It happens every year. The minute the smell of turkey starts escaping ovens, retailers start announcing their deals, discounts, and door-busters. Cards, catalogs, and coupons fill up our physical mailboxes. And electronic advertisements pummel us from our inboxes, social media feeds, and every site we visit. Deals are flying around everywhere. Gifts are exchanged among friends, family, and coworkers. People are buying lots of crap, both online and in brick-and-mortar stores.
The month leading up to Christmas is a veritable feeding frenzy for retailers and shoppers alike.
It’s also a first-class, grade-A, prime-time opportunity for hackers, criminals, and other unsavory specimens to pick your pocket, hack your accounts, and otherwise ruin your holiday.
I get lots of spam email. I occasionally tweak my spam settings to cut down on it, but some of it always seems to break through the filters and reach my inbox. Most of this stuff is easy to spot. Emails from Nigerian princes who wish to leave their fortunes to you are obviously fake. So are the ones from financial institutions that you don’t deal with. But others are tricky. They look legitimate at first glance because they appear to come from people you know (that’s easy to fake) or they’re spoofing some company that you do deal with (like a bank or credit card company).
Over the last few weeks, though, I’ve noticed an increase in a couple other tactics. Tactics that are a little more alluring than the age-old Nigerian prince.
First, I’ve seen an increase in the “Click here for a deal” approach. Evildoers everywhere know Americans are throwing money around like crazy. Hell, every year there’s a story about shoppers getting trampled trying to get that $5 toaster they don’t need. Lots of retailers offer incentives for spending money ($10 Kohl’s Cash for every $100 you spend, buy this tent and get a $20 gift card, you know the drill). I got an email this week inviting me to click a link to get a $50 Amazon reward.
This email is targeting the holiday feeding frenzy crowd. If you’ve been scouring the Internet for sales, signing up at all the deals sites, and submitting your email address to every retailer web site hoping for a coupon, then this email was meant for YOU. How many people said, “WOW, $50 at Amazon…what a deal!” and clicked that link? I bet thousands did. I don’t know what’s at the other end of that link.
- Could be malware that records your keystrokes, hijacks your camera, or steals your files.
- Could be a fake site that has you log in so they can steal your Amazon credentials and go on a shopping spree.
- Could be a porn site.
The second tactic I’ve seen a lot lately (last few months, especially) is an attempt to prey on your fears of being hacked. I’ve gotten several emails telling me various accounts have been locked or reset due to “suspicious activity.” They list some fake data to try and look legitimate, then give instructions to click a link to reset the account/restore the password/change the password/etc. If you follow the link you’re sure to find malware, data mining, or porn, just like the other email.
The vermin who author these emails hope to capitalize on fear, greed, carelessness, and distraction. And believe it or not, it works. It works very well. Thousands of people fall for these tricks every year. The good news, though, is that you don’t have to be one of them. The trick is in practicing safe Internet-browsing habits. I’m going to provide two lists: tips for spotting fake emails, and safe email handling instructions.
How to Spot Fake Emails
Although some emails are trickier than others, most of them have multiple tell-tale signs that they’re not legitimate:
- Poor formatting (look at the line breaks in the Amazon email)
- Poor spelling/grammar
- It’s often not clear where it came from (in the Amazon email, there is no indication whatsoever of what retailer/organization is sending the offer)
- They often address you by email address instead of by name (or don’t include a name at all, like in the Facebook email)
- They are often in plain text (most legitimate company emails will have some HTML/graphic content in order to look authentic)
- They often tell you to click a link. Typically, there is bad stuff at the other end of those links.
- If there’s no link to click, there might be an attachment they tell you to open. DO NO SUCH THING. Just delete the whole email.
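The machine-checkable signs from the list above, sketched as a triage function over a raw message; this is an added example, not part of the original post, and it does not try to judge formatting or spelling. The sample message, its addresses, and the scare-wording pattern are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://\S+", re.I)
# Assumed wording for the "account locked/reset" lure described in this post.
LURE_RE = re.compile(r"suspicious activity|account (has been )?(locked|reset)", re.I)

# Constructed sample, modelled on the "$50 reward" email described above.
SAMPLE = """\
From: promo@deals.example
To: pat@example.com
Subject: Your reward

Dear pat@example.com,
Click here for your $50 reward: http://rewards.example/claim
"""

def phishing_signs(raw):
    """Return the tell-tale signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    signs = []
    # No display name on From: nothing says which organization sent it.
    name, _ = parseaddr(msg.get("From", ""))
    if not name:
        signs.append("sender not identified")
    # No text/html part anywhere in the message.
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    if not any(p.get_content_type() == "text/html" for p in leaves):
        signs.append("plain text only")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # The recipient's address used where a name should be.
    _, rcpt = parseaddr(msg.get("To", ""))
    if rcpt and rcpt.lower() in text.lower():
        signs.append("addresses you by email address")
    if URL_RE.search(text):
        signs.append("asks you to follow a link")
    if LURE_RE.search(text):
        signs.append("account-scare wording")
    if next(msg.iter_attachments(), None) is not None:
        signs.append("has an attachment")
    return signs

if __name__ == "__main__":
    print(phishing_signs(SAMPLE))
```

A legitimate message can trip one or two of these on its own, so treat the count as a reason to look harder, not as a verdict.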
So What Can You Do?
Keeping safe under this constant attack is actually pretty easy, especially if you treat ALL emails the same. Here’s how:
- Do. Not. Click. Any. Links. Seriously. The web site on the other end is either putting bad stuff on your computer or it’s trying to steal your login credentials.
- If it’s not obvious who sent you the email, delete it immediately.
- If you think the email might be legitimate, close the email, open your browser, type in the address of the site (like www.mybank.com), log in, and see if there is an alert in your account that mirrors the email you got. If not, find the phone number from the web site and call them (DO NOT use any phone number listed in the email).
- If you mistakenly click a link and find yourself at a site asking you to log in, DON’T. Just close the browser.
- Keep an updated antivirus application on your computer. If you use Windows, Microsoft offers a free and top-notch application called Microsoft Security Essentials. For the Mac, you can get the free and open-source Sophos.
As I always say, there are a lot of bad people out there who will gladly steal your money. Your best weapon to fight these people is you. Be vigilant. Think long and hard before clicking a link in a random email. And spend a few minutes installing one of the awesome free tools out there to help keep an eye on your computer.
Have a happy and safe holiday, everyone!