Black Friday Cyber Safety: Protecting Against Festive Scams
It’s the festive time of year and one of the most highly anticipated shopping days of the year is upon us: Black Friday.
Over the course of this weekend retailers offer big discounts on a range of goods and, with Christmas coming up soon, we typically flock to the shops. Or, as is more common in this new age, we jump online to try to get the best deals possible. However, cybercriminals are aware of this too, which means that there is a significant increase in scams during this period.
CDS Defence & Security have teamed up with the West Midlands Cyber Resilience Centre (WMCRC) to offer some guidance on scams to look out for this year, to help keep you and your family safe from cybercriminals. As well as some scary statistics, there is a checklist at the end that can be used to keep yourself safe over the Black Friday weekend.
How much is lost per year in these scams?
Barclays conducted a study which found that last year there was a surge of 22% during Black Friday and Cyber Monday.
Roughly 91% of the British public don’t check if a dodgy/unknown company is registered on Companies House.
Last year during the festive period over £10 million was lost to cyber criminals, and it was found that people aged 25-34 were most likely to fall victim to this.
During the period of Black Friday and Cyber Monday, there was an average loss of £970 per victim.
What scams are popular this time of year?
Fake Order Scams
This scam is typically seen during the festive period because, as we know, when shopping online for gifts it’s often hard to keep track of all your orders. Scammers are aware of this and will leverage the situation. This might include sending you fake order confirmations or requests for information via email or text. These are legitimate methods used by organisations; however, a malicious actor will include either malware or phishing links that can be used to steal your personal information. There are also spin-off variants which may say “you need to pay an additional delivery charge” and include a link that leads you to make a payment. These scams are often put together in a very professional manner and can appear very convincing at first glance.
Fake Tracking Numbers
This method is similar to the one mentioned above, as the scammers will send fake tracking notifications as either an attachment or a link. However, a legitimate business will never send your tracking numbers as an attachment. Essentially, if you follow a ‘dodgy’ link it will take you to a dodgy website which will do dodgy things to your device so criminals can steal money/data/identities.
Phony Websites
This tactic is when an attacker creates a fraudulent website that mimics a legitimate site and lures a user into shopping for goods that don’t exist.
On these websites there may also be a ‘Hot Deals’ section. This is a method that attackers will employ by creating websites offering items that are really popular and scarce during this time. This typically results in shoppers paying for products that they will not receive and the scammer gaining access to your payment details.
It’s important to remember that if you find these scams in the UK then you should ensure that you report this to the appropriate authorities as a means to help prevent others from falling victim to fraud.
- National Cyber Security Centre (NCSC): if a website is found to be posing as a government website or service, you can use their online report service.
- You can also report fake websites to Action Fraud, which is the UK’s national reporting centre for fraud and cybercrime.
- Citizens Advice can be contacted for general advice and for reporting scams; they can also provide you with guidance on what to do next and how to get your money back if you’ve been scammed.
Fake Social Media Advertisements
These kinds of scams are designed to look like legitimate promotions on various social media platforms such as Facebook, Instagram and Twitter, but have been created by attackers with malicious intent. Billions of people use social media and lots of big brands advertise their products on the various sites. This makes it easy for attackers to create mock versions which will appear legitimate to a lot of users who are not aware of these scams. These sites may contain malicious software that executes upon visiting to steal user data, or could have links that execute the malicious code when clicked.
Fake Charities
It’s quite sad to say, but this is a method that is employed by attackers during this time of year. As we start coming up to the festive period there is typically a surge in charitable donations, which malicious actors will try to capitalise upon. The method they use is setting up fake charities and then applying high-pressure tactics to get as many donations as possible. It is therefore worth being wary during this time of year of charities which are overbearing in their pursuit of charitable donations.
False Discounts
This typically occurs when scammers try to lure victims in with advertisements offering very appealing discounts on popular products. Clicking on one of these takes the user to a fraudulent website, which allows an attacker to steal personal and financial information.
Gift Cards
An attacker will send texts and emails to unsuspecting people in an attempt to trick them into thinking they have received a gift card from someone they know. Within the message will be hidden links that, when clicked, install malware on the device, which means personal information can be stolen.
How to stay protected during this period?
Now you’re aware of the threats that are out there, what are the best practices to help you spot a scam and keep you safe when shopping during this period?
Think about it: If you find a deal that’s too good to be true, it more than likely is. So, when shopping online, take time to research products and suppliers to ensure you get what you want, and that you get it from a reputable seller. Scammers will often use hard-to-obtain and in-demand items to help maximise their profitability, so if these are your target items, stop and think for a second and conduct some additional due diligence on the seller and how authentic they may be.
Be cautious: Caution should be exercised when doing online shopping during this period.
- When it comes to big and desirable discounts being offered, this should be cross referenced against other sites, and don’t forget to see if the seller provides contact information; if they do, test it out.
- If there is a lack of information regarding the organisation, then this should be considered a red flag.
- When it comes to gift cards you should always verify the source before clicking on any of the links. If you have received a message saying that a family member or friend has sent you a gift card, then you should contact them and verify.
- Finally, as with any messages which contain links, proceed with caution and do not click on the link/attachment unless you 100% trust the origin.
Look out for Phishing emails/Smishing: There are various signs that will help you identify a potentially malicious message:
- Signs of a phishing email:
  - If the email is sent from a public email domain, such as Gmail, Outlook and so on, then it is highly unlikely to be a legitimate organisation.
  - Another way of checking if it is a phishing email is to see if the domain is misspelt. An example of this might be an email coming from account@payepal.com.
  - If the email is written poorly, it can be a telltale sign of a phishing email. NB. It’s worth noting though that tools like ChatGPT are making phishing emails much more convincing, so this is becoming a less effective method of identifying malicious emails.
  - Be wary of messages which create a sense of urgency. This is typically a method attackers use so that individuals will be more likely to click on their malicious links.
- Signs of SMS phishing (SMishing):
  - If you don’t have text alerts enabled for banking or utility accounts but have received texts claiming to be from them, then these messages should be treated with a high degree of caution.
  - Be mindful of the tone the messages are sent in. Look out for grammar and spelling in messages.
  - If messages require you to respond/act quickly, or if ignoring the message would result in undesirable consequences, then be very cautious.
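The email signs listed above (public mail domain, misspelt domain, urgency) can also be checked automatically, for example in a mail filter. The sketch below is an added example, not part of the original guidance; the domain lists, the urgency phrases and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
# Added illustration: flags the email warning signs from the checklist.
# All lists below are assumed sample values, not taken from the article.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
KNOWN_BRAND_DOMAINS = ("amazon.co.uk", "paypal.com", "royalmail.com")
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours",
                   "account will be suspended")


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def phishing_signs(sender, body):
    """Return the checklist warning signs shown by one message."""
    signs = []
    # Use the real address, not the display name, which a sender can set freely.
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in PUBLIC_MAIL_DOMAINS:
        signs.append("public-mail-domain")
    elif domain not in KNOWN_BRAND_DOMAINS:
        # A near miss of a known brand domain suggests a misspelt lookalike.
        for brand in sorted(KNOWN_BRAND_DOMAINS):
            if edit_distance(domain, brand) <= 2:
                signs.append("lookalike-of:" + brand)
    text = body.lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        signs.append("urgency")
    return signs


if __name__ == "__main__":
    # Constructed sample message using the article's misspelt-domain example.
    print(phishing_signs("account@payepal.com",
                         "Your account will be suspended unless you act now"))
```

An empty result does not mean a message is safe: a sender on a correctly spelt but unrelated domain passes all three checks, so the verification steps above still apply.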