From Tim Sadler, CEO and co-founder of email security firm Tessian:
Online shopping is booming this holiday season, and it’s a big opportunity for cybercriminals. Why? Because hackers can take advantage of noisier-than-usual inboxes – crowded with deals, shipping updates and delivery notifications – to hack humans via phishing attacks. When a hacker convincingly impersonates a trusted retailer or logistics firm, shoppers may unwittingly download a malicious attachment or click a link that leads them to a fake website. Given that 75% of the top 100 retailers in the US have not properly protected their email domain against phishing, spoofing or fraud, it’s actually quite easy for hackers to impersonate a retailer and trick people into thinking they’ve received a legitimate email.
But it’s not just consumers they’re targeting; retail staff also need to be aware of the threats in their inboxes. Hackers cash in on the people-heavy nature of the retail industry by using social engineering techniques or by impersonating someone in an employee’s trusted network, such as a customer, vendor, supplier or colleague. If the sender’s display name and email address look like the real thing, why would a busy, distracted and stressed employee question its legitimacy?
This holiday season, we need to protect people from phishing scams. Here are four simple checks you, your employees, colleagues, friends and family can do to avoid falling victim:
- Check #1: Check the sender and email address. Scammers often take advantage of the fact that, on mobile, email only shows a display name so they can send a message from an unknown email address but change the display name to “Amazon” to make it look legitimate. Click the display name to reveal the email address.
- Check #2: Check for spelling or grammar mistakes. Legitimate messages from large companies will rarely have errors.
- Check #3: Cross-check whether the ‘too-good-to-be-true’ deal also appears on the retailer’s website and official social media channels.
- Check #4: Ask yourself whether you were expecting this email and whether the request makes sense. If you receive an email or text that has an associated action or a sense of urgency or deadline, it’s most likely a scam.
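Two of the four checks above can be automated on the message itself: Check #1 (does the display name match the domain the mail really comes from?) and Check #4 (does the text push a deadline?). The script below is an added example, not code from Tessian or from the article, and it makes some assumptions of its own: the brand-to-domain table, the list of urgency phrases and the three sample messages are all constructed for illustration, and the lookalike handling (mapping digits such as 0 and 1 back to letters) is a simple heuristic rather than a complete confusable-character check. Checks #2 and #3 still need a human eye or an external lookup, so they are left to the reader.

```python
from email.utils import parseaddr

# Constructed for this example: the domains each brand really sends from.
# A real deployment would maintain its own list; these are assumptions.
BRAND_DOMAINS = {
    "amazon": ("amazon.com", "amazon.co.uk"),
    "fedex": ("fedex.com",),
    "dhl": ("dhl.com",),
}

# Constructed list of phrases that signal urgency or a deadline (Check #4).
URGENCY_PHRASES = (
    "act now", "immediately", "within 24 hours", "final notice",
    "account suspended", "verify your account", "confirm your payment",
)

# Digits commonly swapped for letters in lookalike domains (amaz0n, paypa1).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_from_header(from_header):
    """Separate the display name from the real address (Check #1).

    Mobile clients often show only the display name; parseaddr gives both.
    Returns (display_name, address, domain), all lower-cased except the name.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), addr.lower(), domain


def domain_belongs_to(domain, legit_domains):
    """True when domain is one of the brand's domains or a subdomain of one.

    'amazon.com.evil.example' does NOT end with '.amazon.com', so it fails.
    """
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def impersonated_brand(name, domain):
    """Return the brand a sender pretends to be, or None if consistent.

    Looks for a brand name in the display name or the domain (with digits
    mapped back to letters) and reports it when the address is not actually
    under that brand's real domains.
    """
    haystack = (name + " " + domain).lower().translate(CONFUSABLES)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and not domain_belongs_to(domain, legit):
            return brand
    return None


def urgency_hits(text):
    """Phrases in the text that push the reader to act under a deadline."""
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def triage(from_header, subject, body):
    """Run the automatable checks (#1 and #4) and return findings."""
    name, addr, domain = split_from_header(from_header)
    findings = []
    brand = impersonated_brand(name, domain)
    if brand:
        findings.append(
            f"check1: looks like '{brand}' but the address is {addr}")
    hits = urgency_hits(subject + " " + body)
    if hits:
        findings.append("check4: urgency language: " + ", ".join(hits))
    return {"address": addr, "domain": domain, "brand": brand,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample messages; the attacker domains are illustrative.
    samples = [
        ('"Amazon" <deals@amaz0n-offers.example>',
         "Your order is on hold",
         "Verify your account within 24 hours or it will be cancelled."),
        ('"Amazon.com" <ship-confirm@amazon.com>',
         "Your package has shipped",
         "Track your package from Your Orders."),
        ('FedEx Delivery <notice@fedex.com.track-now.example>',
         "Delivery attempt failed",
         "Act now to reschedule."),
    ]
    for sample in samples:
        print(triage(*sample))
```

The third sample shows why the suffix test in domain_belongs_to matters: the address begins with fedex.com, which is exactly what a hurried reader sees on a phone, but the registrable domain is track-now.example. A mismatch from this script is a prompt to apply Checks #2 and #3 by hand, not a final verdict.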