“Your package has been delivered to the local UPS office,” says the email with the UPS logo in the banner. All you have to do is click a link to print a shipping invoice and go pick up your package – even though you don’t remember what you ordered (but you do a lot of online shopping, so it could be anything).
Chances are you’ll get one of these email messages this holiday season. Clicking that link will indeed get you a package – a virus downloaded to your computer, a worm that hijacks your address book or one that installs a keystroke logging software that lets identity thieves see everything you type. Phishing emails like this will entrap thousands of consumers in the weeks ahead.
UPS is hardly alone among shippers as a decoy in these criminal schemes; similar ploys have targeted FedEx and the U.S. Postal Service.
Fifty-three million customer email addresses were stolen in April when Home Depot suffered a data breach – and more consumers are likely to be targeted this holiday season. The number of addresses stolen from Home Depot alone represents more than one in five U.S. adults. Similar cyber-heists at Target (up to 70 million customer emails lost), eBay (up to 145 million), and the Post Office (number unknown) mean it’s a safe bet your email addresses are already in the hands of criminals. More than 650 such data breaches have happened this year, according to the Identity Theft Resource Center.
Think you’re too smart to get fooled? Think again: A study this month by Google found that on average, about one in seven people who click on fraudulent links and end up on fake web pages willingly share their personal information when asked. In the most successful scams, almost half the people who click through give up their private data.
Half the battle in not getting tricked is knowing the enemy. In addition to fake shipping notices, here are other email frauds to beware of this time of year:
One: Bogus fundraising appeals
Heart-rending messages purportedly from the senior leaders of well-known charities are common during these weeks, notes PhishMe, a security awareness education service. Trouble is, clicking the embedded link to donate will put you in need of help yourself.
Two: Fake holiday travel offers
Cyber-criminals have long used the names of legitimate air carriers to offer purported discounts and great travel deals to warm-weather destinations, notes IT security company Trend Micro. Downloading the attachment to claim your discount will get you nowhere fast.
Three: Sham shopping discounts
These invite you to click a link to save incredible amounts on your holiday shopping, says PhishMe. Trying to claim those discounts by clicking through will cost you a bundle.
Four: Pretend year-in-review invitations
Who doesn’t want to read about the best of 2014? These invite you to click a link to read about what stood out this year, says digital security company McAfee. Clicking to read more certainly will make your year memorable, though not in a good way.
Five: Scam holiday party announcements
“It’s been another great year for our company, so we’d like to celebrate in style this holiday season!” goes one phishing email targeting corporate employees collected by PhishMe. The RSVP requires clicking a link—which invites cyber thieves onto the target’s hard drive.
Six: Phony order confirmations
These appear to come from online vendor giants like Amazon or eBay. To find out what you ordered, you click a link and enter your Amazon username, password, and payment information. What you’ve actually bought is lasting trouble.
Seven: Made-up holiday e-cards
A friend has sent you a e-holiday greeting—you need to click a link to view it. But the sender is anything but a friend, notes e-card company American Greetings.
Essentially you’re better off viewing almost everything arriving in your inbox as guilty until proven innocent – and that means following some best practices.
First, don’t click links embedded in e-mails unless you’re sure of the sender. Instead, go to the organization’s website to respond to the message. That said, legitimate e-cards can be tough to distinguish because companies such as American Greetings do ask recipients to click a link to pick up e-cards. But they usually also offer another option, such as manually entering a link into your web browser and putting in a code to retrieve your card. Take the extra step – it’s worth it.
If you’re really tempted to click through, though, hover your mouse over the link first. An alt-tag should appear with the address where clicking will take you. Still not sure about the sender’s legitimacy? Plug its website address into a reputation monitoring site like Sender Score or Sender Base.
Second, avoid attachments. Open or download them only if you know the sender personally, and have your antivirus program scan them before they’re put onto your machine, advises the FBI. Don’t assume that popular document formats like .pdf (Adobe Acrobat), .xlsx (Microsoft Excel), or .doc (Microsoft Word) are safe – scammers are commonly using them today, notes website host GoDaddy.
Third, look for cyber criminals’ calling cards. You’ll often see claims of how a “great deal will end soon” or you’ll lose an ability to use a service “unless you act now.” The scammers use a sense of urgency to get you to take action without thinking, says the FBI.
Plus, scammers don’t use copyeditors. They often give themselves away with misspellings and awkward language uses.
Finally, check your credit card and financial statements frequently. If someone does steal your data, it well may show up in bogus purchases. The quicker you know it, the sooner you’ll stop them.
Top Reads from The Fiscal Times: