Cybersecurity experts are warning Christmas shoppers as well as those receiving high-tech presents to be wary of how they buy and what to do with presents once opened.
With the growth in online shopping – particularly during the COVID-19 pandemic, cybercrooks have learned more about how to target people for scams, said B.C.-based tech detectives Derek Manky and David Masson.
Manky is chief of security insights and global threat alliance for Fortinet, a California-based company with a research and development centre in Burnaby, while Ottawa-based Masson is director of enterprise security at Darktrace, a global, U.K.-based company specializing in cybersecurity using artificial intelligence.
Both agree the threats posed to Christmas shoppers have increased as data thieves find new ways to steal people’s data through luring them into bogus gift buying.
Manky said the easiest way to avoid being scammed is to stick with known companies. Even then, he said, online shoppers should check to see that website addresses are correct. Watch out for typos or name modifications, he said.
For example, Masson said, if you want to use Amazon, make sure the web address isn’t ‘amazoom,’ or ‘amazona’ or some other variation.
Further, he added, “If you're looking for something, my advice would be go and look for it yourself. Don’t wait for someone to look for it for you.”
Such a ‘someone’ could be a crook looking to scam shoppers through what is known as social engineering, the use of lures that attract people via texts, email or social media.
“When you get this kind of thing people tend to – guess what – click on them,” Masson said. “That’s a bad idea.”
Instead of clicking, do a Google search, he suggested. Get the correct website on your own initiative.
Some of those clickable items might also contain ‘weaponized’ documents, Manky said.
Further, he warned, be wary of WordPress documents with shopping cart plug-ins. Many are compromised and a portal for crooks to gain access to your personal data. For secure shopping, Masson and Manky said, make sure a website address has an ‘https’ prefix or a lock icon at the address.
Even the CAPTCHA buttons that many have relied on for security are open to abuse now. Some are links that could allow crooks’ into systems. Mouse over the link and look at the website that action brings up, Manky said. If it looks to good to be true, he said, it probably is.
And, both stressed heavily, do not use credit cards in unsecured WiFi environments. If you can use a VPN or virtual private network, great. If you can’t, ‘wait until you get home,” Masson said.
Increasingly, high-tech presents are being found under Christmas trees. Both Masson and Manky said there are pitfalls associated with those gifts that could compromise people’s privacy and cybersecurity.
Both stress that any default passwords associated with such gifts should be changed on first use. Default passwords are sold around the world and cybercrooks can use them to get into users’ home computer systems. And that means potential access to things such as personal finances or other personal data stored on those systems.
What’s more, with so many people working from home as a result of the pandemic, access might also be gained to corporate systems.