Since the weather outside is frightful, I choose to stay inside and add more stuff to my wish list. Yes, you’ve guessed it – Black Friday’s drawing closer. Ready to break that piggy bank for some awesome stuff you’ll probably forget about in a couple of weeks? Me too. The hype’s all too real and, unfortunately, Black Friday, just like any other seasonal ballyhoo, attracts all sorts of crowds, including scammers. Still thinking about buying that new 4K TV or some more PS4 games? Well, that’s what Black Friday is for; I’m just here to tell you how to avoid Black Friday scams. Let’s start.
Why Black Friday?
Is water wet? Is winter cold? So I ask you: why pass up a perfectly good opportunity to rip off a few naive users who haven’t a clue about online shopping? It doesn’t matter if it’s Father’s Day, Christmas, Easter, Thanksgiving, or the winter solstice – the thicker the crowd, the more likely it is that a pickpocket is working it.
Although the shopping fever itself lasts only one day, there are plenty of people willing to spend serious cash on it. It makes sense: why give in to the impulse now, when you can wait for a better deal? And I have to admit that some of those deals run pretty hot.
Anyway, the scammers are out there, jumping at the chance to empty your bank account. So, this being an article about Black Friday scams, let’s take a closer look at the most common ones, plus a few you may not have heard of.
Black Friday scams roundup
Ready? Let’s get this show on the road.
1. Website (insistently) asks you to download its own application
As you probably know, most major retailers have their own apps: AliExpress, Amazon, Barnes & Noble, Walmart, Rakuten, etc. That doesn’t leave much room for the ‘little guys’, but they keep trying nonetheless. Most of them attract customers by offering items at jaw-dropping discounts or with perks like free shipping, extended warranty, cashback, and more.
Now, some of these websites will ‘talk’ you into downloading their mobile app. Nothing wrong with that in itself. However, not all of these retailers are legit, and the same goes for their apps. One of the most common tactics scammers use is to set up a fake shop website. Naturally, the items listed there have unrealistically low prices.
What happens next is that they trick you into handing over, of your own free will, personal and payment information (debit/credit card number, CVV code, name, address). Once you confirm the order, that data is compromised for good, and that’s the end of the road: the high-value item you waited so long to buy will never arrive. The same goes for bogus apps.
2. Website looks (ph)fishy
A variation on the same theme. Cloned websites are the norm when it comes to stealing credentials. They’re hard to tell apart from the real thing, and victims usually realise it only when it’s too late. Phishing via cloned websites is a year-round practice, but it blooms during the festive season. With Black Friday, Cyber Monday, and Thanksgiving just around the bend, you can be sure that scam sites will multiply. There are a couple of ways to figure out whether a website is real or fake; I’ll cover them in the protection section below.
3. Unrealistically low bargains
We already covered the fake websites and apps that reel in victims with incredibly cheap items. This isn’t exactly brand-spanking-new: the technique has been around for centuries and is still in use because, guess what, it works! The approach isn’t rocket science: using fake apps or websites, the scammers post ads for items from big brands (Nike, Adidas, Fossil, Cartier, Hugo Boss, etc.) at incredibly low prices.
So, if an item, say an iPhone 11 Pro, goes for $100 when the regular price is around $1,000, you’re probably dealing with a scam. Last week, I was looking to buy a pair of Bluetooth in-ears for my phone. I would have loved nothing more than to get my hands on a pair of Bose or JBLs, but I can’t really afford them. Anyway, while casually looking at my Facebook newsfeed, I came across an ad from some auto shop or whatever offering JBL wireless earbuds for free!
In exchange for your phone number, email, and physical address you would get a free pair of headphones that usually go for 200 bucks! This is just one of many examples. In fact, if I were to fire up Facebook right now, I’d probably run into two or three of those fake websites. The Romans had a saying for this: caveat emptor!
4. Bait-and-switch
You’ll see a lot of these until the whole Black Friday fever subsides. In plain terms, bait-and-switch is when a scammer harvests your personal information by flashing an expensive item before your eyes. The item will be everything you ever dreamed of. However, once the order is placed you discover, much to your discontent, that the shop is out of stock. The vendor feels so ‘bad’ about your misfortune that he’s ready to give you a very special discount on a similar item. Do not accept this compromise: in almost every case, you will end up with a low-quality item. And if you paid online by credit or debit card, there’s a fair chance the item won’t be delivered at all.
The same thing can happen in brick-and-mortar stores, although I’m not inclined to call that a scam. It’s more of a dubious marketing practice: a salesperson tells you that the item you were looking for is out of stock and steers you to a similar one. Same routine, and you may well be offered a low-quality or counterfeit item.
5. Spoofed electronic discount cards
’Tis the season to be jolly (well, not that season), and nothing spells ‘bliss’ like a discount card. Don’t get me wrong; there’s nothing more satisfying than opening your inbox and finding a gift card from your favorite shop, but can you really trust such a God-sent gift? The answer is obviously ‘no’, and you would do well to steer clear of PBF (pre-Black Friday) SMS, IM, or email discounts. Some are legit, no doubt about that, but they’re really hard to tell apart from spoofs. For instance, you might receive a redeemable code from what appears to be a legit vendor, but clicking on it leads you anywhere but the vendor’s site. More on this later in the article.
6. Farming on Facebook
No, this isn’t a new FB game. It’s a sophisticated form of scamming based on Facebook pages that have been, so to speak, reverse-engineered. Why reverse-engineered? Normally, vendors use Facebook pages to advertise their products. It makes sense: by growing your ‘fandom’, you have more chances to score sales. More than that, Facebook rewards high-performing pages with a better PPC (pay-per-click) rate. Win-win!
Well, it would seem that scammers got wind of this and began to exploit Facebook’s ‘rewards’ system. And that’s not the end of it. Apart from growing these pages, which they do by coaxing users with outrageous discounts, fake products, and freebies, scammers also auction off the personal info they collect on the dark web. How can they do that, you ask? It’s simple: those pages collect truckloads of data from users, including PII (Personally Identifiable Information) such as your email address or birthday. It may seem irrelevant, but this info is pure gold on the dark web.
7. Issues regarding delivery or order
Another method scammers use to steal your credentials is to send fake emails or text messages about delivery or transaction problems. The best known are the “failure to deliver package” and “order confirmation” spoofs. What exactly do they mean? The first involves sending a spoofed email or SMS to a user who bought something from an online retailer. It may be something generic like “dear Amazon customer” or it can even have a personal touch to reinforce the illusion.
You’ll be casually informed about a bungled delivery and asked to reconfirm your address (yeah, right!). A legit vendor already has your delivery address; treat any unsolicited message that asks you to re-enter it through a link as suspect. The second method works much like the first: you receive an email or text message with an order confirmation link. If you click or tap it, you are taken to what appears to be the vendor’s website (it isn’t, trust me on this one). Once you fill out the mandatory fields with your address, email, name, and order ID, the information goes straight to the scammer.
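As an added example, not part of the original post: the checks that separate the spoofed notice above from a genuine one can be automated. The Python script below parses a message, pulls every link out of its HTML body and asks four questions: is the sender’s domain one you actually deal with, does each link land on such a domain, is a known brand name buried inside someone else’s host name, and does the URL shown to you differ from where the link really goes. Both messages, the trusted-domain list and every host name in them are constructed for the demo, and the “registrable domain” helper is a deliberate simplification that ignores the Public Suffix List.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains you actually have an account or a shipment with (assumption for the demo).
TRUSTED_DOMAINS = {"amazon.com", "example-courier.example"}

# Constructed phish: a carrier-style notice whose links go elsewhere.
PHISH = """\
From: "Amazon Delivery" <notice@amazon-delivery-update.example>
To: customer@example.org
Subject: Action required: we could not deliver your package
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Amazon customer,</p>
<p>Our carrier could not deliver order #112-0000000-0000000. Please
<a href="http://amazon.com.reconfirm-address.example/login">reconfirm your address</a>
within 24 hours.</p>
<p>Track it at <a href="https://track.example-courier.example/x">https://www.amazon.com/your-orders</a></p>
</body></html>
"""

# Constructed genuine shipping notice for comparison.
GENUINE = """\
From: "Amazon.com" <shipment-tracking@amazon.com>
To: customer@example.org
Subject: Your package has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Track it under <a href="https://www.amazon.com/your-orders">Your Orders</a>.</p></body></html>
"""


def registrable_domain(host):
    """Last two labels of a host name. Simplification: a real tool would use
    the Public Suffix List so that shop.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    return parser.links


def analyse_message(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings; an empty list means every check passed
    (which still does not prove the message genuine)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec
    sender_domain = registrable_domain(sender.split("@", 1)[1])
    findings = []
    if sender_domain not in trusted:
        findings.append(f"sender domain {sender_domain} is not one you deal with")

    body_part = msg.get_body(preferencelist=("html",))
    body = body_part.get_content() if body_part is not None else ""
    for href, text in extract_links(body):
        host = (urlparse(href).hostname or "").lower()
        if not host:  # relative link, nothing to judge
            continue
        dom = registrable_domain(host)
        if dom not in trusted:
            findings.append(f"{href}: lands on {dom}, not a shop or carrier you use")
        for brand in trusted:
            # amazon.com.reconfirm-address.example "contains" the brand but is not a subdomain of it
            if brand in host and host != brand and not host.endswith("." + brand):
                findings.append(f"{href}: {brand} appears in the host name but the real domain is {dom}")
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != dom:
                findings.append(f"{href}: displayed as {shown} but actually goes to {dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, analyse_message(raw) or ["no findings"])
```

Run it and the constructed phish produces four findings (untrusted sender, untrusted landing domain, brand-as-subdomain, displayed URL differing from the real target) while the genuine notice produces none. The same logic works on a real .eml file read from disk; the one thing it cannot do is vouch for a message that passes, since a compromised legitimate account passes every check here.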
8. Placing items on hold
This isn’t exactly Black Friday specific, but it does tend to flare up during that period. As you know, many brick-and-mortar stores will put an item on hold for you. It’s usually for 24 hours, but some stores will hold items longer, provided that you supply some personal info.
In my experience, retailers shouldn’t ask for more than your name and address, although some of them can be, ahem, cheekier, especially if they’re scammers acting in the name of a legit vendor. So how does this work? Through websites impersonating those vendors, of course. They put up fake phone numbers or item-holding forms. Guess what happens if you decide to have a little chat with them or fill out those forms with your personal information?
9. Freebies? Not on your life!
What’s the best way to attract new customers or keep the ones you already have? Freebies. I bet if you open your inbox right now, there’s at least one promotional email urging you to redeem a free item. I wouldn’t put the kibosh on all of them; some of those freebies are useful to keep around the house, and why bother buying them when you can get them for free? With legit vendors, the only downside of redeeming freebies is the amount of junk mail you receive afterward. Watch out for scammers, though: just like legit vendors, scammers also send out emails promoting free items. The only difference is that those emails are engineered to steal your credentials, and nothing else.
How to protect yourself against Black Friday scams
’Tis the season to be swindled, but have no fear. The best way to stay safe is to be one step ahead of the scammers. Here are a couple of tips to get you started.
1. Check the website’s credentials before buying
If you plan on doing your Black Friday shopping online, take a good look at the shop before entrusting it with your personal data. The tell-tale signs of fraud: no encryption (the address doesn’t start with “https://” and the browser shows no padlock), pop-up ads by the dozen, and limited payment methods (no cash on delivery, no PayPal, nothing that would ordinarily be processed through a secured service). One caveat: HTTPS on its own proves nothing, since certificates are free and scam sites use them too; its absence is a red flag, but its presence is not a seal of approval. Check the domain name itself, letter by letter, because cloned shops live on lookalike domains. You can often tell from the site’s design whether it’s legit or fake, too. Scammers usually have neither the time nor the resolve to piece together something appealing and coherent: apart from the annoying ads, you’ll find a couple of headers, tons of pics, product descriptions that make no sense whatsoever, and filler content.
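As an added example, not from the original post: a small Python checker for the domain-name side of the advice above. It flags a missing HTTPS scheme, punycode host names (the “xn--” labels that hide non-Latin lookalike letters), typo and homoglyph lookalikes of shops you know, the same brand on a different TLD, and a brand name embedded in an unrelated domain. The retailer list, the homoglyph table and the URLs in the usage section are all constructed for the demo, and the registrable-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
from urllib.parse import urlparse

# Shops you actually buy from (assumption for the demo).
KNOWN_RETAILERS = {"amazon.com", "walmart.com", "bestbuy.com", "nike.com"}

# Illustrative substitutions scammers use; a real table is much longer.
SINGLE_CHAR_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
})


def registrable_domain(host):
    """Last two labels of the host. Simplification: real tools use the
    Public Suffix List so that shop.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label):
    """Undo the common visual tricks (rn for m, vv for w, digits for letters,
    Cyrillic for Latin) before comparing names."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(SINGLE_CHAR_HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance; one keystroke away from a brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_shop_url(url, known=KNOWN_RETAILERS):
    """Return warnings for a shop URL; an empty list means a known shop over HTTPS."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("no HTTPS: card details would travel in the clear")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host name: what you see may not be Latin letters")
    dom = registrable_domain(host)
    if dom in known:
        return warnings
    brand, _, tld = dom.partition(".")
    nb = normalise(brand)
    for k in known:
        kb, _, ktld = k.partition(".")
        if nb == kb:
            if brand != kb:
                warnings.append(f"{dom}: homoglyph lookalike of {k}")
            else:
                warnings.append(f"{dom}: {kb} on a different TLD (.{tld} instead of .{ktld})")
        elif levenshtein(nb, kb) <= 1:
            warnings.append(f"{dom}: one keystroke away from {k} (typosquat)")
        elif kb in nb:
            warnings.append(f"{dom}: brand {kb} embedded in an unrelated domain")
    if not warnings:
        warnings.append(f"{dom}: unknown shop, not on your list; verify it independently")
    return warnings


if __name__ == "__main__":
    for u in ("https://www.amazon.com/deals", "http://amaz0n.com/", "https://walrnart.com/",
              "https://amazn.com/", "https://amazon.shop/", "https://amazon-blackfriday-deals.xyz/",
              "https://xn--amazn-abc.com/", "https://smallshop.example/"):
        print(u, vet_shop_url(u))
```

The edit-distance rule is deliberately loose and will produce false positives on very short brand names (anything one letter away from “nike”); that is the right trade-off for a warning you then check by hand, not for automatic blocking.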
2. Vendors aggressively pushing own apps
In every conceivable universe, “no” means no; the same goes for apps. If I don’t want to download your app, that’s the end of the story. Lesson learned: if a website keeps insisting that you download its Android or iOS app, treat that as a red flag rather than a convenience. Not only can a bogus app steal your credentials, the app itself could be engineered to run malicious code on your device. How do you prevent that? Not downloading it in the first place helps; if you did take that step, you can get a good idea of whether it’s real or fake by reviewing the app’s permissions. If a shopping app requests permissions out of all proportion to what a shop needs (camera, microphone, contacts list, external and internal storage), there’s an accident waiting to happen.
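As an added example, not part of the original post: if the app is already on your phone, its permission list can be reviewed mechanically. The Python script below reads a decoded AndroidManifest.xml (the text form that apktool writes out when it unpacks an APK) and sorts the requested permissions into what a storefront can plausibly justify, what is outright dangerous for a shop to hold, and the rest. It goes one step beyond the list in the text by also flagging SMS access and a declared accessibility service, since those are what lets a malicious app read your bank’s one-time codes or drive other apps for you. Both manifests and the package names are constructed for the demo; the “expected” set is an assumption you should tune to the app’s actual features.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest of a hypothetical "deal finder" app; not a real package.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dealfinder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Deal Finder">
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest of a shop app that asks only for what it plausibly needs.
PLAIN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.plainshop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Plain Shop"/>
</manifest>
"""

# What a storefront can justify (assumption; CAMERA alone is fine for barcode scanning).
EXPECTED_FOR_SHOP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
    "android.permission.ACCESS_COARSE_LOCATION",  # store locator
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions that let an app read your 2FA codes, record you, overlay fake screens or install more code.
HIGH_RISK = {
    "android.permission.READ_SMS": "can read one-time passcodes your bank texts you",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, including 2FA codes",
    "android.permission.RECORD_AUDIO": "can record through the microphone",
    "android.permission.READ_CONTACTS": "can harvest your contact list",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw fake login screens over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages once you trusted it",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an accessibility service, the classic banking-trojan hook",
}


def requested_permissions(manifest_xml):
    """Every <uses-permission android:name=...> plus the permission any declared
    <service> binds with (accessibility services show up there, not in uses-permission)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    perms.discard(None)
    return perms


def review_permissions(manifest_xml):
    """Split the app's permissions into high-risk / unexplained and give a verdict."""
    perms = requested_permissions(manifest_xml)
    high_risk = {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK}
    unexplained = sorted(perms - EXPECTED_FOR_SHOP - set(HIGH_RISK))
    if high_risk:
        verdict = "do not install: permissions a shop has no business holding"
    elif unexplained:
        verdict = "ask why before installing"
    else:
        verdict = "permissions proportionate to a shop app"
    return {"high_risk": high_risk, "unexplained": unexplained, "verdict": verdict}


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("plain", PLAIN_MANIFEST)):
        result = review_permissions(xml)
        print(name, "->", result["verdict"])
        for perm, why in result["high_risk"].items():
            print("  ", perm, "-", why)
        print("   unexplained:", result["unexplained"])
```

On the constructed “deal finder” manifest the script lists seven high-risk permissions and one unexplained one (storage) and says not to install; the plain shop manifest passes. Storage access is left in the “ask why” bucket on purpose: a shop may want it for saving receipts, and the text’s own advice is to judge permissions by proportion, not by presence.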
3. Double-check the prices
The best way to avoid being scammed by a bogus website flaunting outrageous discounts is to compare its prices with those of major retailers. Sure, some of them run pretty steep discounts, but not on everything, and not at 90% off. So, if a website lists products at outrageously low prices, it’s obviously a trap. Steer clear and purchase only from legit vendors.
4. “What do we say to the God of bait-and-switch?”
The correct answer is: “not today!” It doesn’t matter whether you do your Black Friday shopping online or in a brick-and-mortar store: if someone tries to offer you a “similar” product instead of the one you came for, kindly say “no” and move on. Chances are you’ll find the item you were looking for in another shop.
5. Refrain from clicking on every link you find online
Yes, I know this isn’t the first time I’ve said this, but I’ll keep saying it because, despite everyone saying that random link-clicking is bad, Internet users still don’t listen. So, if you come across a link you weren’t expecting, whether in an email, text message, or IM, the best thing to do is close the chat window, send the message to the junk folder, and forget about it. Believe me when I say that your PC or smartphone will thank you from the bottom of their motherboards.
6. Keep track of your orders
Want to avoid being scammed by spoofed messages? Easily done – just keep track of the stuff you’ve ordered. There are plenty of ways to do that; virtually every e-merchant supports online order tracking. Okay, it may not be the best way to eyeball your package, but at least it gives you an idea of what’s going on. It’s also a good idea to check with the shipping company. Most major retailers outsource delivery, and the companies making deliveries on their behalf have their own tracking platforms, accessible with the tracking number or credentials you were given. So, if you receive an email or SMS about a failed delivery or a re-confirmation request, ignore the link, open your account by typing the address yourself, and then inquire with the delivery company.
Black Friday is here to stay. Watch out for spammy messages, track your orders, and don’t be afraid to use the junk folder if an email looks fishy. As always, comments, rants, and beer donations are more than welcome. Safe shopping!
The post Black Friday Scams 101: How to Recognize Them and Stay Safe appeared first on Heimdal Security Blog.