How to avoid stress during Christmas shopping? SK-CERT recommends what to watch out for

On-line shopping is a great alternative to going to shops, especially during a pandemic. However, it is also a popular target for Internet scammers.

During the holiday season, people are much more easily deceived, because they are lured by discounted goods and are also pressed for time, with Christmas just around the corner.

Many offers, e-shops, websites or e-mails seem trustworthy and attractive at first sight, but in fact they contain links to fake websites or malicious attachments. They are also a means for scammers to obtain, for example, login details to various services (such as banking), or to make you pay for goods that you never receive.

The National Cyber Security Centre SK-CERT presents information on the most common scams in the pre-Christmas rush, as well as some helpful hints on how to identify the scammers who try to rob you.

Phishing

The most common are fraudulent e-mails targeting on-line banking. Victims will receive an e-mail or message asking them to enter or verify payment or personal information.

Both the e-mail and website to which you are directed look highly legitimate. Keep in mind that your bank will never contact you to request personal information or login information. Therefore, if you suspect that it’s a scam, please contact your bank.

For example, if you provide an unknown person with your Internet banking login details, you can very easily lose money.

Some e-mails contain links or attachments with malicious software. If such software gets into your device, you have a problem. Without your knowledge, an attacker can access your device, whether it is your computer, mobile phone or tablet.

The attacker can read and download your documents or do far more damaging things, for example record all keystrokes, read from them where you log in and what your login details are, and simply misuse them.

You can lose access not only to your social network accounts, but also, for example, to your e-mail box, Internet banking or work systems.

But it doesn’t end there. The attacker can use your device for other attacks, such as spamming or DDoS attacks that disable targeted types of services (websites and services of government organizations, private companies and so on).

Phishing e-mails may contain attractive offers, but these fraudulent e-mails are often disguised as important requests from your boss or a government institution. During Christmas time, it’s common for phishing e-mails to be seasonally themed, so be very wary. No one will give you anything for free, and offers that are too attractive smell of a problem.

Another variant of scam is that attackers offer gift vouchers or other offers “too good to be true” in malicious phishing e-mails.

These e-mails try to lure you to click on links that promise free or favourable gift vouchers. It’s often a scam again, and with a single click on such a link, you put your device and personal information at risk. It is therefore very important that your personal information is not disclosed to any unauthorized persons.

Just imagine what would happen if the attacker obtained your personal information, such as your personal number, ID card number, address of residence, and so on.

Using your name, he could, for example, purchase something or enter into contracts… And who would pay for it?

Secret Santa / Secret Sister / Secret Wine Bottle Exchange

Many names, but the meaning is the same: disguised pyramid schemes. If someone tags you on a social network to join a gift exchange, be vigilant and ignore this request. Pyramid schemes involve funnelling money from the bottom to the top of the pyramid, benefiting mainly those at the top and not many others.

Secret Santa

“Secret Santa” can be fun around the office, or with family and friends, but exchanging gifts among online users can have more serious consequences. While these gift exchanges look like innocent fun, they are in fact disguising a pyramid scheme that is illegal.

The most common idea of the game is to send 10 euros or a gift of this value to a person who is the last one in the list, regardless of whether you know the person or not.

Afterwards, you add your name to the list and send it to other people, each of whom should send you a gift or money. However, it is more than unlikely that you will receive a large number of gifts.

This game abuses people’s trust in other users involved in the game. It is usually well thought-out and targeted at more trustful users.

Secret Sister

The “Secret Sister” campaign became popular as early as 2015 and gradually spread to Europe via social networks. Every year during the Christmas season, the campaign returns, and the scenario is always the same. It is about an on-line exchange of gifts according to lists.

The concept seems harmless: social network users recruit participants into a “secret sisterhood” with the promise that they can receive up to 36 gifts, provided they buy a gift for the last participants on the list and provide their own personal details such as name, address and e-mail.

In fact, it is again an illegal scam that could allow an attacker to gain access to your personal information. It is highly unlikely that you will simply receive up to 36 gifts. You may get in trouble instead. By providing your personal data, you risk identity theft.

Even seemingly innocent data can be misused by an attacker very easily and get you into trouble. Losing your personal data is not trivial, and abuse of your identity may have serious consequences. Your name can appear in orders for expensive goods or services, or in unfavourable loan agreements of various kinds, and so on.

Users often do not know for whom they are buying gifts, or whether this favour will be paid back to them. They also do not know what will happen to their personal data, which they have willingly provided.

Like any pyramid scheme, this one performs well, especially during the Christmas holidays. The larger the number of participants, the greater the assumption that the game will continue.

However, when users stop participating in the game, the gifts won’t be delivered and all participants waiting for their gifts will be at least disappointed.

Secret Wine Bottle Exchange

The same scheme as in the previous cases. The invitation is sent by an e-mail or via a social network. You are asked to provide your personal details (name, surname and address) as well as the details of your friends so that they can be included in the list.

Afterwards, you should send a bottle of wine or a small gift to 6 people who are at the bottom of the list. The game continues and you should send gifts and hope to receive a gift as well.

However, this won’t happen because, like all pyramid schemes, they rely on recruiting more and more participants. When people stop joining, the gift exchange stops and only participants without the promised gifts will remain.

Phone scams

Computer criminals won’t be satisfied with attacks only through the Internet; they can also contact you by phone. If someone calls you and claims to be from customer or sales support, check it out: ask the caller where they got your phone number, who they are, and how they know what help you need. Under no circumstances should you provide any personal data, card numbers or passwords to anyone calling you.

For example, a card number is highly sensitive information. If you provide it to anyone, their intentions are certainly not good. They can happily shop with your money using the information from your card, and you may not even notice it because some on-line stores do not require verification of the purchase via a confirmation code.

The best defence is to hang up and not communicate with the attacker. Further recommendations on phone scams can be found in this article: https://www.sk-cert.sk/en/do-you-have-calls-from-microsoft-tech-support-it-could-be-a-scam/index.html.

Lottery scams

During the Christmas holidays, there are many Christmas lottery jackpots and similar competitions, on the Internet as well. However, lottery scams also circulate at this time of the year and often ask you to pay initial fees to release your winnings or to provide the bank details to which the winnings will be sent.

However, the card number or login details for Internet banking won’t help in this case, because from the information provided it is not possible to determine the account to which the money is to be sent. It is a cheap trick in which the attackers exploit people’s trust and their euphoria over “winnings” that are not real.

Remember that if you didn’t take part in any competition, you can’t win. If you receive an e-mail or message informing you that you have won the lottery, it is most likely a scam, so ignore the message. Also keep in mind that real lotteries don’t work on the principle of paying initial fees before the winnings are sent.

On-line shopping

Time stress before the Christmas holidays can lead to reckless behavior when shopping on-line. You have to be careful. Scammers post fake ads and run fake websites.

If you get caught by a scammer, you may lose your money and receive the purchased items only with difficulty. Most fraudulent e-shops require payment in advance or payment by card via unsecured and fictitious payment systems.

So, you may never see your items and at the same time you provide the attacker with enough data to steal more money from you by misusing the card details.

How to behave when shopping on-line can be found in this article: https://www.sk-cert.sk/en/advices-regarding-shopping-on-black-friday-and-cyber-monday/index.html.

Recommendations

Avoid the inconvenience and loss of your money. There are a few simple rules:

  • Ignore posts which are obviously pyramid games. Though they have an international reach and spread rapidly, remember that they are illegal, whether they involve money, gifts, wine bottles or something else.
  • Report such posts on social networks.
  • Never share your personal data or the personal data of your friends with strangers.
  • Don’t believe any promises in on-line games, even if they guarantee that they are approved by official bodies.
  • Under no circumstances trust strangers on the Internet who are trying, no matter how, to obtain your sensitive information – payment card number, access to Internet banking or personal data from your identity card.
  • If a website offers various services and products that promise high profits in a short time, it is necessary to be very careful and ignore such sites.
  • It is more than likely that games of this kind will not fulfil the commitment they claim, because pyramid games always run out of participants and finally fail.

The pre-Christmas period can bring more stress at work and in personal life. People are distracted and therefore more likely to click without thinking on a link that, among other things, promises various discounts and bargains. Therefore, follow these recommendations:

  • During the holiday season (and not only then), people are prone to believe in discounts and bargains. More than ever, however, the famous phrase “trust, but check” holds true. Be naturally distrustful of offers that cannot be turned down and select verified shops for shopping.
  • The same should be applied to normal communication. Make sure the e-mail you received comes from the source provided. It’s technically possible to check whether the e-mail address is real or just hidden, or a much simpler way is to call the person who sent the e-mail.
  • Never click on links and attachments in e-mails unless you verify they come from a trusted sender. Avoid clicking on e-mail attachments, such as .zip or .exe files.
  • Back up your important data and files.
  • Your device applications and their operating system must be regularly updated.
  • Use specialized software applications for your protection, such as antivirus software, software firewall, and so on. Don’t forget to set them up well.
  • Be wary of what to share on-line and what type of information to provide.
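
The technical check mentioned in the recommendations above (whether the e-mail address is real or just hidden) can be sketched as follows. This is an added example, not SK-CERT's own code: the function names and the sample message are constructed, all domains are reserved `.example` names, and it assumes the `Authentication-Results` header was added by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

RISKY_EXT = (".zip", ".exe")  # attachment types the advisory names
# Constructed sample message (all domains are reserved .example names).
SAMPLE = """\
Authentication-Results: mx.recipient.example; spf=fail; dkim=none; dmarc=fail
From: "support@mybank.example" <billing@pay-secure.example>
Reply-To: refunds@collect-mail.example
Subject: Christmas voucher - verify your card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="voucher.exe"

placeholder
--b1--
"""

def domain(addr):  # lower-cased domain part of an address, '' if none
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw):
    """Return a list of warnings for one raw e-mail message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom, warnings = domain(from_addr), []
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)  # address typed into the name
    if shown and domain(shown.group()) != from_dom:
        warnings.append(f"display name shows {shown.group()} but sender is {from_addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != from_dom:
        warnings.append(f"replies go to {reply_to}, not {from_dom}")
    # Only meaningful when the receiving (your own) mail server added this header.
    auth = msg.get("Authentication-Results", "")
    for check, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            warnings.append(f"{check} result is {result}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            warnings.append(f"risky attachment {name}")
    return warnings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

An empty result does not prove a message is genuine; calling the sender, as recommended above, remains the simpler confirmation.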
