Amid the mad dash for bargains and inevitable stories of shop-floor brawls, Black Friday brings with it a spike in cyber security threats, as cyber criminals take advantage of people desperate for bargains.
In this blog, we look at some of the scams you should look out for and what you can do to protect yourself.
Why Black Friday is primetime for cyber crime
Many people in the UK will know ‘Black Friday’ as the last Friday before Christmas, which was ‘black’ because of the number of people who got blackout drunk and needed police or ambulance intervention.
But in the US, Black Friday refers to the discounts that retailers offer the day after Thanksgiving – and thanks to the rise in online shopping (which will be even more prominent this year with COVID-19), it has become a global custom.
A Finder report estimates that UK customers are set to spend £6 billion over the course of the Black Friday weekend, with the average consumer forking out £296.
You can see why this is a perfect opportunity for scammers; we’re busy spending money freely, making dozens of purchases and in a hurry to bag the best deal available.
It’s inevitable that someone will visit a dodgy website in pursuit of a bargain or click a phishing email because they thought it was about an online order they’d made.
How are the criminals catching us out? Here are three common scams:
1. Bogus order confirmation emails
Picture the scene: you’re hunched over your laptop scouring through deals, when you receive an email from Amazon confirming a purchase you’ve made.
The email doesn’t say what you’ve bought, but it does contain a link to where you can look at the order details.
This is a classic case of phishing, in which criminals send malicious emails that appear to be from trusted senders.
If you click the link, one of two things will happen. You might be directed to a bogus site that looks like Amazon’s login page but is controlled by the criminal hackers. When you enter your email and password, you’re handing your information to them.
Alternatively, you’ll download a Word document that asks you to ‘Enable Content’; if you do, it will unleash malware on your systems.
Enabling macros is almost always a huge no-no, and Word may well warn you about the dangers of doing this if you try to give the document permission.
Fortunately, you can simply close the Word document without taking any further action, and you should be safe.
If the scam directs you to a bogus copy of Amazon’s website, things are a lot more complicated. Scammers do a very good job of replicating sites, and in your eagerness to find out what’s going on with your order, it’s easy to blindly follow the page’s instructions.
The only way to protect yourself is to make a habit of looking for signs of bogus websites – like URLs that look slightly off (annazon.co.uk, with two ‘n’s, for example) and those that don’t have a lock symbol on the left side of the address bar.
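The ‘slightly off’ URL check described above can also be automated. The following is an added example, not part of the original blog, that compares a link’s hostname with an allow-list of shops; the TRUSTED list, the CONFUSABLES table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short allow-list of shops the user really uses (constructed).
TRUSTED = ("amazon.co.uk", "amazon.com")

# Character sequences that read like another letter at a glance.
CONFUSABLES = (("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(host: str) -> str:
    """Fold visually confusable sequences so lookalikes collapse together."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    # Exact match, or a genuine subdomain of a trusted site.
    if host in TRUSTED or host.endswith(tuple("." + t for t in TRUSTED)):
        return "trusted"
    for good in TRUSTED:
        # Trusted name used as a prefix of someone else's domain.
        if host.startswith(good + "."):
            return f"lookalike of {good}"
        # Same shape after folding confusables, or only a typo or two away.
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= 2:
            return f"lookalike of {good}"
    return "unknown"
```

The padlock is deliberately not part of this check: it only shows that the connection is encrypted, and a bogus site can display one too.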
2. Exploiting public Wi-Fi
You’re walking through your supermarket and you see a 60-inch television on sale. It seems like a good deal, but you want to check that it isn’t available cheaper online.
Luckily the shop has free Wi-Fi, so you take out your phone and, wouldn’t you know, Amazon has the same TV on sale with a further 10% off, but time is running out on the deal.
What do you do?
You definitely shouldn’t buy the TV online there and then. As a rule, it’s never advisable to buy things online using public Wi-Fi, because you can’t be sure that the connection is secure.
It doesn’t matter whether you have to enter a password or log in, as any network that’s set up for the public can be abused.
This kind of abuse is known as a man-in-the-middle attack, which works by exploiting a flaw in the network to intercept traffic going to and from victims’ devices.
When you use public Wi-Fi to buy something online, there’s always a chance that a cyber criminal is monitoring your activity and logging your payment card details.
If you want to do online shopping while out and about, you’d be much better off using mobile data. It’s not 100% secure, but it’s much harder to tamper with than public Wi-Fi.
3. Instant messaging scams
An acquaintance sends you a WhatsApp message with a link to an online sale.
This is about as transparent an example of a scam as you’re likely to see, as your contacts presumably don’t make a habit of spamming you with marketing offers.
However, it’s reasonable to believe that Black Friday might be the exception, as there are a ton of deals online, and it’s nice to know that someone’s thinking of you when they discover a bargain.
But don’t be fooled – any unsolicited instant message containing a link should be viewed cautiously.
In this case, scammers begin by creating a fake website that mimics the layout and URL of a legitimate online retailer.
They then hijack instant messaging accounts by phishing their owners or sending them keylogging malware.
From here, the scam looks a lot like the Amazon phishing scam that we described earlier. You click the link, which causes your computer to download a file containing malware.
These types of scams are becoming more common as an alternative to traditional phishing scams. They require more work to pull off but bypass the main stumbling blocks for phishing emails – i.e. spam filters and the possibility that the recipient doesn’t use the service that’s being impersonated.
To understand the threat of instant message scams, you must realise that they exploit the inherent trust between contacts and the ‘instant’ aspect of the interaction.
People are far more inclined to click a link straight away when it appears to be part of an ongoing conversation, rather than when it’s sent as an email, which can be opened at any time.
The trick to staying secure is to remember that bogus links can be sent on any communication platform. Make a habit of viewing links with caution and keeping an eye out for anything that seems too good to be true.
A version of this blog was originally published on 27 November 2019.