’Tis the Season for Online Shopping Scams


Learn how to recognize common attacks and shop safer this holiday season

The biggest online shopping days of the year are almost here, but hidden amidst the Black Friday and Cyber Monday deals are cybercriminals hoping to make a profit. Cyber Monday was the busiest online shopping day of 2021 with $10.7B in sales [1], and this year it is expected to reach a record $11.2B [2].

The massive amount of spending during the holidays attracts scammers hoping to take advantage of the shopping frenzy. Let’s look at some of the most prevalent holiday shopping threats and how to avoid them.

Fraudulent websites hope to trick consumers

Zscaler’s ThreatLabZ observed a spike in new domain registrations related to Thanksgiving, Cyber Monday, and Black Friday in 2021 [3]. F5 Labs also saw the number of unique fraudulent domains jump 157% last November compared to the rest of 2021 [4]. These fraudulent websites can be used to steal payment information from unsuspecting consumers by posing as legitimate storefronts offering tempting deals.

Skimmer groups have also been infecting legitimate websites with malicious code. These sites either steal payment information when a consumer enters their details at checkout or redirect the user to a malicious site.

Avoid these scams by sticking to reputable retailers. It’s great to support small businesses, but take steps to ensure they’re legitimate:

  • Do they use HTTPS/secure connections?
  • Is the URL correct or is it a similar, spoofed one?
  • How old is the domain name? (Check this easily using Whois Domain Lookup)
  • Is a deal too good to be true?
  • Are there retailer reviews?
  • Can you verify their contact information, such as a physical address and phone number?

If you notice something suspicious, like an unexpected redirect, don’t give the site any information. Even completely legitimate retailer sites can be compromised, and retailers need to be vigilant about their website and application security.
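The URL checks in the list above (HTTPS, a spoofed or look-alike URL, domain age) can also be scripted. The following Python is an added example, not part of the original article; the trusted-domain list, the 180-day age threshold and the sample URLs are constructed assumptions, and the creation date is passed in as if it had been read from a WHOIS record.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed list of retailer domains the shopper already trusts (assumption).
KNOWN_RETAILERS = ("example-shop.com", "usps.com")
MIN_DOMAIN_AGE_DAYS = 180  # assumed threshold; the article gives no number


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_store_url(url, created, today):
    """Return warning strings for a storefront URL.

    created: domain creation date read from a WHOIS record, or None if unknown.
    """
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # Simplification: treat the last two labels as the registered domain
    # (wrong for suffixes such as .co.uk; use a public-suffix list in practice).
    domain = ".".join(host.split(".")[-2:])
    if parts.scheme != "https":
        warnings.append("no-https")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-hostname")  # may hide look-alike characters
    if domain not in KNOWN_RETAILERS:
        for known in KNOWN_RETAILERS:
            if edit_distance(domain, known) <= 2:
                warnings.append(f"lookalike-of:{known}")
            elif f".{known}." in f".{host}.":
                warnings.append(f"brand-in-subdomain:{known}")
    if created is None:
        warnings.append("domain-age-unknown")
    elif (today - created).days < MIN_DOMAIN_AGE_DAYS:
        warnings.append("new-domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a one-character swap on a trusted name, registered 19 days ago.
    print(vet_store_url("http://examp1e-shop.com/cyber-monday", date(2022, 11, 1), date(2022, 11, 20)))
```

An empty list means none of these three checks fired; it does not cover the other items in the list, such as reviews or contact details.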

Smishing is the new (and riskier) phishing

Holiday-themed scam text messages (“smishing”) nearly doubled in 2021 over 2020 [5]. Much like a phishing email, these text messages pretend to be from a known retailer or shipping company or are vague enough to make you think it’s a company you’ve done business with. However, while people are becoming wise to phishing emails, smishing isn’t as well known.

According to Proofpoint research, even businesses are falling victim to smishing attacks, with 81% of U.S. companies getting hit. Text messages have a 98% open rate and 8x the click-through rate of email [6], making them an attractive and successful attack vector.

Frequently, these text messages will include a URL asking for information to correct a payment or shipping issue. And when people have been busy ordering items from a variety of retailers, they may not think twice about whether the message is legitimate.

To avoid getting smished this holiday season:

  • Don’t respond to unsolicited text messages—it lets scammers know the number is in use
  • If you receive a text message with a link, don’t click it. Instead, go to the retailer website or app to see if there’s really an issue
  • Forward spam or smishing messages to 7726 (SPAM)
  • Sign up for online tracking notifications through known carriers, such as USPS Informed Delivery, to let you know when packages are on their way—which can also help you avoid becoming a victim of holiday package theft

Online retailers are also under attack

While many holiday shopping scams target consumers, retailers themselves are at risk. F5 Labs found that phishing attacks against online retailers experienced a 200% spike in November 2021, with Amazon as the top target [7]. Ransomware is also a huge threat, as missing out on any part of Cyber Week could put a huge dent in the quarter’s sales.

Retailers should expect to see the same types of attacks they experience year-round, such as account takeover or bot scraping. However, in November and December, attackers are counting on people being distracted and missing things they would normally catch.

It’s a great reminder to stay vigilant in our work and personal lives. A little healthy skepticism can protect you from attackers and extra stress this holiday season. Shop safely!

  1. TechCrunch, Cyber Week online spending down 1.4% to $33.9 billion as U.S. consumers shopped earlier this year, November 2021
  2. BusinessWire, Adobe Forecasts $209.7 Billion Holiday Season Online (U.S.); Cyber Monday to Top $11 Billion, October 2022
  3. Zscaler, Black Friday Shoppers Once Again Scrooged By Cyber Attacks, December 2021
  4. F5 Labs, Holiday Phishing Trends for 2021, December 2021
  5. Proofpoint, Holiday Shopping-Themed Mobile Attacks Increase Dramatically, November 2021
  6. Ibid.
  7. F5 Labs, Holiday Phishing Trends for 2021, December 2021