Cyber criminals are often one step ahead of consumers, who are eager to get the latest Black Friday deal and save some money on their holiday gifts.
But these hackers are ready and prepared for the onslaught of deals and promos that will appear in people's emails and texts, making it easier for them to scam people out of their hard-earned money and gain some financial data.
Here are the top 12 Black Friday scams to be aware of this holiday season.
12 Black Friday Scams to Watch Out For
1. Credit Card Theft Malware on Retail Websites
Formjacking, aka "e-skimming," "web skimmer" or "Magecart," is a cyber attack where the hacker is able to slip a malicious script into the website of a legitimate retailer, said Jason Glassberg, co-founder of Casaba Security, a white hat hacking firm headquartered in Redmond, Washington.
This malware targets customers when they try to complete an order on the online checkout page or shopping cart. As soon as they type in their payment information into the online form, the malware captures this data and sends it to the hacker, Glassberg said.
"The customer will never know they're being scammed and the retailer will have a hard time detecting this type of hack as well," Glassberg said. "Formjacking is usually accomplished by hacking into a third-party service provider to a retail website, rather than breaching the retailer itself. This is what makes the attack very difficult for the retailer to detect since it's not happening through its controlled system."
2. E-commerce Software, Advertising Platforms and Customer Review Plug-ins Are Targets
Hackers typically target chatbots, e-commerce software, advertising platforms and customer review plug-ins such as Magento, Shopper Approved, Feedify, Inbenta, PrismWeb, Adverline.
In April 2019, 200 online campus bookstores were infected with web skimmers after PrismWeb was hacked. Last year, hackers infected over 7,300 websites after slipping skimmer scripts into Magento's code library. The Feedify breach is believed to have affected 250 to 300 business websites while Adverline's compromise impacted 277 e-commerce sites.
Formjacking malware has been around for years, but the attacks didn't really take off until last year," Glassberg said.
"It's now becoming increasingly popular among cybercriminals because it is easy to carry out, hard to detect and highly profitable," he said.
This is now one of the major threats facing retailers online. According to RiskIQ, hundreds of new website infections are occurring every day. Symantec reports seeing 4,800 websites infected every month by this attack.
Since virtually every website relies on third-party services in order to operate, these attacks will continue to "plague the retail industry over the next few years," Glassberg said.
3. New Twist on Card Skimming
Card skimmers go back over two decades and they've been a constant thorn in the side of retailers, gas stations, hotels and ATMs, Glassberg said.
The scammers are now facing a challenge with the chip-and-PIN system because it will completely block any attempt to "skim" the card information.
This is why card theft rings have begun switching to new "shimmers" which can capture data from the more secure chip-and-PIN cards, he said.
A "shimmer" is a new twist on the card skimmer and is inserted inside the card reader slot where it is much harder to detect. It is a paper thin chip and it intercepts the EMV chip as it is trying to carry out the intended transaction, Glassberg said. The information is captured by the shimmer and the attacker gets all of the pertinent information to clone the card.
4. Fake Retail Websites are Increasing
Shoppers are likely to run into another scam that tricks them with a fake web domain where they will be taken to a malicious site that could infect you with malware or steal your information. It could prompt you to enter in personal information or a payment card in order to receive the promised discount or reward.
There are two tricks in particular that shoppers need to watch out for -- typosquatting and combosquatting, Glassberg said. These are scams in which the cybercriminals register phony web domains based on subtle variations in the URLs of real websites. Take target.com as an example.
"A typo squatter might try to register tagret.com or targte.com, betting on the fact that at some point someone will accidentally mistype the web address, the so called 'fat fingers' syndrome," he said. "Similarly with combo squatting, the criminal will create variations of the domain name that may appear legitimate to a consumer. For instance, for kohls.com, a hacker could try to replace the letter "l" with the number "1" (koh1s.com) or a capital "i" (kohIs.com), or insert a domain extension like kohls-deals.com, which creates a brand new web address although it may look legitimate to the consumer."
Combosquatting may be used in phishing and smishing campaigns to lure people into clicking on the fake web domains of real retailers.
"This is particularly true during the holiday shopping season when people are eager to score deals," Glassberg said. "Consumers should be very cautious when receiving a message offering free gift cards or too-good-to-be-true savings. The hacker might use a domain extension like retailer-discounts.com to give the appearance of legitimacy."
5. Email Scams
Scammers prey on consumers by proposing fake gift card offers and phony alerts about account overdrafts, fraudulent bank activity and missed deliveries, said Alex Hamerstone, GRC practice lead at TrustedSec, a white hat hacking firm headquartered in Strongsville, Ohio.
Cyber criminals are really good at taking advantage of consumers' anxieties about money and the fear of missing out (FOMO) during the holiday season. New phishing kit services in the Dark Web make it easier than ever for criminals to impersonate legitimate companies and government services.
The emails will look like they really did come from your bank, Amazon (AMZN) - Get Amazon.com, Inc. Report or UPS (UPS) - Get United Parcel Service, Inc. Class B Report , he said. They will match their logos and in some cases use similar language to the real messages these companies send to their customers. They also spoof the email addresses of those organizations.
These phishing emails will urge you to click on a link or call a customer service number, the latter of which will be manned by criminal operators.
