
The Globe and Mail

Holiday shopping season a big opportunity for e-mail phishing scams


The holiday shopping period in North America comes with enormous opportunity for consumers and retailers to end the year with a bang, but it's also one of the richest hunting seasons for online fraudsters invading your e-mail inbox with "phishing" schemes.

According to Adobe Analytics, Americans are projected to spend $5-billion (U.S.) online on Black Friday and $6.6-billion on Cyber Monday, and total online spending for the holiday period could top $107.4-billion.

That adds up to a lot of confirmation e-mails from a lot of sources among which scammers are hoping to hide themselves.


"The bad guys are getting smarter; round about Christmas time is kind of like their Super Bowl," says Raj Samani, chief scientist at digital security company McAfee Labs.

Mr. Samani says scammers are taking advantage of the moment by impersonating retailers, shipping companies and other intermediaries in messages that claim to need immediate attention.

It can be difficult to get numbers on the size of the problem, but the Enigma Software Group's SpyHunter anti-malware software recorded a 99-per-cent jump in malware infections in the Black Friday-Christmas period in 2016 over the same season the year before.

This was up from 84-per-cent increases in 2015 and 42-per-cent in 2014.

"We see a rise in mass phishing attempts tied to anything that hits the mainstream consciousness. Olympics, World Series, death of a star, big controversies et cetera," says Mark Nunnikhoven, a vice-president at security company Trend Micro.

That includes large-scale hacks of customer data, such as the ones at Equifax and Uber in recent months, which provide an opportunity to take advantage of consumer fears over privacy issues and get people to click.

The most common result of phishing attempts is that ransomware will get installed on your machine, encrypting your data and demanding payment for the keys to restore your files. After that comes more traditional malware aimed at turning your computer into a bot that assists with any number of other cybercrimes (malvertising, denial-of-service attacks and so on), and straight-up theft of credit-card and payment credentials. Even something as simple as handing over your password could lead to a scammer selling your Netflix account so someone else can watch on your dime.


For businesses, phishing attacks have now evolved to include "business e-mail compromise" campaigns that aim to impersonate executives or normal business partners and get a firm's employees to share data or redirect funds. The FBI's Internet Crime Complaint Center reported that in more than 40,000 incidents spread across 131 countries between 2013 and 2016 these scams accounted for more than $5.3-billion in potential losses.

Adam Levin, an American cybersecurity author and entrepreneur, identified a number of other clever consumer-aimed scams to avoid, including gift-card fraud, fake shopping apps, holiday travel scams and fake charities.

Mr. Samani describes the social-engineering manipulation behind phishing schemes as "hacking the human operating system" because, he says, they use basic human psychology to make us abandon our common sense. They rely on cues such as authority (it sure looks like my bank's website) and scarcity (it says I only have 24 hours to respond).

A 2016 Verizon report found that at least 30 per cent of phishing messages were opened and 12 per cent of users clicked on the link or attachment that launched the attack.

But Mr. Samani also says consumers shouldn't assume the person on the other end of the scam is some sort of super-hacker criminal.

"My 11-year-old daughter can go online with no technical expertise and Google for tools that will help her do this," he says. "Some [illegitimate] services have a free customer-service help desk that guides you and advises you on how to run your campaign. My dad could be the next big cybercriminal."


The rules for not getting phished are simple:

1. Don't click on a link sent to you in an e-mail. Don't do it. If it's from an online service you have a relationship with, go directly to their site and see if there's anything you need to pay attention to.

2. What if it looks really serious and I need to click it? Check the domain first, and if it looks different from the retailer's real domain, don't trust it. Popular fake domains created to fool e-commerce shoppers include:;;;; If it looks odd, go back to rule one.

If you're curious whether you've got a known scam on your hands you can copy (but do not click) the link and check it on (part of Cisco Systems) which has a pool of 118,000 users who submitted five million examples of phishing-like e-mails, and validated 2.2 million of them as scams. Currently, about 2,000 phishing scam e-mails are being identified a day (the volume rises and falls, but about 800 more each day are being checked this week than last week).
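Rule two turns on reading the domain the link really points at, not the text shown in the message. The Python script below is an added illustration of that check; it is not part of the article or of any product the article mentions. The retailer domain (example-shop.com) and every sample link are constructed for the example. The script reads the host a browser would actually contact, flags the subdomain, username-in-URL, look-alike-character and raw-IP tricks, and compares only the registrable domain. Treating the last two labels as the registrable domain is a simplification; a real checker would consult the Public Suffix List so that names like shop.co.uk are handled correctly.

```python
"""Check whether a link in an e-mail really points at the retailer it names.

Added example, not from the article. The retailer domain and all sample
URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical retailer whose name a phishing message might borrow.
EXPECTED_DOMAIN = "example-shop.com"


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname (e.g. 'evil.example').

    Simplification: production code should use the Public Suffix List so
    that 'shop.co.uk'-style names work; two labels are enough to show the
    subdomain trick described in the article.
    """
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL found in an e-mail.

    trusted is True only when the link's registrable domain, after
    normalisation, is exactly the retailer's domain.
    """
    parts = urlsplit(url.strip())

    # 1. Only web links are acceptable; anything else is rejected outright.
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"

    # 2. urlsplit ignores everything before '@', so a link such as
    #    'https://example-shop.com@evil.example/' has hostname 'evil.example',
    #    which is the host the browser would contact.
    host = parts.hostname
    if not host:
        return False, "no hostname"
    if "@" in parts.netloc:
        return False, f"username-in-URL trick: real host is {host!r}"

    # 3. Normalise case and a trailing dot, then convert any non-ASCII
    #    characters to punycode so look-alike letters show up as 'xn--'.
    host = host.lower().rstrip(".")
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "hostname is not a valid internationalised name"
    if ascii_host != host:
        return False, f"internationalised hostname: {ascii_host!r}"

    # 4. A bare IP address is never a retailer's checkout page.
    if ascii_host.replace(".", "").isdigit():
        return False, "raw IP address"

    # 5. Compare the registrable domain, not the start of the hostname:
    #    'example-shop.com.evil.example' belongs to evil.example.
    domain = registrable_domain(ascii_host)
    if domain != expected:
        return False, f"domain is {domain!r}, expected {expected!r}"
    return True, "domain matches"


if __name__ == "__main__":
    # Constructed sample links of the kinds the article warns about.
    samples = [
        "https://example-shop.com/orders/123",
        "https://www.example-shop.com/orders",
        "https://example-shop.com.evil.example/login",
        "https://example-shop.com@evil.example/login",
        "https://examp1e-shop.com/",
        "https://ex\u0430mple-shop.com/",  # Cyrillic 'a' in place of Latin 'a'
        "http://203.0.113.5/example-shop",
        "ftp://example-shop.com/",
    ]
    for link in samples:
        trusted, reason = check_link(link)
        print(f"{'TRUST' if trusted else 'REJECT':6} {link}  ({reason})")
```

The only links the script accepts are those whose registrable domain is exactly the retailer's, so a legitimate subdomain such as www.example-shop.com passes while every lookalike is rejected with the reason printed beside it.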
