Don't Let Online Shopping Threats Spoil Your Holiday Season

Bree Fowler

Updated November 27, 2019 at 3:32 PM

Consumer Reports has no financial relationship with advertisers on this site.

As millions of Americans prepare to fire up their laptops in the hopes of gobbling up Black Friday deals, security experts warn that cyber criminals have raised their efforts to steal valuable personal and financial information from unwitting shoppers.

While email scams remain popular, the fraudsters are increasingly using mobile apps and popular social media platforms to launch their swindles, too.

Earlier this month, retail giant Macy's reported that hackers had planted malicious code on its website to capture details such as the names, home addresses, email addresses, and credit card numbers of online shoppers.

Zack Allen, director of threat operations for ZeroFox, a company that specializes in social media cybersecurity, notes that people are getting better at spotting online scams, but admits it's hard to withstand the barrage of cyber attacks at this time of year.

“You could not click on 100 bad links, but the 101st will get you,” he says.

During the first 20 days of November, ZeroFox researchers identified 61,305 potential online scams targeting 26 popular retail brands. Of those, 11,741 contained language related to gift giving, 4,593 used the word “holiday,” and 637 were specifically related to Black Friday or Cyber Monday.

Here are some things to watch out for as you begin your holiday shopping. For more tips, consult our story on how to protect yourself from online shopping scams.

Feast of the Phishes

Cyber criminals love to use phishing scams during major seasonal events to hoodwink people into coughing up their info. They use emails and Facebook posts to pitch great, limited-time deals on hot holiday gifts, for example. But those emails also can masquerade as shipping notifications or pleas from well-known charities for end-of-the-year donations.

They all contain links that send you to a website made to look very much like the real thing. But instead of helping you make a purchase, showing you where your package is, or processing your donation to those in need, the site steals your information or plants a virus on your computer.

ZeroFox cites a fake Facebook page for the fashion label Michael Kors touting 70 percent off Cyber Monday discounts on handbags. When you click on the link, it takes you to a sophisticated look-alike site set up to collect payment card information.

Other social media scams bait consumers by offering the chance to win gift cards for major retailers such as Amazon or Walmart, ZeroFox says. The landing pages then ask for personal information such as names, addresses, and dates of birth.

Aaron Higbee, chief technology officer and co-founder of Cofense, which specializes in anti-phishing technologies, says cyber criminals are moving away from stealing banking credentials and logins for money transferring services such as Venmo or Paypal, because companies that offer those services are much better at detecting fraud these days.

Instead, the scammers are focusing on identity theft; going after consumer names, addresses, Social Security numbers, and dates of birth. With that information, he says, they can open up new lines of credit or even file fraudulent tax returns.

Other phishing schemes target email passwords. "This is where the dominos start to fall,” Higbee says. Criminals often can use those passwords to reset other passwords and ultimately take control of your online accounts.

And so, it's always smart to take a beat before you click on a link or download an attachment in an email—especially if it's an email from a person or retailer you don't usually do business with.

Consumers should be particularly wary of emails that look like shipping and delivery notifications, Higbee says.

“Everyone is busy during the holidays and consumers are online shopping even more,” Higbee explains. “At the same time, they’re worried about those packages being stolen.

“It’s a real opportune time for a criminal to slide in a phishing email."

Naughty or Nice?

While Apple and Google try their best to keep bad actors out of their app stores, some inevitably sneak past security.

According to RiskIQ, which maintains a database of blacklisted apps, cyber criminals are increasingly creating fake apps with the intent of fooling consumers into downloading malware or handing over sensitive data intended for well-known retailers.

The number of malicious apps in the company’s database has risen 20 percent in the last year. And, when RiskIQ researchers looked at all available holiday shopping apps, they found that 951—about 2 percent of the total—had been blacklisted.

While the vast majority of those malicious apps are found on third-party app stores, RiskIQ says, some do slip through the cracks and make it into the Apple and Google stores as well.

As part of its annual holiday report, RiskIQ also surveyed 1,000 consumers about their online habits, and 24 percent admit to downloading an app from a third-party store. Another 7 percent concede that they might have done so.

Like other security experts, RiskIQ researchers say consumers should keep their purchases to the major app stores and to think first before granting apps excessive permissions like access to contacts, text messages, or credit card information.

Hackers (Not Santa) Watching You

For many consumers, the Macy's hack is a clear example of the need for better protection of personal data collected by online retailers and services.

Macy’s says the malicous code that threatened people who used its website existed for about nine days in October before it was discovered and removed. The banking and credit card numbers of those affected have been reported to the respective issuers. Macy’s is also offering the shoppers free identity protection services.

But those consumers are now at risk for credit card fraud, identity theft, and other cyber threats, says John Shier, senior security advisor for the U.K.-based cybersecurity company Sophos.

