Over this Thanksgiving holiday, more consumers will shop for deals online than ever before. At the same time new — more secure — point of sale systems in stores will push more criminals to stalk potential victims in cyberspace. In other words, it's a perfect storm for cybercriminal attacks.
"It's scam central during the holidays," said Stu Sjouwerman, CEO of KnowBe4, a firm which advises on cybersecurity awareness. Sjouwerman predicts hackers will hijack the hype around "Star Wars: The Force Awakens" to deliver a slew of movie merchandise and ticket offer scams.
Here's some advice from the FBI and cybersecurity companies on how best to protect yourself as you fill up your virtual shopping cart.
Pro tip No. 1: Start this New Year resolution early: Think before you click
Online shoppers will spend an estimated $3 billion on Cyber Monday alone, and $83 billion over the entire holiday season, according to Adobe. That makes the holidays prime time for phishing emails: messages crafted by cybercriminals to trick recipients into handing over credentials or opening malicious attachments, giving the attacker access to, or control of, personal or company computers. "Your email address is in every hacker's database," said Marc Boroditsky, vice president and general manager of Twilio's Authy, an app that powers two-factor authentication for companies including Dell and Amazon's Twitch.
The FBI puts it like this, "If a deal looks too good to be true, it probably is." This was something cybersecurity experts repeatedly emphasized. It's not rocket science, but a great holiday deal catches a lot of people off guard.
Be especially wary of unsolicited emails. "One of the most common themes we see is fake delivery emails," said the director of Symantec Security Response, Kevin Haley. "If you receive an email with an attachment that purportedly has details about a package that couldn't be delivered, don't open it. That attachment is malware."
"Don't try to determine if links are malicious or not. Just don't click on them," said Palo Alto Networks CEO Mark McLaughlin. "This should be adopted as a year-round practice you need to implement most critically around the holidays," he said. "If you really must get that 'once in a lifetime deal,' look up the website directly."
Pro tip No. 2: Looks can be deceiving: Check domains
Hackers can register a site that looks exactly like a big-brand retailer, but is really a front to steal information.
"Make sure the website has a secure Web address and it's the actual address of the website," said Tim Chen, CEO of DomainTools. "Someone can register, say Amaz0n with a zero instead of an o — if that were one of the example cases — register that domain name for $10 at GoDaddy and set up a site that looks like Amazon and send it out likely through email, to an email list of people that are potentially shopping over the holiday season," said Chen.
"If you're not sure if the email that you have got is legitimate or if the link that you're going to is legitimate, you can take the domain name, enter it into DomainTools, look up the WHOIS record," said Chen. A quick search using Nike's U.S. Web address shows it was registered in 1995. That, said Chen, is a good sign.
"Most compromised sites, most attacks are very, very recent — they just register the domains and then do something with them," he said. Scroll down to the WHOIS record and Chen says the information checks out. "You see all the proper information. The email address is actually @nike.com, it's in Beaverton, Oregon," he said. "There's a lot here to tell you this is likely a legitimate website." Registration age and registrant details are a heuristic, not proof: many legitimate registrants hide their contact details behind a WHOIS privacy service, and a young domain can belong to a genuine new shop, so treat a recent registration as a reason to be careful rather than a verdict.
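To make Chen's check concrete, here is an added Python example that is not DomainTools' code or anything quoted above. It takes a URL from an email, pulls out the host, and flags the tricks the article describes: digits or look-alike glyphs swapped into a brand name (amaz0n), a brand name one typo away, a brand used only as a subdomain of some other registered domain, an internationalised host that becomes a punycode label, and a registration date younger than 90 days. The brand list, confusable-character table, sample URLs and registration dates are constructed for the example; the registration date is passed in by the caller rather than looked up over the network, and treating the second-to-last label as the brand is a simplification that ignores the public-suffix list (amazon.co.uk would be judged on "co").

```python
"""Flag look-alike shopping domains in a link before clicking (constructed example)."""
from datetime import date
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Retailers we expect to see in holiday email. Constructed list for this example.
BRANDS: Set[str] = {"amazon", "nike", "target", "walmart", "macys"}

# Glyphs attackers substitute because they look alike at a glance (amaz0n, wa1mart).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "$": "s", "|": "l"})
# Letter pairs that read as a single letter in many fonts (arnazon -> amazon).
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def host_labels(url: str) -> List[str]:
    """DNS labels of the URL's host; Unicode hosts are converted to their xn-- form."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.encode("idna").decode("ascii")
    return host.split(".") if host else []


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-typo squats such as nikee.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Undo the common glyph substitutions so a look-alike maps back to the brand."""
    out = label.translate(CONFUSABLE)
    for pair, single in DIGRAPHS:
        out = out.replace(pair, single)
    return out


def assess(url: str, brands: Set[str] = BRANDS,
           registered: Optional[date] = None, today: Optional[date] = None) -> List[str]:
    """Return a list of reasons to distrust the link; an empty list means nothing was flagged."""
    labels = host_labels(url)
    if len(labels) < 2:
        return ["no registrable domain in URL"]
    apex = labels[-2]  # 'amazon' in www.amazon.com (simplification: no public-suffix list)
    reasons: List[str] = []
    if any(label.startswith("xn--") for label in labels):
        reasons.append("internationalised (punycode) label")
    if apex not in brands:
        norm = normalise(apex)
        if norm in brands:
            reasons.append(f"confusable spelling of {norm}")
        else:
            for brand in sorted(brands):
                if levenshtein(apex, brand) == 1:
                    reasons.append(f"one edit away from {brand}")
        # amazon.com.secure-login.example: the brand is only a subdomain of someone else's domain
        hits = [brand for brand in sorted(brands) if brand in labels[:-2]]
        if hits:
            reasons.append(f"brand {hits[0]} appears only as a subdomain")
    if registered is not None:
        age = (today or date.today()) - registered
        if age.days < 90:
            reasons.append(f"domain registered {age.days} days ago")
    return reasons


if __name__ == "__main__":
    # Constructed sample links and registration dates; Nike's 1995 date is from the article.
    checks = [
        ("https://www.nike.com/", date(1995, 1, 1)),
        ("https://www.amaz0n.com/deal", date(2015, 11, 20)),
        ("https://amazon.com.secure-login.example/x", None),
        ("https://nikee.com/sale", None),
    ]
    for link, created in checks:
        print(link, "->", assess(link, registered=created, today=date(2015, 11, 25)) or "ok")
```

The scoring is deliberately conservative: a label is only reported as a look-alike when undoing the substitutions lands exactly on a known brand, so a legitimate unrelated shop is not flagged just for containing digits. Chen's advice still applies to anything the script does not catch: when in doubt, type the retailer's address yourself.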
Pro tip No. 3: 'Google' brands
The real site is likely to be the top result, say experts. Here's what the FBI advises: "Log on directly to the official website for the business identified in the email instead of linking to it from an unsolicited email. If the email appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information."
None of this is fail-safe — there's a reason phishing emails are the most common trick hackers use to target their victims — but employing these tools can help you navigate the Wild West Web.
Pro tip No. 4: Activate 2-factor authentication
"Why do I need this? Passwords can get stolen, especially if you use the same password for multiple sites. Adding two-step verification means that even if your password gets stolen, your Amazon account will remain secure."
"How does it work? Sign-in will be a little different. You'll enter your password as usual, and then a security code will be sent via text message to your phone, or you will generate a code using an app. You will then enter the code and complete your sign-in. You can also choose to 'trust' devices, so that you will not have to enter security codes on those devices."
Despite its advantages, most retailers do not offer two-factor authentication.
"Consumers have not yet been willing to accept really rigid strict security measures in order to shop," said Lauri Floresca, senior vice president and partner at Woodruff Sawyer & Co., an insurance services and risk management firm.
"Any decisions companies make to increase security, they have to view against customers finding it too burdensome and not bothering to shop, right? So there's that tension or that trade-off that companies make," she said. "That's some of the basis behind why you aren't seeing more companies have really aggressive security policies online — it's because they're afraid that it will lead to fewer sales."
We reached out to Target, Walmart, Nordstrom and did not hear back. Macy's told us: "We maintain a very active program to protect data. We will not comment on specifics, knowing that anything we say will only serve to help the bad guys."
Pro tip No. 5: Be your own detective
Boroditsky suggests monitoring credit updates and statements with extra diligence around the holidays. "Don't wait until Jan. 15 when you pay the bill to check your accounts," he said.
"This allows you to both detect if your account was recently compromised, or if attackers with your credentials have been waiting for a time when there is a flurry of legitimate activity as people buy presents," said McLaughlin.
Pro tip No. 6: Don't let cybercriminals take your personal data hostage
The hottest cybercrime tactic, ransomware, exploits a simple fact: people will pay to get their own files back. Criminals compromise devices, encrypt the files and demand hundreds of dollars to unlock them. "Usually only Microsoft Office, Adobe PDF and graphics files are targeted," writes Intel's McAfee Labs 2016 Threat Predictions report.
"The groups behind most current ransomware campaigns are going for 'fast cash' by using spam campaigns and exploit kits such as Angler, and targeting wealthy countries in which people can afford to pay the ransom," the report finds. "With upcoming new variants and the success of the 'ransomware-as-a-service' business model, we predict that the rise of ransomware that started in the third quarter of 2014 will continue in 2016."
Apple fanboys beware: "The Mac security honeymoon is over," said Sjouwerman. McAfee agrees: "Attacks will continue on Microsoft Windows. We also expect ransomware to start targeting Mac OSX in 2016 due to its growing popularity."
To avoid being at the mercy of ransomware, McLaughlin suggests adopting a prevention mindset. That means backing up all your files to a cloud service provider, like Google Drive, DropBox or Box, and backing up files offline. "Doing so will allow you to deny the payment," he said. One caveat on the cloud option: a sync client on an infected machine will upload the encrypted versions of your files just as faithfully as it uploaded the originals, so the cloud copy only helps if the provider keeps earlier versions of each file, or if you also have the offline copy McLaughlin mentions. Whichever you use, try restoring a file from it before you need to.
Pro tip No. 7: Protect passwords
All the experts agree: if you have not changed your passwords for key accounts in a while, change them before the holidays. "I define key accounts as anything that handles my money and anything that might hold personal information about me that I do not want broadcast to the world," said McLaughlin. "There are a range of free apps from companies with strong reputations who can help you protect your technology and identity. Better yet, now might be the time to start using a password manager," he said.
Pro tip No. 8: Practice cyber-hygiene
People put preventative maintenance off for as long as possible, and hackers know that. "Take an hour, read that nagging message that your computer has been sending you about upgrading to the latest patch level and push the start button," said McLaughlin. Criminals are well-aware that they can often use techniques that already have well-known prevention controls, because victims procrastinate over maintenance. "Before the holidays, don't procrastinate. Push the button," he said.