6. Text Message Phishing Scams
Text message phishing, which is known as smishing, is even trickier for the consumer because there is not much information in determining if the message you've received is authentic. Unlike with email, there is no header or return-path for you to check to verify the authenticity of the sender.
"The language used in the text message may be very similar to legitimate messages from retailers, mobile carriers and other companies," Hamerstone said. "Also, because it's a text message, the use of a tiny URL will not strike the consumer as odd or suspicious."
Smishing is increasingly popular among cybercriminals for these reasons and the scams are only going to get more sophisticated.
"It's easy for criminals to spoof the mobile version of a company's log-in page, to trick you into sharing your credentials," Hamerstone said. "They may also offer a mobile app to install directly onto your phone, which will plant malware on your device that will steal your information. Even the phone numbers they provide you for 'customer service' will likely go to a fake call center, where the operators are trained to steal your information."
Never respond to these messages, click on the links or download the attachments. Never install a mobile app sent to you via a text message link.
7. Criminal Call Centers
Criminal call centers are fake operators that are trained to impersonate the customer service department of a real company or government agency and they will trick you into sending a payment or sharing your personal and financial information.
"These call centers can be very sophisticated and they may even play fake office sounds in the background to give the impression of a busy call center or office," Hamerstone said. "They will also spoof the publicly-listed phone numbers of real companies to make the call more convincing."
Criminal call centers are often used in conjunction with email or text message phishing, because the scam will be more convincing if you've received multiple communications from a fake company or if you are enticed to call the number yourself.
"However, these call centers can also operate indecently of those efforts and simply call you up directly to warn you about suspected fraud on your account, a past due IRS bill or something else that is urgent in nature and preys upon your natural fears and anxieties," Hamerstone said.
8. WiFi Spying ("Man-in-the-Middle")
Consumers should avoid using public WiFi because it is never safe to use.
Criminals can create fake network access points that imitate the real ones such as "Starbucks (SBUX) - Get Starbucks Corporation Report Guest Network 1" which will trick you into connecting to it or they will hack into legitimate WiFi networks if they don't use strong encryption and thereby intercept your data.
There is also the possibility that the router itself has been previously hacked or infected with malware, and the owner of the router doesn't realize it.
"For instance, the local coffee shop probably doesn't have a crack IT security team working around the clock to ensure its network connection is secure," Hamerstone said. "The same is also true for hotels and other local venues that provide public WiFi."
It's best to avoid public WiFi altogether and instead stick with your cellular connection or use your phone as a mobile hotspot.
9. Fake Offers on Social Media
Social media scamming goes into overdrive during the holiday season and there are incredible fake offers out there such as a Nintendo (NTDOY) Switches for $150.
Criminals will advertise for popular items, offering ridiculously low prices that will be hard to resist, Hamerstone said.
They may also offer gift cards and reward points, but require you to share your card number to receive them. Charity scams are also common on social media this time of year.
"No matter which scam it is, the ultimate goal is to get your money or your information," Hamerstone said. "They will try to trick you into making a card payment or wiring funds, they will also solicit your personal information. In some cases, these criminals may also try to infect your device or browser with malware, often through tiny URLs."
10. Virtual Money Fraud and Identity Theft
Criminals can rip you off without ever touching your bank account. Virtual money fraud is a growing threat to consumers and businesses, said Randy Pargman, senior director of Binary Defense, a cyber threat intelligence firm headquartered in Hudson, Ohio.
These days, criminals are increasingly targeting customer loyalty rewards programs, including retail rewards and airline frequent-flyer programs. Many of these accounts are only protected by a password associated with an email address.
The recent Disney+ (DIS) - Get Walt Disney Company Report account compromises demonstrate that attackers have lists of billions of previously-compromised passwords associated with email addresses from thousands of prior breaches. If customers re-use the same passwords or even similar passwords across multiple websites, they are at risk of attackers taking over their loyalty program account and spending all of their rewards, points or miles fraudulently.
"I recently discovered that my Hilton Honors points could be used like cash to make purchases at Amazon.com," Pargman said.
Although these account takeovers can occur through social engineering, such as phishing emails, text messages or phone calls that trick the user into handing over his or her credentials, in the majority of cases the attacker is simply hijacking the account directly by guessing the password.
"Hackers use 'credential stuffing' attacks to crack these accounts," Pargman said. "This is when the hacker has a database of old passwords gathered from previous data breaches and then runs them against any number of other online accounts until they get a hit. They also use password cracking tools which can guess weak passwords."
11. Signing Up for a Retail Rewards Program at a Third Party Site
If you've never heard of a third-party website, avoid signing up for it, said Chris Morales, head of security analytics at
, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers. Since all shoppers are seeking discounts, when people register for these websites, they often use the same password and email as they would for many other sites.
"Be suspicious of that too good to be true deal again," Morales said.
If you're going to sign up for one, use different passwords than you have in the past. It is hard to remember every password, so use a password manager like LastPass to provide a secure method of storing and remembering those passwords.
12. Be Aware of Counterfeit Goods
Don't make the mistake of buying counterfeit goods. Fraudsters may use the excitement of Black Friday or Cyber Monday to push fake products, said Alex Guirakhoo, a strategy and research analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
"Be suspicious about sales, prices, and deals that are well below the typical going price, even on Black Friday and Cyber Monday," Guirakhoo said.