COVID-19 lockdowns, working from home, and the run-up to the festive holiday season have driven an unprecedented rise in online shopping—and a perfect opportunity for phishing attacks.
The Rise of Online Shopping
Thanks to COVID-19 and the lockdowns 2020 has become the best year ever for online shopping. We already loved online shopping—no crowds, no travel, no hassle—but this year the convenience was overtaken by practicality as the main benefit. Living in lockdown and going through periods of self-isolation, no non-essential shopping, and many stores closed due to staff problems, online shopping became a lifeline for many.
Amazon has reported their Q3 revenue was USD 96.15 billion, an increase of 37 percent. It is predicting revenues of USD 112 billion to USD 121 billion for Q4. As we approach the festive holiday season, online sales will soar once more. Amazon reports holiday purchasing is already underway in November.
Of course, there is much more to online shopping than just Amazon, but they are a useful yardstick to demonstrate the trends. Many consumers are still too fearful to shop in-store. They are alarmed at the thought of crowds, they don’t believe social distancing guidelines will be observed, and they suspect many will not wear masks. It’s so much easier to shop from home.
If you are one of those who are not working from home, you can order online and have your goods delivered to your place of work. If you’re not there to sign for it, one of your colleagues will sign for it and look after your delivery for you.
That’s the only drawback of shopping online. The delivery.
At some point, the millions and millions of online purchases have to leave the digital worlds and materialize in the physical world. That only occurs when your order arrives. Waiting for a delivery can be stressful. Especially if it is an important delivery. It might not be because the item is expensive, it could simply be that you’re banking on that item being delivered to you in time for you to wrap it and give it to the recipient on their birthday, your anniversary, or some other immovable deadline.
It’s easy to have a creeping unease when you’re waiting for a delivery. Is it going to be late? Has it been delivered to the wrong address, or was there a mix-up and it hasn’t even been shipped yet? Has there been some hold up because of payment clearance?
And that’s where our opportunistic and seasonal threat actors come into the picture. With millions of online sales, there are millions of deliveries. That’s a lot of people who wouldn’t be too surprised to receive an email about their delivery. So the threat actors leverage that expectation and send as many people as they can an email that is a wolf in sheep’s clothing.
Phishing emails are fraudulent emails that look like they have been sent by a recognized or trusted entity such as a bank, a business, or an online payment platform. The more sophisticated attacks take great efforts to craft an email with the same look and feel as a genuine email would have. They want it to have the right tone, the right livery, and to be persuasive. They want the recipient to believe the email is genuine and to click a link or open an attachment.
The link leads to a bogus website that will try to harvest login credentials or to infect your computer with malware. If there is an attachment it will contain malware, usually in the form of a small dropper or downloader program. This will install itself in the background and then download the larger and more damaging malware, perhaps a Remote Access Trojan (RAT) or one of the many ransomware threats.
Threat actors are very quick to react to trends. They can re-skin an existing scam and trot it out in this season’s colors in no time whatsoever. The easy way to disguise them is to make them look like they have come from a courier—because they know millions of people are waiting for a delivery. They may also appear to be from a payment service such as PayPal and claim there is an issue with your payment. But not everyone uses PayPal. And if you don’t, you know straight away that this is a scam. But if you are waiting for a delivery, you know there’s going to be a courier involved.
Taking advantage of the phenomenon of wide-spread delivery anxiety, the threat actors are hoping that the average recipient will see an email about their delivery, give a mental sigh of “Oh no!”, then click the link or open the attachment without stopping to check—or to even consider—that the email may not be genuine. And so delivery anxiety overrides basic cyber hygiene.
Allied to phishing is smishing, which is phishing by SMS text message. Because text messages are a short and terse medium, there is no need to consider the look and feel of the message. An SMS looks like an SMS no matter who sends it. The threat actors don’t need to worry about finding the correct font, logo, voice, and tone. And the low character limit means shortened URLs are the norm in text messages, so they don’t arouse suspicions.
Everyone’s a Target
Using email addresses taken from the huge databases containing the breached personal data that can be found on the Dark Web, the threat actors can send their bogus emails to literally millions of recipients. You’re not being singled out. You’re a target simply because your data happens to have been included in a data breach at some point in the past. This isn’t sniping. This is blind machine-gunning then looking to see who’s been hit.
You can easily check if your email has been exposed because of a data breach. The have I Been Pwned website gathers all the data breaches and puts them into a searchable online database of over 10 billion records. If your email address is found in the database you’ll be told which company or website the breach occurred on. You can then change your password on that site or close your account.
There’s not much you can do about your email address though. Once it’s out there, it’s out there. And probably it will be swept up as part of the ammunition a threat actor feeds into their phishing campaign software.
The same principle is true with cellphone numbers. Data breaches that leak personal data often include cellphone details. These are then used as the target numbers for the automated SMS software used by the threat actors.
Why Organizations Need To Be Wary
There is a blurring taking place between people’s home digital lives and their business digital lives. People bring their own devices such as cellphones to their place of work and connect to the Wi-Fi. They do their online shopping at home but often choose to have it delivered to their place of work, if that’s where they’re going to be during the day.
That means if a phishing email masquerading as an email from a courier drops into their business inbox, they won’t be surprised. Their interest in the delivery will likely override their staff awareness training on how to spot a phishing email.
They may receive the phishing email on their cellphone and forward it to their business email so that they can print it, or deal with it n a large screen and with a real keyboard. They may use their corporate computer to hop onto their personal webmail at lunchtime. Regardless of the route that a phishing email takes to arrive in someone’s business inbox or corporate computer, it is your organization’s network that is at risk of being infected and compromised.
How To Spot Attacks
These actions will help keep your staff—and your network—safe from phishing and smishing attacks.
- Are you actually expecting a delivery? Can you already account for everything you’ve ordered?
- Carefully check the sender’s email address. Does it have the domain that you’d expect it to have? If not, be suspicious. Often there can be a difference of a single letter. There are some well-known examples of this. One appeared to say “microsoft.com” but the initial “m” was replaced by two letters “r” and “n.” At a glance “rn” looks like “m.” The second example was “apple.com” with the lower case “l” ell, replaced with a capital “I” aye. In some typefaces, these look exactly the same. So look carefully at each letter of the email address. Don’t glance or skim-read it.
- Treat links as potential traps. Hover your mouse pointer over them and check the tooltip to see where they are trying to take you. You can make the text of the link say whatever you like. That doesn’t mean that’s where the link actually points. If you have any doubts, don’t use the link. Perform a web search and navigate to the site manually.
- Despite their best efforts, threat actors can still make mistakes with grammar and spelling. Genuine emails don’t have these types of errors, especially when they come out of automated systems. If it looks wrong, it is wrong.
- Do the graphics and livery appear professional, or do they look like someone has used cut and paste to drop the images in, and not quite matched the version of white in the background?
- No creditable organization will ask you to provide passwords, account details, or other sensitive information.
- Remember, the data breaches that the threat actors use as the source for email addresses and cellphone numbers also have other personal data in them too. So it is easy to use your name in the email or SMS text. Just because it mentions you by name, it is no indication the email or SMS is genuine. You must still be wary and exercise caution.