Most people love the holiday season. That includes cybercriminals, who see it as an ideal time to make money. Thanks to the pandemic, people are doing more of their holiday activities online.
Hackers, scammers, and other online criminals expect to make a killing — but we don’t have to make things easy for them. There’s a lot we can do to defeat cybersecurity threats and make this a bad year for the bad guys.
This article will help you defend yourself as we identify the major threats you’ll face this year and how to defeat them. The most likely holiday cybersecurity threats for 2020 include:
- Account takeover fraud
- Non-delivery of orders
- Shipping notification scams
- Charity donation scams
- Formjacking of legitimate sites
Here’s a quick rundown on each of them.
1. Account Takeover fraud
Credit card fraud is so last year. Account Takeover (ATO) fraud is the big new threat. According to Threatpost.com, ATO attacks cost consumers and retailers almost $17 billion in losses in 2019.
The goal of an ATO attack is to get access to at least one of your accounts. Once they get into your account, the attacker will mine it for everything of value. Finding your credit card information is always nice.
But the real target is your personal information. With that, all sorts of mayhem is possible. They can commit identity theft, destroying your finances and wrecking your reputation. They can also use the information from this account to break into your other accounts.
Imagine some creep logging in to all your online accounts. Impersonating you on social media. Draining your bank accounts. Not good.
Here’s how to reduce the damage an ATO attack can do to your life:
- Use different login credentials (user name and password) on every account, and keep everything secure with a good password manager. This makes it difficult for the creeps to get into your other accounts after hacking the first one.
- Don’t store your credit card info or other personal data on your favorite store’s website. Why leave your data right there for an attacker to find?
- Use 2FA. I’ll tell you more about this later on.
2. Non-delivery of orders
When you order something from a major retailer like Amazon or Target, you can expect it to arrive and the site security to be locked down. But ordering from an obscure site without verification can come with the risk of being billed for a product that never gets sent to you.
Such scam sites have offers that are too good to be true. They may also demand that you pay for your order using a gift card, rather than a credit or debit card. Either of these is a big red flag.
According to the FTC (Federal Trade Commission), “Anyone who contacts you and demands that you pay them with a gift card, for any reason, is always a scammer.”
The only real defense against this is to shop at the big name, reputable online retailers.
3. Shipping notification scams
Expect lots of emails about problems shipping a package you supposedly ordered. The email will look real enough, but it will be a trap. Click a link in the message and you are in trouble. You will either end up someplace unpleasant or receive a malvertising attack.
Here’s how to see if there is a problem with an order you placed:
- Go to the website of the shipping company or the vendor.
- Once there, check the status of your order, or contact customer service for help.
4. Charity donation scams
Cybercriminals try to take advantage of people’s generosity this time of year. They send out phony emails requesting donations to well-known charities.
As with shipping notification scams, the goal is to get you to click a link in the email. Doing so can expose you to numerous attacks, while also exposing your personal and financial data.
If you want to donate to a charity, ignore the email and go directly to the charity’s official website.
5. Formjacking of legitimate sites
Formjacking is an emerging cybersecurity threat that is pretty tough to defeat. It happens when bad guys inject malicious JavaScript code into a legitimate website.
The code gets added to the order page of the site and sends your personal information to the hackers. Minor things like your name, address, and credit card number. Stuff you definitely don’t want some random creep using or selling on the dark web.
You can’t install a defense against formjacking. But you may be able to dodge the attacks. The websites of large retailers are likely to be better defended than those of mom and pop shops. Again buying from major online retailers is the best way to stay safe.
General holiday cyber security tips
Those were specific defenses for specific attacks. Here are more general ways to protect yourself against cybersecurity threats.
Install defenses
Our #1 goal is always to avoid a cyber attack, but that is getting harder by the day. It is wise to have certain defenses installed and active on your computer just in case. Here’s what we recommend:
- Antimalware – Antimalware can detect, block, and sometimes remove all sorts of nasty code that cybercrooks want to install on your computer.
- Firewall – A firewall can prevent unauthorized messages traveling to and from your computer.
- VPN – A VPN (Virtual Private Network) hides your actual location and prevents online snoops from tracking what you do online. Some, like NordVPN, have strong built-in antimalware capabilities. This lets them do double duty in your defense.
Use different passwords (and a password manager too)
To be safe online, you must use a different password for each website and account. But remembering more than a handful of different passwords is hard. That’s why you need a quality password manager. One option I like is Bitwarden, a reliable, free, open-source product with excellent security.
If you want even more options, here’s an analysis of the best password managers.
Enable 2FA wherever possible
2FA (Two-Factor Authentication) boosts your security by requiring a second-factor to log into an account. The second factor is usually an app on your smartphone. The most commonly-used 2FA app is Google Authenticator:
The key thing to know is that with 2FA, someone who steals your password still won’t be able to log into your account. Only you will be able to do so, since only you have access to the second factor. Use 2FA whenever possible.
Conclusion: You can defeat holiday cyber security threats
This holiday season’s cybersecurity threats are worse than ever before. But now you know how to defeat the ones you are most likely to run into.
Put these defenses to work today and enjoy a safer online holiday season.
I apologize for my off topic question, but my issue has been driving me bonkers for a while and now I have had enough.
I use Google News frequently to get news items. I would like to see where exactly I am going but those ridiculously long URLS can’t be exposed where they actually go. I tried various URL revealers and cleaners and none of them can crack those Google URLS.
I’m hoping someone here might know or offer suggestions? Thanks
Sorry for the delay on answering. I was waiting to see how an update would come out, and I am not disappointed.
If you use Brave, they have unveiled Brave Today. I have been playing with it four a little.
They Will be adding more resources online plus adding a way to add your own sources.
This will solve two things:
1) no more doubts about where Google sends you.
2) You start to leave the Google conglomerate.
https://brave.com/brave-today/
9009LE’s not worse & not better than a??le , m$, and all the other giants together with their supply chains. there may be differences in howdo’s , but generally they are all doing what they have been told to do, which is to gather as many data from consumers as possible and integrate easier access to data systems for gov agencies, often the services offered to customers can be used to spy on them without their knowledge or consent. kind of a phishing operation.
generally, customers are selves their gratest enemies because they support or just willingtly ignore what govs agencies are doing to them, kind of a “resistance is futile” attitude because of fear to peak up the legal fight collectively, a very divided consumer society controlled by minority-report psychos, paid by the Money Masters .
Google is killer of privacy and security that is the most down range of search security , because its a fake and lier majolar , spying and snooping from the customers and so is one of best partners of the spying services .
Best cheers
Good luck .
Good info, Bill, but one comment…
Google? Really?
I know 2FA apps don’t phone home, supposedly, but do you trust them?
I use Aegis, which is open source and independent.
We can look into Aegis, but have not yet tested it.
@Sven,
Sounds good. I just am very much anti-Google and skip it as much as I can.
Thanks a lot!