Wednesday, December 10, 2014

'Tis The Season To Be Wary

Holiday Scamming:

This is perhaps the time of the year when the greatest amount of shipping occurs. Quite possibly it's also when the greatest amount of shopping goes on, too. Christmas, Hanukkah, and other holidays get celebrated, and gifts are purchased for these. This is in addition to the online shopping that happens year-round. Unfortunately, with the convenience of online shopping come the predators. To help you out now, and for the future, I'll be pointing out a few of the common - and new - tactics, how to tell real from fake, and things you can do to protect yourself from becoming a victim.

Sorry, we missed you:

What it is: Perhaps the most common bulk message sent out is the "We Missed You For Delivery" email. The alleged sender of this email is often claimed to be UPS, USPS, DHL, FedEx, or some other delivery company. "Dear customer, we tried to deliver a package to you...." or words to that effect, will be the message they send. In fact, they will often have company logos in their email to make things look legit. You're asked to print out a file, listed as "invoice" or such, that comes attached to the message, and bring it to your local office to pick up the package that they "could not deliver". However, opening the attachment will open up an executable file (.exe), which will do naughty things to your nice computer.

How to know it's fake: There are a few telltale signs that a message like this is bogus:
  • It contains spelling and grammar errors. If you notice, these messages will often have incorrect grammar, spelling errors, wrong word choices, etc. A multi-billion dollar company like FedEx at least has a spell-check for their form letters.
  • It is addressed to "Dear Customer" or some such generic salutation. This is an easy one, as it allows the criminal to send out an email message to millions of people, so that even a <0.1% rate of opening the bad file will be a significant number. If a multi-billion dollar firm had to contact you, they would do it by name, except in mass advertising.
  • There are multiple people in the recipient field. If you see that a message is addressed to you and a bunch of other addresses, some of which you probably don't know, this is an indication that it is not legitimate. Multi-billion dollar shipping firms don't mass mail missed delivery messages. On the same note, why would the same "ticket" be usable by all those individuals?
  • The sender information is incorrect. This may be difficult for some folks to tell. Sometimes you can hover the mouse above the email and see the actual address; sometimes it's in the parentheses next to the "name". Anyhow, for this particular type of email, it will often come from a disposable free email site, or be a forgery.
  • Delivery services will leave a note at your door/mailbox about a missed delivery attempt.  
  • Speaking of deliveries, the delivery service is only that.  Your vendor does not provide them with your contact information.   So, if you order a movie from Amazon, and UPS delivers it, UPS is only given the package, not your contact information (except for the address).   
  • Information inside is incorrect (such as mentioning Thanksgiving approaching during December).   
  • You haven't ordered anything recently.
What to do: Generally, the best practice in these cases is to not open these. Unless you have a pre-existing relationship with one of the delivery services, these email messages "from" them will just about always be malicious. The best thing to do is to report it as spam, and delete it. Opening the attachment exposes your computer to malicious code. (Apple & Linux fans, you may be statistically less likely to be vulnerable to these, but you're not immune, as recent events have shown.)

If you've been a victim: The best thing to do is to make sure your anti-virus and anti-malware software is up-to-date and running. This should catch the executable from the start, or nip it.

There are questionable charges on your account:
 
What it is: This generally takes the form of an email purporting to be from your financial institution. They claim that there have been strange activities on your account recently, or unauthorized charges, and that verifying your information will prevent your account from being closed, suspended, frozen, etc.
How to tell it's fake:  The telltales for this being not legitimate are similar to the previous example's:

  • Spelling and grammar errors in the message - legitimate companies aren't this sloppy.
  • Addressed to "Dear Customer" or similar. Your true financial institution would address you by name in the event.
  • It arrives from a financial institution to which you do not belong. If you don't have a Citi account, then it seems unlikely that they would contact you about an account. While identity theft/fraud is a possibility, it is not as likely in these circumstances.
  • The sender field is incorrect (see above).
  • It's addressed to multiple addresses - logic and privacy would suggest that such confidential matters would be communicated directly, and not in bulk.
  • The link provided does not match who they claim to be. For instance, a message claiming to be from PayPal, with a link that goes to "paypal.[gibberish].biz/verify", is taking you to a non-affiliated site.
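
The Python below is an added example, not part of the original post: it checks a raw message for several of the telltales listed here and in the missed-delivery section (sender mismatch, multiple recipients, executable attachment, generic salutation, link mismatch). The brand table, extension list, function names and sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumptions for this example: a tiny brand -> real domain map and extension list.
BRAND_DOMAINS = {"paypal": "paypal.com", "fedex": "fedex.com", "target": "target.com"}
RISKY_EXT = (".exe", ".scr", ".pif")
GENERIC = re.compile(r"\bdear\s+(customer|client|user|member)\b", re.I)

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "PayPal Service" <notice@freemail.example>
To: a@example.org, b@example.org, c@example.org

Dear Customer,
Verify at http://paypal.account-check.example/verify to avoid suspension.
"""

def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def telltales(raw):
    """Return the list of warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    signs, body = [], ""
    name, addr = parseaddr(msg.get("From", ""))
    brand = next((b for b in BRAND_DOMAINS if b in name.lower()), None)
    if brand and not belongs_to(addr.rpartition("@")[2], BRAND_DOMAINS[brand]):
        signs.append("sender-mismatch")
    if len(getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))) > 1:
        signs.append("multiple-recipients")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            signs.append("executable-attachment")
        elif not fname and part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if GENERIC.search(body):
        signs.append("generic-salutation")
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    if brand and any(not belongs_to(h, BRAND_DOMAINS[brand]) for h in hosts):
        signs.append("link-mismatch")
    return signs

if __name__ == "__main__":
    print(telltales(SAMPLE))
```

The link check compares the end of the hostname, so a brand name placed at the front of an unrelated domain still counts as a mismatch.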
 
What it does: Clicking on the link in these email messages will take you to a site that looks like whatever the email claimed. In fact, some of these outfits may have [address].com/cit, /hsbc, /discover, /chase, etc. and run multiple phishing emails. This page may be as simple as a login page (username/password), where clicking "submit" will store your information on their server and forward you to the site you thought you were at (possibly logged in), granting the criminals access to your account. Other forms ask for much greater amounts of information (account number, security questions, debit number, PIN, etc.). These often get shut down pretty quickly, but the damage can be done pretty fast.
 
What to do: Much like the Missed Delivery email, this one can be deleted. While your financial institution may communicate with you electronically, its messages will come from a legitimate company address (not a free email address), address you by name, and not attempt to have you log in to a service. Also, it's a very good idea to manually access your financial institution's site, rather than following a link.
 
What if you've been a victim: In this event, it's best to contact your financial institution at once.   It doesn't take long for an account to be emptied, or purchases to be made.   Changing passwords may be helpful, as well.   Further, you can contact your local police, 
 
We have your order:
Today, I saw one of these messages.   This one alleged to come from "Target.com" (the true address was something different, and unrelated):

As Thanksgiving nears we want to advise you that our online shop has an order addressed to you. You may pick it in any store of Target.com closest to you within four days.

Please, open the link for full order information.

Always yours,
Target.com

Because the link had already been disabled, it was impossible to tell whether it was going to attempt to install malicious code over a browser, attempt to trick a victim into a fake login page, or something else.

How to tell it's fake: There are some similar and simple methods for identifying a bogus email of this nature:

  • It is from a store that you either don't frequent, or from which you don't shop online.
  • It is addressed generically (Dear Customer). A genuine order would have your name, and while maybe not having all the order details, at least an order number.
  • Addressed to multiple individuals.  Do that many people actually share the same invoice number?
  • Speaking of invoice numbers, one will likely be missing from one of these email messages.
  • Spelling or grammar issues on the page/email.
  • The sender field does not match (see above)
  • Logos are wrong (In this particular email, the "Target" logo was square)

What to do: Much like other examples, your best move is to mark it / report it as spam, and delete it. This is especially true for a company from which you haven't ordered.

If you've been a victim:   For this, it's best to contact your financial institution at once, and your local law enforcement for filing a report.  


In conclusion, online shopping can be a very convenient, safe and time-saving thing. Billions of orders have gone through over the past twenty-odd years. In addition, financial institutions have been working online for years as well, offering safe and convenient services. That there are some criminals out there who would profit at your expense does not condemn online shopping/finance as a whole. However, one should always be wary when something seems "off" (mentioning an order or shipment you're unaware of, or an account you don't own, for instance). Remember to watch out for the telltale signs, and there's less of a chance of you becoming the victim of one of these scams.
