How to Spot Retail Scams | Black Friday Scams (2020) | Tessian
Hackers take advantage of Black Friday and holiday shopping every year. Learn which retailers they impersonate and how to avoid #scams.
New research from Tessian found that 75% of the top 100 US retailers are at risk of having their domains impersonated by phishers and scammers, a concerning discovery as a busier-than-normal online holiday shopping season approaches.
US consumers have already spent almost $22B online this year (20% more than in 2019) as shoppers avoid stores and move their purchases online due to Covid-19. This creates a ripe opportunity for cybercriminals, especially considering that the majority of top retailers do not have an enforcing DMARC policy in place. A DMARC record, published as a TXT record at _dmarc.<domain>, tells receiving mail servers what to do with messages that fail SPF and DKIM alignment checks for that domain; without a policy of quarantine or reject, a hacker can put one of these domains in the From address of a phishing campaign and most receivers will still deliver it, tricking people into thinking they’re opening an email from a trusted and legitimate source about a new deal, receipt or order / delivery update.
- 75% of the top 100 US retailers do not have any DMARC record in place.
- A further 9% have published a DMARC record, but with a monitor-only policy (p=none), so receiving servers are not told to “quarantine” or “reject” emails from unauthorized senders using their domains.
- Just 16% of the top 100 retailers have configured a DMARC policy of quarantine or reject, which is what actually prevents abuse of the domain by scammers and phishers.
- In general, department and retail stores were less likely than grocery outlets and restaurants to have protection against spoofing of their domain in place (65% versus 35% respectively lacking it). Given that department stores will be popular destinations for holiday shoppers, consumers should be wary of messages supposedly sent by these brands.
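To make the three buckets above concrete, here is an added example (written for this page, not Tessian’s research code) that classifies `_dmarc` TXT records into no record, monitor-only and enforcing. It also handles two cases a receiving server actually deals with under RFC 7489: a record with no usable `p=` tag (treated as `p=none` if it at least has a `rua=` reporting address, otherwise ignored), a `pct=` below 100 (policy applied only to a fraction of failing mail), and more than one record at the name (all discarded). Every domain name and record below is constructed for illustration.

```python
"""Classify a domain's DMARC posture into the survey's buckets.

Added example for this page, not Tessian's code. The domains and TXT records
are constructed; a real check would resolve the TXT record at _dmarc.<domain>.
"""

# Constructed _dmarc.<domain> TXT records (a list per domain, as DNS returns them).
SAMPLE_RECORDS = {
    "no-record.example": [],
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "quarantine.example": ["v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s"],
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:agg@reject.example"],
    # pct below 100: only that percentage of failing mail gets the policy applied
    "partial.example": ["v=DMARC1; p=reject; pct=10"],
    # missing the mandatory p= tag but has a rua= address (RFC 7489 s6.6.3: act as p=none)
    "broken.example": ["v=DMARC1; rua=mailto:x@broken.example"],
    # an SPF record published where DMARC was expected: not a DMARC record at all
    "spf-only.example": ["v=spf1 include:_spf.example -all"],
}


def parse_dmarc(txt: str):
    """Split one TXT record into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # "v=DMARC1" must be the first tag of a valid record
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def classify(txt_records) -> str:
    """Return 'no_record', 'monitor_only', 'partial' or 'enforcing' for a domain."""
    dmarc = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if not dmarc:
        return "no_record"
    if len(dmarc) > 1:
        return "no_record"  # multiple records: receivers discard all of them
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        # no valid p= tag: treated as p=none only when a reporting URI is present
        return "monitor_only" if "rua" in tags else "no_record"
    if policy == "none":
        return "monitor_only"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    return "enforcing"


def summarize(records_by_domain) -> dict:
    """Count domains per bucket, the way the survey above reports percentages."""
    counts = {}
    for records in records_by_domain.values():
        bucket = classify(records)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify(records)}")
    print(summarize(SAMPLE_RECORDS))
```

To check a real retailer, resolve the record yourself (for example `dig +short TXT _dmarc.example.com`, with the domain substituted) and pass the returned strings to `classify()`. Note that `p=quarantine; pct=10` or a `p=reject` record on the organizational domain with `sp=none` for subdomains still leaves plenty of room for spoofing; the bucket is a starting point, not a verdict.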
According to Tim Sadler, CEO and co-founder of Tessian, “The popular holiday shopping period – along with mega deal days like Black Friday and Cyber Monday – create the optimal environment for hackers’ phishing attempts. Consumers are expecting to receive more marketing and advertising emails from retailers touting their deals, along with email updates about orders and notifications about deliveries. Inboxes are noisier-than-usual and this makes it easier for cybercriminals to ‘hide’ their malicious messages and prey on unsuspecting victims.
“Phishing scams are even more convincing when the email looks like it has come from a trusted brand. This is why it’s concerning that so many top retailers do not have the security protocols in place to protect their domain from being impersonated by cybercriminals. To help their customers – and employees – avoid falling for the scams at this time of year, retailers must ensure they’ve taken the steps to protect their domain from being spoofed and people must be educated on what to look out for.”
Tessian shares the following tips for consumers to avoid falling victim to retail phishing scams at this time:
- Verify deals: If you’ve received a deal that looks too-good-to-be-true, visit the retailer’s website and official social media channels to cross-check that the deal has been mentioned elsewhere before clicking any links in the email to find out more.
- Cross-check sender details: The display name of an email can be set to anything by the sender, so check that it agrees with the actual email address. If the display name shows one brand or address and the address behind it belongs to an unrelated domain, treat the message as suspect. On a mobile device, tap the display name to reveal the underlying email address.
- Question the ask: Consider whether you would normally be asked to share this kind of personal or financial information. If you’re unsure, verify the request with the retailer directly.
- Look at the domain in the URL bar, not just the padlock: The padlock only means the connection to the site is encrypted and the certificate matches the domain shown. It says nothing about who runs the site, and phishing pages routinely have valid certificates. Check that the domain name is the retailer’s real one, and be wary if a page you’ve been led to has no padlock at all.
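The “cross-check sender details” tip can be mechanised for the one part of it a program can judge. The following added example (not from Tessian) parses a From: header, extracts any domain or address that the display name claims, and compares it with the domain of the real address. The sample headers are constructed; a display name that is just a brand word, with no domain in it, cannot be checked this way and still needs a human look at the address.

```python
"""Check whether a From: header's display name agrees with its real address.

Added example for this page, not Tessian's code. Sample headers are constructed.
"""
import re
from email.utils import parseaddr

# A domain, optionally preceded by a local part, appearing inside the display
# name, e.g. 'orders@amazon.com' or 'Amazon.com' used as the visible sender.
_CLAIMED = re.compile(r"(?:[\w.+-]+@)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def sender_domain(addr: str) -> str:
    """Lowercased domain part of an addr-spec, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def inspect_from(header: str) -> dict:
    """Parse a From: header and flag a display name that claims another domain."""
    name, addr = parseaddr(header)
    actual = sender_domain(addr)
    claimed = {m.group(1).lower() for m in _CLAIMED.finditer(name)}

    if not actual:
        verdict = "unparseable"   # no address at all: treat as suspicious
    elif not claimed:
        verdict = "no-claim"      # plain name like 'Best Buy': judge the address by eye
    elif any(actual == c or actual.endswith("." + c) for c in claimed):
        verdict = "consistent"    # address is in (or a subdomain of) the claimed domain
    else:
        verdict = "mismatch"      # display name says one domain, address is another

    return {
        "display_name": name,
        "address": addr,
        "actual_domain": actual,
        "claimed_domains": sorted(claimed),
        "verdict": verdict,
    }


# Constructed headers showing the patterns seen in holiday-shopping phishing.
SAMPLE_HEADERS = [
    '"Amazon.com" <ship-confirm@amazon.com>',
    '"orders@amazon.com" <track-9913@parcel-update.example>',
    'Best Buy <deals@bestbuy.com>',
    'Target Order Status <noreply@target-holiday-deals.example>',
]


def screen(headers=SAMPLE_HEADERS) -> list:
    """Return (header, verdict) pairs for a batch of From: headers."""
    return [(h, inspect_from(h)["verdict"]) for h in headers]


if __name__ == "__main__":
    for header, verdict in screen():
        print(f"{verdict:12} {header}")
```

The second sample is the classic trick: the visible name is a complete, legitimate-looking address, and only the real addr-spec in angle brackets gives the game away. The fourth sample shows the limit of the check: nothing in “Target Order Status” names a domain, so the code can only report the actual domain and leave the lookalike judgement to the reader.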