How Online Shopping is Feeding a Phishing Frenzy

Shutterstock / William Potter

COVID-19 lockdowns, working from home and the run-up to the holiday season have resulted in an unprecedented increase in online shopping and a perfect opportunity for phishing attacks.

Thanks to COVID-19 and lockdowns, 2020 has become the best year ever for online shopping. We already loved shopping online – no crowds, no travel, no hassle – but this year convenience was overtaken by practicality as the main benefit. Living in lockdown and going through periods of self-isolation, with no non-essential purchases and many stores closed due to staffing issues, online shopping has become a lifeline for many.

Amazon has reported their third quarter sales was $ 96.15 billion, an increase of 37%. It is predict income from $ 112 billion to $ 121 billion for the fourth quarter. As the holiday season approaches, online sales will once again explode. Amazon reports that holiday shopping is already underway in November.

Of course, online shopping isn’t limited to Amazon, but it’s a useful yardstick for illustrating trends. Many consumers are still too afraid to shop in stores. They are alarmed at the thought of the crowds, they don’t believe social distancing guidelines will be followed, and they suspect that many will not wear masks. It’s so much easier to shop at home.

If you are one of those who does not work from home, you can order online and have your goods delivered to your workplace. If you are not there to sign it, one of your colleagues will sign it and take care of your delivery for you.

This is the only downside to shopping online. The delivery.

Delivery anxiety

At some point, the millions and millions of online purchases must leave the digital worlds and materialize in the physical world. This only happens when your order arrives. Waiting for a delivery can be stressful. Especially if it is a large delivery. It may not be because the item is expensive, it may just be that you are relying on the item being delivered to you on time so that you can package it and give it to the recipient on the day of. his birthday, your birthday or another building. deadline.

It is easy to have creeping discomfort when waiting for a delivery. Is it going to be late? Was it delivered to the wrong address or was there an error and it hasn’t even been shipped yet? Has there been a delay due to the clearance of payments?

And that’s where our opportunistic and seasonal threat actors come in. With millions of online sales, there are millions of deliveries. That’s a lot of people who wouldn’t be too surprised to receive an email regarding their delivery. So the threat actors take advantage of that expectation and send as many people as possible an email that is a wolf in sheep’s clothing.

Phishing emails

Phishing emails are fraudulent emails that appear to have been sent by a recognized or trusted entity such as a bank, business, or online payment platform. The most sophisticated attacks take a lot of effort to create an email that looks and feels the same as an authentic email. They want it to have the right tone, the right livery, and to be convincing. They want the recipient to think the email is genuine and click on a link or open an attachment.

The link leads to a bogus website that will attempt to harvest login information or infect your computer with malware. If there is an attachment, it will contain malware, usually in the form of a small dropper or downloader. This will install in the background and then download the biggest and most damaging malware, possibly a Remote Access Trojan (RAT) or one of the many ransomware threats.

Threat actors react to trends very quickly. They can re-skin an existing scam and put it in this season’s colors in no time. The easiest way to disguise them is to make them look like they came from a courier because they know there are millions of people waiting for a delivery. They can also appear to be from a payment service like PayPal and pretend there is something wrong with your payment. But not everyone uses PayPal. And if it doesn’t, you know right away that it is a scam. But if you wait for a delivery, you know a courier will be involved.

Taking advantage of the phenomenon of widespread delivery anxiety, threat actors hope that the average recipient will see an email regarding their delivery, heave a mental sigh of “Oh no!”, Then click on the link or open the attachment. without stopping to verify – or even consider – that the email might not be genuine. And so the delivery anxiety prevails over the base cyber hygiene.

Phishing is associated with smishing, which is phishing by SMS. Since text messages are short and concise medium, there is no need to consider the look and feel of the message. A message looks like an SMS it doesn’t matter who sends it. Threat actors don’t have to worry about finding the right font, logo, voice, and tone. And the low character limit means shortened URLs are the norm in text messages, so they don’t raise suspicion.

RELATED: PSA: Watch out for this new SMS parcel delivery scam

Everyone is a target

Using email addresses pulled from huge databases containing the hacked personal data that can be found on the Dark Web, threat actors can send their fake emails to millions of recipients. You are not distinguished. You are a target simply because your data has been included in a data breach at some point in the past. This is not sniping. This is the blind machine gun looking to see who has been hit.

You can easily check if your email has been exposed due to a data breach. the have i been pwned The website collects all data breaches and puts them into a searchable online database of over 10 billion records. If your email address is in the database, you will be notified of the company or website where the breach occurred. You can then change your password on this site or close your account.

However, there’s not much you can do about your email address. Once it’s there, it’s there. And it will likely be swept away as part of the ammunition a threat actor is feeding into their phishing campaign software.

The same principle is true with cell phone numbers. Data breaches that leak personal data often include cell phone details. These are then used as target numbers for automated SMS software used by threat actors.

RELATED: How to check if staff emails are data breach

Why organizations should be wary

There is a blur between the digital life at home of people and the digital life of their business. People bring their own devices such as cell phones to their workplace and connect to Wi-Fi. They shop online from home, but often choose to have it delivered to their workplace, if it is. where they will be during the day.

This means that if a phishing email masquerading as an email from a courier drops into their work inbox, they won’t be surprised. Their interest in the delivery will likely outweigh the awareness training of their staff on how to spot a phishing email.

They can receive the phishing email on their cell phone and forward it to their work mailbox so they can print or process it on a big screen and with a real keyboard. They can use their corporate computer to access their personal webmail at lunchtime. No matter which route a phishing email takes to reach a person’s inbox or company computer, your organization’s network is at risk of being infected and compromised. .

How to spot attacks

These actions will allow you to protect your staff and your network from phishing and smishing attacks.

  • Are you really expecting a delivery? Can you already account for everything you have ordered?
  • Check the sender’s email address carefully. Does it own the domain you expect? Otherwise, beware. Often there can be a single letter difference. There are a few well-known examples of this. One seemed to say “”, but the initial “m” was replaced by two letters “r” and “n”. At a glance, “rn” looks like “m”. The second example was “” with the lowercase “l” to one, replaced by a capital “I” always. In some fonts they look exactly the same. So take a close look at each letter of the email address. Don’t look at it and don’t read it.
  • Treat links as potential pitfalls. Hover your mouse pointer over them and check the tooltip to see where they are trying to take you. You can make the link text say whatever you want. That’s not to say that’s where the link actually points. If in doubt, do not use the link. Search the web and navigate to the site manually.
  • Despite their best efforts, threat actors can still make grammar and spelling mistakes. Genuine emails do not contain these kinds of errors, especially when they come from automated systems. If it sounds wrong, it’s wrong.
  • Does the graphics and livery look professional, or does it feel like someone used copy and paste to drop the images, and doesn’t quite match the version of white in the background?
  • No credible organization will ask you for passwords, account details, or other sensitive information.
  • Keep in mind that the data breaches that threat actors use as a source of email addresses and cell phone numbers also contain other personal data. This makes it easy to use your name in the text of the email or SMS. Just because it mentions you by name, it doesn’t indicate that the email or text is genuine. You should always be suspicious and exercise caution.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.