Whether this fills you with joy or dread, Christmas is now only 45 days away. Which means that Black Friday and Cyber Monday are nearly here.
Black Friday, when many stores offer huge discounts, is on the 25th November this year. It’s swiftly followed by Cyber Monday, which is the online store equivalent. But, to be honest, the two tend to merge into one big long weekend of shopping – online and offline.
It’s a fantastic opportunity to bag some bargains…but it’s also an opportunity for cyber scammers to take advantage of the buying frenzy.
In 2021 £9.4bn was spent by UK consumers over the Black Friday weekend, £5.74bn of which was online (source: statista.com). And criminals are as keen as ever to see a piece of the action.
Black Friday/Cyber Monday scams
Amazing deals by email
“Phishing” emails are one of the most common starting points for online scams. Criminals are experts at making emails look like they come from familiar brands, enticing you to click on links and enter personal details.
Phishing emails pretend to be from a well known company (the lure) and usually include some sort of special offer (the bait) with a website link for you to click on (the hook). When you go to the website they might ask you to enter your bank details or other personal information, which, to extend the fishing analogy, is them reeling you in.
In other cases, the link will send you to a dodgy website or download viruses onto your computer.
Order confirmation emails
This is another type of phishing email, where you receive a message which appears to come from a well known brand, such as Amazon, confirming your order.
The tactic is to encourage you to look at it and think “I didn’t order that”, so you click on the link to check the order details.
‘Account verification’ emails
This is yet another kind of phishing email, this time one that plays on our worries about online security. The message claims that someone tried to hack into your account and provides a link for you to log in and verify your account information. The scammers use convincing-looking branding and logos to help persuade you to share your account details and password.
Gift Card Scam
Did you know that gift card purchases can’t be tracked? Similar to cash, once the money has been used there’s no way to recover it and hence they’re a popular target for scammers.
An online store will ask you to pay for something using a digital gift card, encouraging you to type in the gift card number and PIN. Once they have this, they can spend your money from your card.
A legitimate online retailer will never instruct you that you must use a gift card to pay for your purchases, so always be wary of any suggestion that you have to pay using a gift card.
Fake product reviews
How often do you check online reviews to help guide your purchases? With so many of us relying on those reviews, the scammers have now turned their attention to them. Bots can be used to write a swathe of glowing reviews to try and trick consumers into buying poor quality products. Unsurprisingly the number of fake, bot-written reviews tends to boom around Black Friday and Cyber Monday when online sales also tend to peak.
You can usually spot reviews from bots because they use a lot of technical jargon and often contain awkward and unusual phrases.
Bank notification emails
These are emails which purport to come from your bank, letting you know that a purchase can’t be processed.
They then give you a link to click on in order to complete the purchase, which then presents you with a form to enter your payment details.
“Your order has been cancelled” emails
Similar to the bank notifications, these emails pretend to be from the store and tell you that the item you ordered is out of stock. They then provide you with a link to claim your refund by entering your bank details.
Delivery company messages
Recently there’s been a spate of fake emails, texts and messages purporting to be from delivery companies. We suspect that these will increase in volume over the Black Friday/Cyber Monday season.
The message will often mention a problem with the delivery and ask you to click on a link to fix it.
This is an example pretending to be from Royal Mail:
Fake websites
Some criminals create replicas of popular websites, such as Amazon or eBay, to make users think they’re shopping with a familiar brand.
This is easier than you might think, as they can simply “scrape” the genuine website and recreate it for themselves.
We came across one example where a scammer had registered the domain name www.next.vo.uk. They were cleverly banking on people mistyping the “co.uk” with the letter next to the c on a keyboard. When you visited the fake address it fully replicated the genuine NEXT website, including, of course, the form for you to enter your payment details into.
Malicious browser extensions
Third party browser extensions for use with Google Chrome and Microsoft Edge can also be a source of scams. Because they are listed as add-ons for these well known browsers, it’s easy to be taken in.
According to a report released by Guardio Labs in October 2022, the most recent wave of malicious extensions seems harmless enough, offering options to customise the colour palette on your device. Cleverly, the initial download and installation contains no malicious code, so it’s difficult to detect; the campaign has been given the name “Dormant Colours.” It isn’t until later that the extension redirects the user to web pages that then covertly load the malware onto your device.
If you install a malicious browser extension it could redirect you to phishing sites so you then fall victim to one of the other scams listed here or even directly steal your personal data. While there’s no evidence of this yet, experts warn that the malware could potentially gather Microsoft 365, Google Workspace or even banking log-in details.
Tabnapping
Fraudsters can take advantage of this by “tabnapping” one of your browser tabs and redirecting it to show a fake store log-in screen. The aim is that the user will think they’ve been logged out of the shop and will then enter their username and password to get back in, inadvertently sending that information to the criminals.
The scammers can only access your browser if they have already planted code (malware) on your computer, which can happen if you click on a link in a phishing email, for example.
Using public wifi
When you use a public wifi network, such as in a shop or café, you don’t know how secure it is. Criminals can exploit these networks and intercept any data being transmitted, which means that if you make online purchases over public wifi you’re at risk.
Using your mobile data is more secure, though even that isn’t 100%. It’s better to wait until you’re back home or at work in the safety of your private internet connection.
Messages from family and friends
A common use of a hacked account (such as an email, WhatsApp or Facebook account) is to send out scam messages.
So, you might be on WhatsApp, and you get a message from a friend about this great Black Friday deal at M&S. You click on the link, because it came from a friend so must be legit, and unknowingly end up on a fake website.
It’s important to remember that scammers will use any and every platform they can to steal your personal information and money.
How to shop safely online
Research the shop
If you’re buying from a store for the first time, do some basic research to make sure they’re above board. This could include:
- Checking their reviews on independent sites such as Trustpilot.
- Asking family and friends if they’ve used them before.
- Making sure they have an address and phone number on their website.
- Reading through their returns policy and other terms and conditions.
Use your credit card or third party providers
Most major credit card providers insure your online purchases. So, even if things do go wrong, you can still get your money back. Check your credit card’s terms and conditions to find out what you’re insured for.
Equally, many third party providers, such as PayPal, will refund you for any fraudulent charges. Plus, using them gives you the advantage of not needing to enter your bank details into the store’s website.
Never pay by bank transfer and try to avoid using debit cards.
Install security updates
Don’t put off installing updates on your devices; many of these include security fixes that help protect you from online scams.
Be particularly careful to ensure that your anti-virus and anti-spyware software are up to date, and that you switch on the tools in your browser to block dodgy sites (often these are automatically enabled).
Use secure passwords and two-factor authentication
Make sure all your passwords are:
- Unique (so if one is stolen it doesn’t give the criminals access to anything else).
- At least 8 characters long.
- Not obvious, so avoid family names, pets, birthdays, the word “password”, etc.
- Fairly random, avoiding numerical sequences (12345) or other easily recognised patterns (qwerty).
The current advice is to choose three random words for each password, as this gives it a good length as well as being ‘unguessable’. You can also add a number and/or special character to it for additional security.
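To make the rules above concrete, here is an added Python example (not from the original article) that checks a candidate password against each rule in the list and builds a three-random-word password in the way the article recommends. The “obvious words” list and the word list are constructed placeholders for illustration, and the year check is an approximation of the “no birthdays” rule added here.

```python
import re
import secrets

# Constructed list of obvious words to reject (the article names family and pet names,
# birthdays and the word "password"); extend it with your own names and dates.
OBVIOUS_WORDS = ("password", "letmein", "welcome", "smith", "rover", "fluffy")

# Keyboard rows and the digit row, used to spot sequences such as qwerty or 12345.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Constructed sample word list for three-random-word passwords; a real list
# would have thousands of entries.
WORD_LIST = ("tractor", "lantern", "pebble", "harbour", "violin", "meadow", "copper", "sandal")


def has_sequence(pw, min_len=4):
    """True if pw contains min_len or more neighbouring keys from any keyboard row,
    forwards (12345, qwerty) or backwards (54321, ytrewq)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            run = row[start:start + min_len]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(pw, already_used=()):
    """Return the rules from the article that pw fails; an empty list means it passes."""
    problems = []
    if pw in already_used:
        problems.append("reused on another site")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    low = pw.lower()
    if any(word in low for word in OBVIOUS_WORDS):
        problems.append("contains an obvious word")
    # Approximation of the 'no birthdays' rule: reject any year from 1900 to 2099.
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("contains a year")
    if has_sequence(pw):
        problems.append("contains a keyboard or number sequence")
    return problems


def three_random_words(words=WORD_LIST, sep="-"):
    """Build a password from three random words, drawn with the cryptographically
    secure secrets module rather than random.choice."""
    return sep.join(secrets.choice(words) for _ in range(3))


if __name__ == "__main__":
    for candidate in ("qwerty123", "Password1985", "coffee-tractor-lantern"):
        print(candidate, "->", check_password(candidate) or "passes")
    print("suggestion:", three_random_words())
```

Run it with a few candidates of your own; a password that passes every check is not guaranteed to be strong, but one that fails any of them is the kind of password the article warns against.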
If you have trouble keeping track of your online passwords, there are secure password management applications available and you can also save them to your browser.
Perhaps the most secure thing to do is to write them down in a notebook that you keep somewhere safe at home, so they are never recorded online.
Where possible, set up two-factor authentication (2FA), particularly for your online payments and your email address.
Don’t click on links unless you’re 100% sure
When you receive emails, texts or messages including links, don’t click on them unless you’re absolutely certain they are legitimate. This applies to any emails from stores, your bank, delivery companies, friends, etc.
If you’re at all unsure, contact the sender by phone to ask them about it first.
Scrutinise website addresses
Check website addresses carefully to make sure that a letter hasn’t been switched or missed, or an extra one added. Also, be more cautious of websites which don’t have a “.com” or “.co.uk” suffix.
Note that this isn’t absolutely foolproof as fraudsters who have planted malware on your device can display a legitimate address when you’re actually on a fake website.
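As an added illustration (not part of the original article), the following Python script performs the address checks described in this section automatically. It compares the host of a link against a short, constructed list of retailer domains and reports whether a letter has been changed, added, dropped or swapped, and whether a changed letter sits next to the original on a QWERTY keyboard, as in the www.next.vo.uk example above. The domain list and the sample URLs are constructed for illustration; the real addresses to trust are the ones you have verified yourself.

```python
from urllib.parse import urlsplit

# Constructed allowlist of retailer domains the shopper already knows and trusts.
KNOWN_DOMAINS = ("next.co.uk", "amazon.co.uk", "ebay.co.uk", "marksandspencer.com")

# Letter rows of a UK/US QWERTY keyboard, used to spot adjacent-key typos.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Keys physically next to ch: same row left/right, plus the three keys
    above and below it on the neighbouring rows."""
    neighbours = set()
    for r, row in enumerate(KEYBOARD_ROWS):
        if ch not in row:
            continue
        i = row.index(ch)
        for j in (i - 1, i + 1):
            if 0 <= j < len(row):
                neighbours.add(row[j])
        for other in (r - 1, r + 1):
            if 0 <= other < len(KEYBOARD_ROWS):
                for j in (i - 1, i, i + 1):
                    if 0 <= j < len(KEYBOARD_ROWS[other]):
                        neighbours.add(KEYBOARD_ROWS[other][j])
    return neighbours


def edit_distance(a, b):
    """Levenshtein distance: minimum number of single-character inserts,
    deletes and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme and a leading www."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_address(url, known=KNOWN_DOMAINS):
    """Return (verdict, detail): 'known', a 'lookalike (...)' reason with the
    brand it imitates, or 'unknown' with the host itself."""
    host = host_of(url)
    if host in known:
        return "known", host
    for brand in known:
        d = edit_distance(host, brand)
        if d == 1 and len(host) == len(brand):
            pos = next(i for i, (x, y) in enumerate(zip(host, brand)) if x != y)
            if host[pos] in adjacent_keys(brand[pos]):
                return "lookalike (adjacent-key typo)", brand
            return "lookalike (one letter changed)", brand
        if d == 1:
            return "lookalike (letter added or missing)", brand
        if d == 2 and len(host) == len(brand):
            diffs = [i for i, (x, y) in enumerate(zip(host, brand)) if x != y]
            if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                    and host[diffs[0]] == brand[diffs[1]]
                    and host[diffs[1]] == brand[diffs[0]]):
                return "lookalike (two letters swapped)", brand
        if brand.split(".")[0] in host:
            return "lookalike (brand name inside another domain)", brand
    return "unknown", host


if __name__ == "__main__":
    # Constructed sample links, including the next.vo.uk case from the article.
    for link in ("https://www.next.vo.uk/checkout", "amazon.co.uk",
                 "https://ebya.co.uk", "https://next-deals.co.uk", "https://example-shop.com"):
        print(link, "->", check_address(link))
```

An “unknown” verdict only means the address is not a near-miss for a brand on your list, not that it is safe; it still deserves the research described under “Research the shop”. The one-letter and swapped-letter checks cover the cases this section lists (a letter switched, missed or added), and the adjacent-key test explains why “vo.uk” for “co.uk” is such an easy mistake to make.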
Make sure the website is secure
Any website you purchase from should have SSL encryption, which means that the data you send to them is encrypted. Sites with SSL will have a padlock symbol next to their address in your browser. For example, this is how the padlock appears in Microsoft Edge:
Don’t trust sites that ask you for too much information
Online shopping should not require you to enter your mother’s maiden name, your first pet’s name or which primary school you went to. They should only ask you for personal information which is absolutely necessary to complete your purchase.
Don’t create accounts unless you shop there a lot
Minimise your digital footprint by declining the option to set up an account with an online store, unless it’s one that you use frequently.
The fact that a store gives you the option to set up an account isn’t necessarily a bad thing (in fact it’s very convenient if you shop there a lot). But you should avoid setting up unnecessary accounts, otherwise it’s just another company that’s holding your personal data and therefore is at risk of losing it to criminals.
Don’t give in to FOMO
FOMO, or “Fear Of Missing Out”, is a tactic used by many scammers. They want you to feel that you must act now, or miss out on a great deal.
Don’t allow yourself to be played in this way. Always take any purchase decisions slowly and carefully, particularly when they are online.
Trust your instincts
If a website looks not quite right (poor quality photos, bad spelling) or an email doesn’t quite ring true, then trust your instincts.
And use the old adage:
What to do if you think you’ve been scammed
First of all record the full name of the website address and, if possible, take a screen shot of it. Then close down your internet browser.
If you have entered your payment details then contact your bank and let them know what has happened.
You should then report it to the police, using their Action Fraud reporting form.
If you entered a password, immediately change this password on all the sites you use it on.
If you’ve received a suspicious email but haven’t clicked on anything, you can report it by forwarding the email to the police’s Suspicious Email Reporting Service at email@example.com. Then delete the email.