CISA Warns Against Online Holiday Shopping Scams

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory calling for increased consumer vigilance as malicious actors attempt to take advantage of unsuspecting holiday shoppers through malicious links, fake websites and other forms of cybercrime. 

CISA outlined a handful of preventative actions for consumers, including checking personal devices, shopping from trusted sources, using safe purchasing methods and following basic cybersecurity hygiene such as multifactor authentication (MFA).

CISA and the FBI also released guidance aimed at helping organizations improve their security posture during the holiday season, when cybercriminals are out in force looking to deploy malicious software, steal identities and hijack bank accounts.

Holiday Shopping Security

Joseph Harris, vice president of intelligence collection management at Intel 471, explained there are several pitfalls that can impact consumers seeking a bargain over the holiday shopping season, including offers that are too good to be true.

“Malicious actors are quite adept at copying legitimate trading practices to portray an offer that seems amazing and viable at first glance but is intended to distract customers from being as careful as they might otherwise be,” he said.

He said the old adage holds true: If it seems too good to be true, it probably is. “Any time there is an offer that seems to be too good to be true, your guard should be up and you should seek to trust but verify that it is a legitimate offer from the correct source,” he said.

“Retailers have many tools at their disposal to prevent malicious activity and frequently deploy many of these in a defense-in-depth strategy to protect shoppers,” Harris said. “There will always remain a responsibility for consumers to be conscientious shoppers and to exercise sensible precautions as they seek to spend their hard-earned incomes.”  

He added that mobile malware is increasingly observed in the criminal underground, alongside malware targeting Microsoft Windows and Apple Mac products.

“Keeping your systems up-to-date and using good security controls is part of the solution, though one of the most effective protections is the application of common sense when exploring the internet,” he said.

That means using trusted links only and being wary of unsolicited communications in texts or emails, or as descriptions or comments on videos on YouTube, TikTok and Facebook.

“Threat actors are becoming well-practiced at trying to bypass MFA controls, so if you ever receive such a prompt without requesting it, be alert to the fact that your details may have been exposed or placed at risk,” Harris said. 

He pointed out that using the same password for many websites is also a dangerous practice, and advised investing in a password manager to safely store high-quality credentials that will make it tougher for criminals to guess.

“Consider also that smaller companies typically do not have large security teams and that their security controls may not be as strong as those of larger businesses,” Harris noted. “Consider this when you make a decision on where and with whom to share your financial details.”

Craig Lurey, CTO and co-founder at Keeper Security, said some of the most common security mistakes shoppers make online revolve around the ease of online shopping and streamlining the process.

“Storing financial information on a store’s website, saving login information to web browsers, reusing passwords for multiple accounts and shopping while on public Wi-Fi are just a few of the ways online shoppers are exposing themselves to cybercriminals,” he explains.

Another big mistake shoppers make is using a debit card instead of a credit card, the latter of which offers more protection and less risk in the event your information is stolen.

Stick With the Familiar

“With an ever-increasing number of businesses creating online storefronts, there are endless opportunities for cybercriminals to go after your information,” Lurey said. “Shopping at familiar stores can cut down on your exposure.”

He advised that when you shop at a new store, check the company’s Better Business Bureau profile and look for reviews on social media, industry forums and through a web search.

“Also, be aware of phishing scams from cybercriminals posing as legitimate businesses,” he says. “If a message looks suspicious or contains a deal that seems too good to be true, avoid clicking any links or responding.”

He added that the key is to ensure the URL of the destination website matches that of the authentic site. When a password manager is used, it automatically flags a site whose URL doesn’t match the entry stored in the user’s vault, which provides a critical extra layer of security.
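As an added illustration of the URL check described above (example code written for this article, not Keeper’s or any vendor’s code; the vault entries, hostnames and the lookalike heuristic are constructed assumptions):

```javascript
// Added example: decide whether a saved login should autofill on the page the
// browser is showing, by comparing the page's origin with the origin stored in
// the vault. Assumes each vault entry records the full origin of its login page.

// Constructed sample vault: site names, origins and usernames are made up.
const VAULT = [
  { site: "Example Shop", origin: "https://shop.example.com", username: "alice" },
  { site: "Example Bank", origin: "https://bank.example.org", username: "alice" },
];

// Reduce a URL to its origin (scheme://host[:port], host lower-cased, default
// port dropped). Returns null for anything that is not a well-formed http(s)
// URL, so javascript:, data: and garbage inputs never match a vault entry.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// Vault entries whose origin exactly equals the current page's origin. Exact
// origin comparison is what defeats lookalikes: "shop-example.com",
// "shop.example.com.evil.test" and a plain-http copy of the site all fail.
function matchingEntries(currentUrl, vault = VAULT) {
  const current = originOf(currentUrl);
  if (current === null) return [];
  return vault.filter((entry) => originOf(entry.origin) === current);
}

// Classify the page: "autofill" when an entry matches, "warn" when the host
// merely resembles a saved site (a likely phishing page), "unknown" otherwise.
// The resemblance test is a simple constructed heuristic (saved hostname
// embedded in the current one, ignoring dots and hyphens); it does not catch
// homoglyphs such as a digit zero standing in for the letter o.
function assessPage(currentUrl, vault = VAULT) {
  if (matchingEntries(currentUrl, vault).length > 0) return "autofill";
  const current = originOf(currentUrl);
  if (current === null) return "unknown";
  const host = new URL(current).hostname;
  const squash = (h) => h.replace(/[-.]/g, "");
  const lookalike = vault.some((entry) => {
    const saved = new URL(entry.origin).hostname;
    return host !== saved && squash(host).includes(squash(saved));
  });
  return lookalike ? "warn" : "unknown";
}
```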

Bud Broomhead, CEO at Viakoo, pointed out that consumers must also be aware of the network they are connected to and should avoid using public Wi-Fi where confidential information could be intercepted.

“While both are generally safe, shopping using a store’s app is safer than using that store’s website,” he said. “It’s better to log out after shopping than just close a browser window. When you log out, it ends the session with the retailer immediately and eliminates risk of session credentials being stolen and used by a bad actor.”

He added that it’s important to always check that the website is using SSL encryption: the browser’s URL bar shows a padlock icon when the traffic is being encrypted.

From Broomhead’s perspective, practices like MFA, maintaining computers and mobile devices on the latest/safest firmware, rotating passwords, not reusing passwords and other basic cybersecurity hygiene protections are not just for shopping but general internet use. 

“Maintaining these practices prevents bad actors from gaining confidential information, planting malware or monitoring your internet activity,” he says.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
