Online Shopping Scams

This article accompanies our How-To Guide: Shopping & paying online privately, but where the guide focuses on privacy this article is more concerned about securing yourself from some of the common online shopping scams.  Naturally there is common overlap because both resources strive for a similar end goal (just from different priorities).  It’s recommended you read both resources before starting your online shopping this festive season!

It’s that time of year again!

It’s certainly the time for online shopping – Black Friday and Cyber Monday sales start this week and deadlines for guaranteed delivery before Christmas are looming.  This particular shopping period is when consumers expect the year’s best offers over a short period of time.  Unfortunately, a hot offer and urgency are two salient elements of a successful online scam.

It’s the season for scams because chasing those big discounts on each item on a family Christmas shopping list leaves people stressed and under pressure.  Bad actors know many people will let their guard down during the rush and it’s their time to take advantage of that.

There are online shopping scams you will notice such as paying for items that never arrive as the site was fake.  Similarly, the product may arrive but be of a smaller size, inferior quality, or a knock-off version of the brand represented.  However, there are also scams which you may not notice have taken place for some time or at least not immediately.  These are scams where your credit card number or PII (personally identifiable information) has been stolen to be repurposed or other scams (such as sale on the Darkweb or identity theft).

Common online shopping scams

Phishing attacks

Phishing spikes at this time of year with attractive offers or strong discounts masking malware or linking to imposter websites.  Our precautions listed in our Phishing 101 article linked here apply – your best bet is to visit the website of the offer manually without clicking any link to it.  All retailers you’ve signed up with will bombard your email with their festive season deals but these are not exclusive to those registered on a mailing list.  The offers are all public so simply use the email draw your attention to it but visit the website manually.  If the deal isn’t on the legitimate website – that’s a red flag that the email was a phishing attack!

During this Black Friday, Cyber Monday, and general festive season period bad actors know that most people are expecting multiple deliveries every week until Christmas.  They are now imitating delivery companies with missed delivery messages claiming there is a delay or issue with the delivery of a recent purchase.  Usually, it requires you to provide them your personal details to identify you and pay a small fee.  Naturally you can see where this is going if it’s a phishing scam!  Again, as recommended in our Phishing 101 article – call the delivery company and verify the authenticity of the email, call, or SMS.

Fake online stores

Fake online stores pop up and are short lived once they are found out, reported, investigated, and shutdown.  However, that process still takes some time (around for 2-4 months) we say ‘short lived’ in the context of an online business.  These are similar to ones linked form phishing scams but don’t imposter well-known online stores.  They usually have vague and unknown names (some combination of big / amazing / unbelievable / massive / bargain / offers / wholesale / deals dot com) and have products at ridiculously low prices (the ridiculousness is the flag). 

These fake online stores rely on a high volume of transactions over a short period as they know they will be shut down once the scam is found out.  So, they offer products at prices well below a typical Black Friday / Cyber Monday discount price.  If a $300 product is discounted to $200 at five well-known retailers for Black Friday, yet one you’ve never heard of is offering it at $89, it’s definitely a red flag – this goes back to the saying if it’s too good to be true it probably is.

Magecart attacks

Magecart attacks is where bad actors breach either the server side or browser side of a website and inject malicious code or malware (such as a keylogger).  Typically, it will be designed to harvest personal and credit card details of customers transacting on the website’s online store.  A good way to think about it is that Megecart attacks are the online version of traditional card skimming.  We’ll come back to this one further on.

---

Of course, these three aren’t exhaustive by name but rather by nature (or approach), there are plenty of other scams not named above (Adware, Formjacking, etc,.).  We haven’t listed them because their approach is similar to one of those main three which we have listed;

1. Like Phishing you will be unknowingly linked somewhere you thought is / appears legitimate but is in fact a fraud or imposter site
2. Like fake online stores you knowingly purchased from an online vendor (including third party) which you didn’t vet or who did a good job to convince you that they’re legitimate
3. Like Magecart attacks the seller’s side (such as transaction infrastructure) has been breached and infected with malware to steal your data.

Warning signs, checks, and tips to secure your shopping

Part three of our How-To Guide: Shopping & paying online privately has some great tips which go hand in hand with the ones below.  We won’t list them here so as to not repeat ourselves, but please read the guide and combine those tips with those below to beef up your approach to online shopping. 

