Amid the mad dash for bargains and inevitable stories of shop-floor brawls, Black Friday brings with it a spike in cyber security threats – and it’s easy to see why.
Despite being an American import, Black Friday is hugely popular in the UK. According to the price comparison site Finder, Brits are set to spend £3.95 billion between Black Friday and Cyber Monday, with the average consumer forking out £189.
With so many of us spending money freely and hurriedly trying to bag the best deal available, it’s inevitable that someone will visit a dodgy website or click a phishing email because they thought it was about an online order they’d made.
As Ross Martin, head of digital safety at Barclays, says: “Whilst Black Friday is a great way for Britons to save money ahead of the Christmas season, it is important to stay vigilant when making purchases.
“This year more than ever, people will be looking for the best bargains, which could lead them right into the hands of scammers, who will be advertising false offers to lure victims in.
“Just remember to ignore any pressure that is being put on you, and if a deal seems too good to be true, it probably is.”
To help you avoid falling for one of these tricks, we’ve outlined three of the most common scams you might run into this Black Friday.
Bogus British Airways offer
The frequent flyer and loyalty points website Head for Points is warning holidaymakers about fraudulent WhatsApp messages claiming that users can get free British Airways tickets.
The bogus messages invite recipients to follow a link to complete an online quiz. In reality, the site is designed to capture and steal people’s personal data.
Head for Points says that “there are elements” of the scam that look real, including the modest nature of the giveaway.
“What [is] realistic is the prize. Offer 5,000 first class flights to Sydney and no one is going to believe you. Offer 5,000 economy flights to Europe over the quiet Winter period and it sounds perfectly reasonable,” the website observes.
However, it adds that there are signs that point to the bogus nature of the messages. Like many scams, the poor grammar is a clue that something isn’t right. Head for Points notes that the message uses “2” instead of “two”, it uses the clunky “Do you know British Airways?”, and addresses users with “Greetings”, which is uncommon for native speakers.
Yet, many people are eager to claim a bargain and are enticed by the prospect of a holiday at Christmastime. Making matters worse, the scam has been able to spread rapidly as ‘winners’ are requested to forward the message to twenty people in order to validate their prize.
This gives the scam an infinitely wider reach than if the crooks were relying on phone numbers they have available to them – presumably obtained in a data breach and/or purchased on the dark web.
Commenting on the scam, NordVPN’s UK country manager, Bob Brinklow, said: “With less than two weeks to go until the day itself, the BA Golden Ticket fraud has broken cloud cover to become the first high-profile Black Friday scam of the year.
“This scam […] is a prime example of how criminal gangs will be trying to exploit the cost-of-living crisis by dangling irresistible offers in front of hard-up Britons.
“It also trades on users’ familiarity, not only with BA as a brand, but also with the pop-up quizzes that have become a feature of many web pages, particularly news websites.
“As a result, people surfing the web may not think twice before clicking on the attached link and then including some personal – and valuable – details as part of their ‘competition entry’.”
Brinklow urges people to treat these offers with caution and to avoid clicking on links unless it’s clear where they are being redirected to.
“If you find yourself on an unfamiliar web page, don’t fill in any personal details unless you know that you’re dealing with a secure site,” he added.
1. Bogus order confirmation emails
Picture the scene: you’re hunched over your laptop scouring through deals, when you receive an email from Amazon confirming a purchase you’ve made.
The email doesn’t say what you’ve bought, but it does contain a link to where you can look at the order details.
This is a classic case of phishing, in which criminals send malicious emails that appear to be from trusted senders.
If you click the link, one of two things will happen. You might be directed to a bogus site that looks like Amazon’s login page but is controlled by the criminal hackers. When you enter your email and password, you’re handing your information to them.
Alternatively, you’ll download a Word document that asks you to ‘Enable Content’, which will unleash malware on your systems.
Enabling macros is almost always a huge no-no, and Word may well warn you about the dangers of doing this if you try to give the document permission.
Fortunately, you can simply close the Word document without taking any further action, and you should be safe.
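The ‘Enable Content’ prompt exists because the attachment carries VBA macros, and modern Word files (.docx/.docm) are zip packages in which those macros live in a part called vbaProject.bin. As an added illustration that is not part of the original post, the following Python checks an attachment for that part before anyone opens it, which is the kind of check a mail gateway or a cautious user can run offline. The function names, the sample documents and the placeholder VBA bytes are all constructed for this example; the samples are document-shaped zips, not real Word files.

```python
import io
import zipfile

# Inside an Office Open XML package the VBA project is stored under this name
# (e.g. word/vbaProject.bin, xl/vbaProject.bin).
MACRO_PART_SUFFIX = "vbaproject.bin"
OOXML_MAGIC = b"PK\x03\x04"  # zip local-file-header signature


def office_macro_status(data: bytes) -> str:
    """Return 'macros', 'clean' or 'unknown' for an attachment's raw bytes.

    Only zip-based Office files are inspected. Legacy binary .doc/.xls files are
    OLE2 containers rather than zips, so they are reported as 'unknown' instead
    of being silently treated as safe.
    """
    if not data.startswith(OOXML_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
            if any(n.endswith(MACRO_PART_SUFFIX) for n in names):
                return "macros"
            # Also honour the package's own declaration: a macro-enabled main
            # part advertises a 'macroEnabled' content type.
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            if "macroenabled" in content_types or "vbaproject" in content_types:
                return "macros"
            return "clean"
    except (zipfile.BadZipFile, KeyError):
        # Corrupt zip or no [Content_Types].xml: not a well-formed Office package.
        return "unknown"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal document-shaped zip for demonstration (hypothetical data)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    )
    if with_macro:
        content_types += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA storage (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA storage")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("order_details.docm", build_sample(True)),
                          ("order_details.docx", build_sample(False))):
        print(f"{label}: {office_macro_status(sample)}")
```

A result of ‘macros’ for an unexpected ‘order confirmation’ is exactly the case the article describes: close it rather than enabling anything. Treat ‘unknown’ as a reason to look more closely, not as a pass.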
If the scam instead directs you to a site posing as Amazon’s, things are a lot more complicated. Scammers do a very good job of replicating sites, and in your eagerness to find out what’s going on with your order, it’s easy to blindly follow the page’s instructions.
The only way to protect yourself is to make a habit of looking for signs of bogus websites – like URLs that look slightly off (annazon.co.uk, with two ‘n’s for example) and those that don’t have a lock symbol on the left side of the address bar.
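Checking a URL by eye is error-prone, and the padlock on its own only shows that the connection is encrypted, not that the site belongs to the retailer. As an added example that is not part of the original post, the following Python compares the host in a link against a short allow-list of shops the reader actually uses and flags near-miss spellings such as the ‘annazon.co.uk’ case above. It goes a little beyond the article by also catching ‘rn’-for-‘m’ style substitutions and trusted names buried inside an unrelated domain. The allow-list, the confusable-character table and all sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains this reader genuinely shops with (assumption).
TRUSTED_DOMAINS = {"amazon.co.uk", "amazon.com", "britishairways.com"}

# Character sequences that pass for another at a glance (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Maximum edit distance at which a host is still treated as a near-miss of a trusted one.
LOOKALIKE_DISTANCE = 2


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url  # bare hosts pasted from a message
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalise(host: str) -> str:
    """Collapse look-alike sequences so that arnazon -> amazon, g00gle -> google."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted' (on the allow-list), 'lookalike' (resembles one) or 'unrelated'."""
    host = host_of(url)
    if not host:
        return "unrelated"
    for trusted in TRUSTED_DOMAINS:
        # The real domain, or a genuine subdomain of it (smile.amazon.co.uk).
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Trusted name used as a decoy label: amazon.co.uk.verify-order.example
        if trusted in host or brand in host:
            return "lookalike"
        # Confusable characters or a spelling within a couple of edits.
        if normalise(host) == trusted or edit_distance(host, trusted) <= LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://www.amazon.co.uk/your-orders",
                   "http://annazon.co.uk/login",
                   "arnazon.co.uk",
                   "https://amazon.co.uk.verify-order.example/"):
        print(f"{sample}: {classify(sample)}")
```

Anything reported as ‘lookalike’ deserves a manual check, and the allow-list approach deliberately errs on the side of suspicion: a legitimate shop the reader has never added is flagged rather than waved through.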
2. Exploiting public Wi-Fi
You’re walking through your supermarket and you see a 60-inch television on sale. It seems like a good deal, but you want to check that it isn’t available cheaper online.
Luckily the shop has free Wi-Fi, so you take out your phone and, wouldn’t you know, Amazon has the same TV on sale with a further 10% off, but time is running out on the deal.
What do you do?
You definitely shouldn’t buy the TV online there and then. As a rule, it’s never advisable to buy things online using public Wi-Fi, because you can’t be sure that the connection is secure.
It doesn’t matter whether you have to enter a password or log in, as any network that’s set up for the public can be abused.
Attacks of this kind are known as man-in-the-middle attacks: the attacker uses a weakness in the network to sit between your device and the sites you visit, intercepting traffic going to and from it.
When you use public Wi-Fi to buy something online, there’s always a chance that a cyber criminal is monitoring your activity and logging your payment card details.
If you want to do online shopping while out and about, you’d be much better off using mobile data. It’s not 100% secure, but it’s much harder to tamper with than public Wi-Fi.
3. Instant messaging scams
An acquaintance sends you a WhatsApp message with a link to an online sale.
This is about as transparent an example of a scam as you’re likely to see, as your contacts presumably don’t make a habit of spamming you with marketing offers.
However, it’s reasonable to believe that Black Friday might be the exception, as there are a ton of deals online, and it’s nice to know that someone’s thinking of you when they discover a bargain.
But don’t be fooled – any unsolicited instant message containing a link should be viewed cautiously.
In this case, scammers begin by creating a fake website that mimics the layout and URL of a legitimate online retailer.
They then hijack instant messaging accounts by phishing their owners or sending them keylogging malware.
From here, the scam looks a lot like the Amazon phishing scam that we described earlier. You click the link, which causes your computer to download a file containing malware.
These types of scams are becoming more common as an alternative to traditional phishing scams. They require more work to pull off but bypass the main stumbling blocks for phishing emails – i.e. spam filters and the possibility that the recipient doesn’t use the service that’s being impersonated.
To understand the threat of instant message scams, you must realise that they exploit the inherent trust between contacts and the ‘instant’ aspect of the interaction.
People are far more inclined to click a link straight away when it appears to be part of an ongoing conversation, rather than when it’s sent as an email, which can be opened at any time.
The trick to staying secure is to remember that bogus links can be sent on any communication platform. Make a habit of viewing links with caution and keeping an eye out for anything that seems too good to be true.
Can you spot a scam?
Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.
This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.
A version of this blog was originally published on 27 November 2019.