“And, unfortunately, on the consumer side, there’s really nothing you can do to protect yourself from these kinds of attacks,” he adds. The malicious code, which is tied to a rapidly growing cybercrime syndicate known as Magecart, would not have adversely affected the buying experience or made Macy's site look any different to shoppers, he explains.

In its annual Black Friday and Cyber Monday threat report, RiskIQ notes that Magecart breaches are detected on an hourly basis. In total, the company has spotted Magecart skimmers in the wild more than 2 million times.

“This detection rate is a clear indication that the group is extremely active and will continue to be a critical threat to consumers, especially over the Thanksgiving shopping weekend,” the researchers write.

Given all the threats to online shoppers, tech companies and retailers need to do more to protect consumers, Allen argues.

“They are so apt to blame the consumer for making mistakes," he says. "Instead they should really be looking inward and asking themselves why they designed a system that would allow them to do that.”

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2019, Consumer Reports, Inc.

Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Sports
Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'
Murray made a bad night on the court worse during a moment of frustration on the bench.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Finance
Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'
Ryan says he would be writing in a Republican candidate instead of voting for Donald Trump.
Yahoo Sports
Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from
With free agency and the draft behind us, what 32 teams look like today will likely be what they look like Week 1 and beyond for the 2024 season. Matt Harmon and Scott Pianowski reveal the post-draft fantasy power rankings. The duo break down the rankings in six tiers: Elite offensive ecosystems, teams on the cusp of being complete mixed bag ecosystems, offensive ecosystems with something to prove, offenses that could go either way, and offenses that are best to stay away from in fantasy.
Yahoo Sports
Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1
It’s key to note that we’re not saying the “best team” or “best roster.” Instead, we’re talking about the best confluence of factors that can outline a path for survival and then success.
Yahoo Finance
These 3 stocks are poised to benefit from the massive energy transition
The energy transition will benefit companies providing electrical needs for surging demand. Analysts point to these three stocks as a Buy.
Yahoo Sports
Phil Mickelson on the majors: 'What if none of the LIV players played?'
Phil Mickelson hints that big changes could be coming to LIV Golf's rosters, and the majors will need to pay attention.
Yahoo Sports
Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap
Jake Mintz & Jordan Shusterman discuss the Padres-Marlins trade that sent Luis Arraez to San Diego, as well as recap all the action from this weekend in baseball and send birthday wishes to hall-of-famer Willie Mays.
Yahoo Sports
NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks
Tuesday's last-2-minute report should be interesting.
Yahoo Finance
Social Security just passed Medicare as the government's most pressing insolvency risk
An annual government report offered a glimmer of good news for Social Security and a jolt of good news for Medicare even as both programs continue to be on pace to run dry next decade.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024
Fantasy baseball analyst Dalton Del Don delivers his latest batch of hot takes as we enter Week 6 of the season.
Yahoo Sports
Ex-Ole Miss QB and Denver Broncos draft pick Chad Kelly suspended at least nine games by CFL
Kelly allegedly harassed a female strength and conditioning coach who sued him and the Toronto Argonauts in February.
Engadget
The best budgeting apps for 2024
Budgeting apps can help you keep track of your finances, stick to a spending plan and reach your money goals. These are the best budget-tracking apps available right now.
Yahoo Finance
Fed’s Kashkari: Rates will stay high for 'extended period' and can't rule out a hike
Minneapolis Fed president Neel Kashkari said interest rates will likely stay at current levels for an "extended period" and didn't rule out a hike if inflation stalls near 3%.
Yahoo Sports
NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series
Our NBA staff makes its picks for Knicks-Pacers and every second-round series.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
The best RBs for 2024 fantasy football according to our analysts
The Yahoo Fantasy football analysts reveal their first running back rankings for the 2024 NFL season.
Autoblog
Edmunds bought a Fisker Ocean, warns others not to make the same mistake
Edmunds bought a Fisker Ocean and details the highs and lows of ownership while warning others not to make the same mistake.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Don't Let Online Shopping Threats Spoil Your Holiday Season

Feast of the Phishes

Naughty or Nice?

Hackers (Not Santa) Watching You

Recommended Stories

Former NBA guard Darius Morris dies at 33

Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'

The FDIC change that leaves wealthy bank depositors with less protection

Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'

Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from

Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1

These 3 stocks are poised to benefit from the massive energy transition

Phil Mickelson on the majors: 'What if none of the LIV players played?'

Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap

NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks

Social Security just passed Medicare as the government's most pressing insolvency risk

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024

Ex-Ole Miss QB and Denver Broncos draft pick Chad Kelly suspended at least nine games by CFL

The best budgeting apps for 2024

Fed’s Kashkari: Rates will stay high for 'extended period' and can't rule out a hike

NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

The best RBs for 2024 fantasy football according to our analysts

Edmunds bought a Fisker Ocean, warns others not to make the same mistake