As we approach the Christmas period the NCSC would like to take this opportunity to remind people that this is a particularity active period for cyber criminals to take advantage of unsuspecting online shoppers. In the weeks approaching Christmas and with events such as “Black Friday” and “Cyber Monday” there is a marked increase in online shopping, which in turn creates more opportunities for malicious actors and online scams.
Incidents of cyber fraud are increasing and An Garda Síochána have reported that “In the period from 1st January 2020 until 31st October 2020, 489 Online Shopping Frauds have been reported to An Garda Síochána. The average loss was e2,306 per incident representing an overall loss to Irish citizens of e1,127,972”1. Unfortunately, many incidents go unreported to An Garda Síochána so the real number may be multiples of this amount.
Whilst email phishing is still the most common attack vector for such crimes, smartphones are also tar- geted through SMS phishing (smishing) and through malicious links embedded in popular messaging & social media apps.
Another attack method used by cyber criminals is fake refund or shipment tracking sites that attempt to harvest credentials (username/passwords/credit card details etc.), from unsuspecting victims. The success of these tactics are based on the increased urgency people feel to track their purchased goods in order for them to arrive in time for Christmas.
Business Email Compromise (BEC) has also increased substantially over recent years, particularly this year during the pandemic. During the Christmas period, BEC actors may impersonate a company’s CEO or another senior executive in email requests asking a targeted employee to purchase physical gift cards, usually under the guise of staff bonuses or gifts for a client. They will then request the victim employee to send the code on the voucher to them. These details are often converted to cryptocurrency by their subsequent sale on the dark web marketplaces.
Christmas messages from untrusted sources that ask a user to click a link or play a video/audio file etc. should not be clicked. Even if the source is trusted, extreme caution should be exercised as the source itself may have been compromised or spoofed. Be particularly vigilant around New Year and Christmas Eve when the volume of messages, both legitimate and malicious, increase greatly.
It should be noted that even the most advanced threat actors use these methods, particularly at this time of year, to gain unauthorised access to networks, or at the very least steal users’ credentials. If you suspect that your details may have been compromised you should:
• Contact your bank or credit card company
• Report the crime to your local Garda station
• Reset your login details for the affected accounts
1: https://www.garda.ie/en/about-us/our-departments/office-of-corporate-communications/news-media/an-garda-siochana- and-europol-promote-safe-online-shopping-this-christmas.html
Staying Secure Online
- Before you make any online transactions research who you are purchasing from – check online reviews, sales history etc. Preferably use reputable shops and brands you know and trust. If you have any doubts about the seller, we advise you shop somewhere else.
- Use a credit card or a virtual credit card when purchasing online.
- Never send credit card details by email.
- Where possible type in URLs to sites you want to visit rather than clicking on links.
- Be alert to the existence of fake websites – When browsing, make sure each site you visit starts with HTTPS, this indicates that malicious 3rd parties cannot intercept any of the details being sent between you and the website you are currently visiting. It should also be noted than many malicious sites will have valid SSL certificates so the lock icon is not a guarantee of reputability. If the website looks poorly designed (spelling mistakes, broken buttons/links etc) use extra caution.
- Create strong complex passwords and do not use the same password across different ac- counts. Consider using a password manager.
- Please be wary of unsolicited phone calls claiming to be from banks, internet providers or any other entity requesting passwords, usernames or money for any service. Contact the retailer or service through an alternative contact method to confirm that the request is legitimate.
- Invoice re-direction/Business Email Compromise (BEC) fraud is prevalent at this time of the year as businesses are preparing for financial year end. People should be wary of this and enhanced vigilance should be practiced when receiving emails from vendors/clients notifying of a change of bank account and requesting payments made into the new account. Users should verify the change using established alternative forms of communication.
- Do not enter your account credentials if you receive an unsolicited email purporting to be an online shipment/delivery company without verifying first. In the event of users wishing to query the status of a particular item they should take note of reference numbers etc. provided at the time of original purchase and ensure these match any subsequent correspondence.
- Use caution when connecting to public Wi-Fi. Public Wi-Fi is often targeted by malicious actors and used to eavesdrop on unsuspecting users’ online activity. We recommend that you use your mobile network if in doubt.
- Secure your devices and accounts:
- – Deploy Multi-Factor Authentication (MFA) on all of your accounts where possible
- – Only install apps from the official App Store or Play Store and assess the permissions that each app requests in your phone settings
- – Make sure to update the device software and applications to the latest version
- – Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalise on shoppers looking for deals