• Legitimate online stores operating for the long run will invest in security and will want to look professional.  Spelling mistakes or the absence of a Privacy Policy indicates a hastily put together website which may be fake or vulnerable.  Open the Privacy Policy if there is one and run your eyes over it – some bad actors running fake online stores may have just copy and pasted without basic editing.  You may even find the name of the business they copied from!
• Investigate their refund / returns policy, dispute handling process, and warranty conditions.  Again, legitimate online stores will have these and they should be professionally written (free of spelling and grammar errors).  Not having these policies available or having short, unconvincing ones is a warning sign
• As stated in our How-To Guide credit cards are preferred methods of payment over debit cards as they typically have more buyer protections in place regarding fraud.  Subsequently online stores that don’t offer credit card payment options and insist on money orders or transfers should arouse suspicion
• Lookup the legal / trading entity behind the business name and see if they have been around for a long time and be cautious if not.  Most countries have a free public register for this which lists the incorporation date
• Physically verify the business – which may not be possible for custom or bespoke products made by individual traders working at home.  However, in most cases you should be able to check the listed business address on street view and verify by the external signage if they operate there. 
• At checkout most retailers will encourage you to open an account and store your personal and payment details for faster checkout next time.  This is discouraged at any time of year but leading into the festive season in particular due to the rise in fake online stores.  This comes back to limiting your attack profile, the fewer places that store information about you, the better
• Read customer reviews and keep an eye out for repeated language or phrases.  This and too many excessively positive reviews, especially for young online stores may indicate they’re not legitimate
• Scrutinise the photos of the product to determine if the website is simply using stock photos rather than their own photos of their product
• Make your Christmas shopping list early allowing you time to research the sellers who stock the products you intend to buy.  Just about everyone with an online store will have deals over Black Friday / Cyber Monday.  That way when the deals go live you have a select basket of sellers who you have vetted to ensure they are legitimate
• Don’t buy online if you don’t have to!  While we were locked up during the COVID-19 pandemic shopping online became the default.  However, if you do a regular weekly shop at the mall which has the retailer you’re purchasing from – just buy it physically in person.  This is how it was done ‘in the olden days’, most festive season deals are not online-only and delivery fees tend to be inflated during this period to compensate the discounts

It takes two to tango

Unfortunately, the methods and threats are always evolving so there isn’t an ideal list we can give you of ‘do these 8 things and you’ll be safe!’ (as much as we would love to).  This is also because we’re talking about transactions which by nature involve more than one party, so it’s not just you who influences your vulnerability.  You also rely that the seller has taken the security of their online store seriously which is why we’ve waited to address what you can do about Magecart attacks until now.  These attacks happen on the seller’s side which means your best chance to limit this threat is by ensuring the data has limited value.  Sure there are browser tools and script blockers out there but they’re not perfect.  So when you do your online shopping you have two options when you reach checkout:

Option 1	Option 2
Alexander Baker 55 Lakewood Crescent Brisbane, QLD, 4000   Alexander.baker1981@emaill.com   Paid using real credit card number	James Baker PO Box 2545 Brisbane DC, QLD, 4000   Mary.baker02703@emaill.com   Paid using virtual credit card

In the example above there is not a lot of value in the second option for a bad actor because:

• You haven’t used your real name or residential address for delivery
• You’ve used a ‘burner’ email account which doesn’t have your real name or year of birth
• The virtual credit card number can only be used one time which it already has

In the example above we have kept the surname the same in the interest of prospective warranty claims (you can claim it was a gift for a family member named James).  Using a completely fake name may lead to some complications regarding returns, refunds or other similar claims (and it isn’t legal everywhere) especially if your name, the delivery name, and the email name don’t match up.  Your name without other correct information with it is mostly useless anyway so if you’re using a PO Box, burner email and virtual credit card you should be safe to use your full name.

Conclusion

The key takeaways from this article are:

• Before the Christmas sales kick-off with Black Friday / Cyber Monday deals refamiliarize yourself with our Phishing 101 article and the How-To Guide which we’ve linked and referred to throughout (as well as this article in subsequent years). 
• Remember if it’s too good to be true, it probably is.  Yes, there are strong discounts during this period, but not absurdly so.
• Remain calm and level-headed, don’t let the rush get to you.  Stay alert even beyond the purchase knowing there are now post purchase / delivery scams happening.  It’s really about applying everything you’ve learned from us and other cybersecurity news or articles you’ve seen throughout the year. 

If you’re still stuck for Christmas gift ideas, you know what we think is the best gift of all?

Cybersecurity! (maybe we’re a little biased) but give your tech-resisting parents a subscription to a reputable antimalware provider or password manager!  While you’re visiting them spend some time with them on their laptop / desktop to ensure they have a password lock on the device and are storing photos and documents securely.  During conversation share with them some examples of various scams (especially Phishing) that they should focus on. 

Safe shopping everyone!

This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.