Amid the mad dash for bargains and inevitable stories of shop-floor brawls, Black Friday brings with it a spike in cyber security threats – and it’s easy to see why.
Despite being an American import, Black Friday is hugely popular in the UK. According to the price comparison site Finder, Brits are set to spend £4.8 billion between Black Friday and Cyber Monday, with the average consumer forking out £275.
With so many of us spending money freely and hurriedly trying to bag the best deal available, it’s inevitable that someone will visit a dodgy website or click a phishing email because they thought it was about an online order they’d made.
To help you avoid falling for one of these tricks, we’ve outlined three of the most common scams you might run into this Black Friday.
1. Bogus order confirmation emails
Picture the scene: you’re hunched over your laptop scouring through deals, when you receive an email from Amazon confirming a purchase you’ve made.
The email doesn’t say what you’ve bought, but it does contain a link to where you can look at the order details.
This is a classic case of phishing, in which criminals send malicious emails that appear to be from trusted senders.
If you click the link, one of two things will happen. You might be directed to a bogus site that looks like Amazon’s login page but is controlled by the criminal hackers. When you enter your email and password, you’re handing your information to them.
Alternatively, you’ll download a Word document that asks you to ‘Enable Content’, which will unleash malware on your systems.
Enabling macros is almost always a huge no-no, and Word may well warn you about the dangers of doing this if you try to give the document permission.
Fortunately, you can simply close the Word document without taking any further action, and you should be safe.
If the link instead takes you to a fake copy of Amazon’s website, things are a lot more complicated. Scammers do a very good job of replicating sites, and in your eagerness to find out what’s going on with your order, it’s easy to blindly follow the page’s instructions.
The only way to protect yourself is to make a habit of looking for the signs of a bogus website – such as URLs that look slightly off (annazon.co.uk, with two ‘n’s in place of the ‘m’, for example) and pages that don’t show a lock symbol on the left side of the address bar.
2. Exploiting public Wi-Fi
You’re walking through your supermarket and you see a 60-inch television on sale. It seems like a good deal, but you want to check that it isn’t available cheaper online.
Luckily the shop has free Wi-Fi, so you take out your phone and, wouldn’t you know, Amazon has the same TV on sale with a further 10% off, but time is running out on the deal.
What do you do?
You definitely shouldn’t buy the TV online there and then. As a rule, it’s never advisable to buy things online using public Wi-Fi, because you can’t be sure that the connection is secure.
It doesn’t matter whether you have to enter a password or log in, as any network that’s set up for the public can be abused.
Attacks of this kind are known as man-in-the-middle attacks: the attacker uses a weakness in the network to sit between your device and the sites you visit, intercepting the traffic flowing in both directions.
When you use public Wi-Fi to buy something online, there’s always a chance that a cyber criminal is monitoring your activity and logging your payment card details.
If you want to do online shopping while out and about, you’d be much better off using mobile data. It’s not 100% secure, but it’s much harder to tamper with than public Wi-Fi.
3. Instant messaging scams
An acquaintance sends you a WhatsApp message with a link to an online sale.
This is about as transparent an example of a scam as you’re likely to see, as your contacts presumably don’t make a habit of spamming you with marketing offers.
However, it’s reasonable to believe that Black Friday might be the exception, as there are a ton of deals online, and it’s nice to know that someone’s thinking of you when they discover a bargain.
But don’t be fooled – any unsolicited instant message containing a link should be viewed cautiously.
In this case, scammers begin by creating a fake website that mimics the layout and URL of a legitimate online retailer.
They then hijack instant messaging accounts by phishing their owners or sending them keylogging malware.
From here, the scam looks a lot like the Amazon phishing scam that we described earlier. You click the link, which causes your computer to download a file containing malware.
These types of scams are becoming more common as an alternative to traditional phishing scams. They require more work to pull off but bypass the main stumbling blocks for phishing emails – i.e. spam filters and the possibility that the recipient doesn’t use the service that’s being impersonated.
To understand the threat of instant message scams, you must realise that they exploit the inherent trust between contacts and the ‘instant’ aspect of the interaction.
People are far more inclined to click a link straight away when it appears to be part of an ongoing conversation, rather than when it’s sent as an email, which can be opened at any time.
The trick to staying secure is to remember that bogus links can be sent on any communication platform. Make a habit of viewing links with caution and keeping an eye out for anything that seems too good to be true.
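The lookalike-URL habit described in the Amazon phishing section and repeated here for instant-message links can be turned into a simple check. The following is an added example, not code from the original post; the allow-list of retailers, the confusable-character table and the cut-down public-suffix handling are all constructed assumptions. Note that the padlock only proves the connection is encrypted, so the scheme check is treated as a secondary signal rather than proof that a site is genuine.

```python
from urllib.parse import urlparse

# Constructed allow-list of the retailers the reader genuinely uses (assumption).
TRUSTED_DOMAINS = {"amazon.co.uk", "amazon.com"}
TRUSTED_BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Character runs that look alike at a glance; the 'nn' for 'm' swap is the
# annazon.co.uk trick from the text. Longer patterns are listed first.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

# Two-label public suffixes handled by the simplified parser below (assumption;
# a real deployment would consult the full Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'amazon.co.uk.evil.com' -> 'evil.com'."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Map visually similar character runs onto the letters they imitate."""
    for lookalike, target in CONFUSABLES:
        label = label.replace(lookalike, target)
    return label


def classify_url(url: str) -> str:
    """Return 'trusted', 'no-tls', 'lookalike' or 'unknown' for a link."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        # Encrypted transport is expected on a genuine site, but https alone
        # does not prove authenticity: phishing sites can have padlocks too.
        return "trusted" if parsed.scheme == "https" else "no-tls"
    # A trusted brand name appearing in any label of an untrusted domain,
    # after folding confusables and splitting on hyphens, marks a lookalike.
    for label in host.split("."):
        for piece in fold_confusables(label).split("-"):
            if piece in TRUSTED_BRANDS:
                return "lookalike"
    return "unknown"
```

Feeding each link from a suspicious email or chat message through `classify_url` flags the annazon.co.uk style of domain, brand names buried in a subdomain, and hyphenated variants such as amazon-deals, while genuinely unrelated sites come back as unknown rather than trusted.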
Can you spot a scam?
Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.
This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.
A version of this blog was originally published on 27 November 2019.