them

Whether this fills you with joy or dread, Christmas is now only 45 days away. Which means that Black Friday and Cyber Monday are nearly here.

Black Friday, when many stores offer huge discounts, is on the 26th November this year. It’s swiftly followed by Cyber Monday, which is the online store equivalent. But, to be honest, the two tend to merge into one big long weekend of shopping – online and offline.

It’s a fantastic opportunity to bag some bargains…but it’s also an opportunity for cyber scammers to take advantage of the buying frenzy.

In 2020 £7.5bn was spent by UK consumers over the Black Friday weekend, £5.76bn of which was online (source: statista.com). And criminals are as keen as ever to see a piece of the action.

Black Friday/Cyber Monday scams

Amazing deals by email

“Phishing” emails are one of the most common starting points for online scams. Criminals are experts at making emails look like they come from familiar brands, enticing you to click on links and enter personal details.

Image courtesy of The Defence Works

Phishing emails pretend to be from a well known company (the lure) and usually include some sort of special offer (the bait) with a website link for you to click on (the hook). When you go to the website they might ask you to enter your bank details or other personal information, which, to extend the fishing analogy, is them reeling you in.

In other cases, the link will send you to a dodgy website or download viruses onto your computer.

Order confirmation emails

This is another type of phishing email, where you receive a message which appears to come from a well known brand, such as Amazon, confirming your order.

The tactic is to encourage you to look at it and think “I didn’t order that”, so you click on the link to check the order details. Any genuine order will also show up in your account on the store’s own website, so check there instead.

Bank notifications

These are emails which purport to come from your bank, letting you know that a purchase can’t be processed.

They then give you a link to click on in order to complete the purchase, which then presents you with a form to enter your payment details.

“Your order has been cancelled” emails

Similar to the bank notifications, these emails pretend to be from the store and tell you that the item you ordered is out of stock. They then provide you with a link to claim your refund by entering your bank details.

Delivery notifications

Recently there’s been a spate of fake emails, texts and messages purporting to be from delivery companies. We suspect that these will increase in volume over the Black Friday/Cyber Monday season, when most of us are expecting parcels anyway.

The message will often mention a problem with the delivery and ask you to click on a link to fix it.

This is an example pretending to be from Royal Mail:

Lookalike pages

Some criminals create replicas of popular websites, such as Amazon or eBay, to make users think they’re shopping with a familiar brand.

This is easier than you might think, as they can simply “scrape” the genuine website and recreate it for themselves.

We came across one example where a scammer had registered the domain name www.next.vo.uk. They were cleverly banking on people mistyping “co.uk” with the letter v, which sits next to the c on a keyboard. When you visited the fake address it fully replicated the genuine NEXT website, including, of course, the form for you to enter your payment details into.

Tabnapping

Many of us shop with several browser tabs open at once. Fraudsters can take advantage of this by “tabnabbing” one of your tabs: a page you have left open (for example one you reached from a link in a phishing email) quietly rewrites itself to show a fake store log-in screen once you switch to another tab. The aim is that when you come back you think you’ve been logged out of the shop and enter your username and password to get back in, inadvertently sending that information to the criminals.

The page doesn’t need any malware on your computer to do this; ordinary website code can tell when its tab is no longer the one you’re looking at and change what it displays. If a tab you don’t remember logging out of suddenly asks you to log in again, close it and open the store from a bookmark or by typing the address yourself.

Using public wifi

When you use a public wifi network, such as in a shop or café, you don’t know who runs it or how secure it is. Whoever controls the network (or a criminal who has set up a hotspot with a convincing name) can see which sites you connect to and may try to redirect you to fake ones. HTTPS protects the contents of what you send, but only if you notice and heed your browser’s warnings, so making online purchases over public wifi puts you at risk.

Using your mobile data is more secure, though even that isn’t 100%. It’s better to wait until you’re back home or at work in the safety of your private internet connection.

Messages from family and friends

A common use of a hacked account (such as an email, WhatsApp or Facebook account) is to send out scam messages.

So, you might be on WhatsApp, and you get a message from a friend about this great Black Friday deal at M&S. You click on the link, because it came from a friend so must be legit, and unknowingly end up on a fake website.

It’s important to remember that scammers will use any and every platform they can to steal your personal information and money.

How to shop safely online

Research the shop

If you’re buying from a store for the first time, do some basic research to make sure they’re above board. This could include:

  • Checking their reviews on independent sites such as Trustpilot.
  • Asking family and friends if they’ve used them before.
  • Making sure they have an address and phone number on their website.
  • Reading through their returns policy and other terms and conditions.

Use your credit card or third party providers

In the UK, credit card purchases of more than £100 (and up to £30,000) are covered by Section 75 of the Consumer Credit Act, which makes the card provider jointly liable with the retailer if things go wrong, so you can claim your money back. Check your card’s terms and conditions to find out what else you’re covered for.

Equally, many third party providers, such as PayPal, will refund you for fraudulent charges. Plus using them means you don’t need to enter your card details into the store’s website at all.

Never pay by bank transfer and try to avoid using debit cards.

Install security updates

Don’t put off installing updates on your devices. Many of these include security fixes that close the holes scammers and malware rely on.

Be particularly careful to ensure that your anti-virus and anti-spyware software are up to date, and that you switch on the tools in your browser to block dodgy sites (often these are automatically enabled).

Use secure passwords and two-factor authentication

Make sure all your passwords are:

  • Unique (so if one is stolen it doesn’t give the criminals access to anything else).
  • At least 8 characters long.
  • Not obvious, so avoid family names, pets, birthdays, the word “password”, etc.
  • Fairly random, avoiding numerical sequences (12345) or other easily recognised patterns (qwerty).

The current advice is to choose three random words for each password, as this gives it a good length as well as being ‘unguessable’. You can also add a number and/or special character to it for additional security.

If you have trouble keeping track of your online passwords, there are secure password management applications available, and you can also save them to your browser. A password manager has a bonus when it comes to scams: it will only fill in your password on the exact website it was saved for, so if it refuses to fill in your “Amazon” password you may well be on a lookalike site.

Writing them down in a notebook that you keep somewhere safe at home is also a reasonable option, as they are never recorded online, though it won’t give you that warning.

Where possible, set up two-factor authentication (2FA), particularly for your online payments and your email address.

Don’t click on links unless you’re 100% sure

When you receive emails, texts or messages including links, don’t click on them unless you’re absolutely certain they are legitimate. This applies to any emails from stores, your bank, delivery companies, friends, etc.

If you’re at all unsure, contact the sender first using a phone number you already know to be genuine (from their official website or the back of your card), not one given in the message.

Scrutinise website addresses

Check website addresses carefully to make sure that a letter hasn’t been switched or missed, or an extra one added. Pay most attention to the part of the address immediately before the “.com” or “.co.uk”, because that is the part the owner actually registered: a (made-up) address like amazon.co.uk.example.net belongs to example.net, not to Amazon, however familiar the start of it looks. Also, be more cautious of websites which don’t have a “.com” or “.co.uk” suffix.

Note that this isn’t absolutely foolproof as fraudsters who have planted malware on your device can display a legitimate address when you’re actually on a fake website.
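For readers who would like to check addresses automatically, the following is an added example (not code from the original article) that applies the checks described above and in the “Lookalike pages” section. It generates the one-keystroke misspellings of a few genuine shop hostnames (a letter swapped for its keyboard neighbour as in next.vo.uk, a letter missed, a letter doubled, two letters switched) and reports whether an address is one of them, or whether it merely uses a real brand name as a subdomain of a domain someone else owns. The keyboard map, the list of genuine hosts and the sample addresses are constructed for the example.

```python
"""Lookalike-domain check for shop addresses (added example, not part of the article)."""
from urllib.parse import urlparse

# Neighbouring keys on a UK/US QWERTY keyboard, lower-case letters only (constructed map).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Hostnames of shops the reader actually uses (an illustrative list, assumed for the example).
GENUINE_HOSTS = {"next.co.uk", "amazon.co.uk", "ebay.co.uk", "paypal.com"}


def host_of(url):
    """Lower-cased hostname of a URL or bare address, with any leading 'www.' dropped."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def typo_variants(name):
    """All hostnames one slip of the fingers away from `name`."""
    variants = set()
    for i, ch in enumerate(name):
        # letter replaced by a keyboard neighbour: next.co.uk -> next.vo.uk
        for alt in ADJACENT.get(ch, ""):
            variants.add(name[:i] + alt + name[i + 1:])
        # letter (or dot) missed out: amazon.co.uk -> amzon.co.uk, next.co.uk -> nextco.uk
        variants.add(name[:i] + name[i + 1:])
        # letter typed twice: ebay.co.uk -> ebbay.co.uk
        variants.add(name[:i] + ch + name[i:])
        # two neighbouring characters switched: paypal.com -> papyal.com
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
    variants.discard(name)
    return variants


def is_genuine(host, genuine_hosts=GENUINE_HOSTS):
    """True for a genuine host or a real subdomain of one (orders.amazon.co.uk)."""
    return host in genuine_hosts or any(host.endswith("." + g) for g in genuine_hosts)


def lookalike_of(url, genuine_hosts=GENUINE_HOSTS):
    """The genuine host that `url` is a one-typo misspelling of, or None."""
    host = host_of(url)
    if is_genuine(host, genuine_hosts):
        return None
    for genuine in genuine_hosts:
        if host in typo_variants(genuine):
            return genuine
    return None


def brand_in_subdomain(url, genuine_hosts=GENUINE_HOSTS):
    """A genuine host name buried inside a hostname owned by someone else, or None.

    amazon.co.uk.example.net is registered by whoever owns example.net; the
    familiar-looking start of the name is just a subdomain they chose.
    """
    host = host_of(url)
    for genuine in genuine_hosts:
        if host != genuine and not host.endswith("." + genuine) and genuine in host:
            return genuine
    return None


def verdict(url, genuine_hosts=GENUINE_HOSTS):
    """One-line assessment of a shop address."""
    host = host_of(url)
    if is_genuine(host, genuine_hosts):
        return "genuine: " + host
    brand = lookalike_of(url, genuine_hosts)
    if brand:
        return "lookalike: one typo away from " + brand
    brand = brand_in_subdomain(url, genuine_hosts)
    if brand:
        return "lookalike: " + brand + " is only a subdomain here"
    return "unknown shop, do your research: " + host


if __name__ == "__main__":
    # Constructed sample addresses: one genuine, two typos, one brand-in-subdomain, one unknown.
    for sample in ["https://www.next.co.uk/sale",
                   "www.next.vo.uk",
                   "http://amzon.co.uk/deal",
                   "https://amazon.co.uk.example.net/login",
                   "https://some-new-shop.example/offers"]:
        print("%-42s -> %s" % (sample, verdict(sample)))
```

The check only knows about shops in its own list, so an address it calls “unknown” still needs the research described above; and, as the paragraph before notes, malware on the device can show a genuine address while you are somewhere else entirely, which no address check can catch.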

Make sure the website is secure

Any website you purchase from should use HTTPS, which means that the data you send to them is encrypted on its way there. Your browser shows a padlock symbol next to the address of such sites. Bear in mind that the padlock only tells you the connection is encrypted, not that the site is genuine: criminals can obtain certificates for their lookalike domains too, so a padlock on a misspelt address is no reassurance at all. For example, this is how the padlock appears in Microsoft Edge:

Don’t trust sites that ask you for too much information

Online shopping should not require you to enter your mother’s maiden name, your first pet’s name or which primary school you went to. They should only ask you for personal information which is absolutely necessary to complete your purchase.

Don’t create accounts unless you shop there a lot

Minimise your digital footprint by declining the option to set up an account with an online store, unless it’s one that you use frequently.

The fact that a store gives you the option to set up an account isn’t necessarily a bad thing (in fact it’s very convenient if you shop there a lot). But you should avoid setting up unnecessary accounts, otherwise it’s just another company that’s holding your personal data and therefore is at risk of losing it to criminals.

Avoid FOMO

FOMO, or “Fear Of Missing Out”, is a tactic used by many scammers. They want you to feel that you must act now, or miss out on a great deal.

Don’t allow yourself to be played in this way. Always take any purchase decisions slowly and carefully, particularly when they are online.

Trust your instincts

If a website looks not quite right (poor quality photos, bad spelling) or an email doesn’t quite ring true, then trust your instincts.

And use the old adage:

“If it seems too good to be true then it probably is.”

What to do if you think you’ve been scammed

First of all record the full website address (copy it from the address bar) and, if possible, take a screenshot of it. Then close down your internet browser.

If you have entered your payment details then contact your bank and let them know what has happened.

You should then report it to Action Fraud, the UK’s national reporting centre for fraud and cyber crime, using their online reporting form.

If you entered a password, immediately change this password on all the sites you use it on.

If you’ve received a suspicious email but haven’t clicked on anything, you can report it by forwarding the email to the National Cyber Security Centre’s Suspicious Email Reporting Service at report@phishing.gov.uk. Suspicious text messages can be forwarded, free of charge, to 7726. Then delete the message.
