How to Spot Retail Scams

Tessian • Monday, November 16th 2020
Bargain hunters beware. The popular shopping period leading up to the holidays – along with mega online shopping days like Amazon Prime Day, Singles Day, Black Friday and Cyber Monday – is creating the optimal environment for hackers’ phishing attempts.

And with more people staying home and shopping online due to the COVID-19 pandemic, there are even more opportunities for cybercriminals this year. In fact, 51% of UK consumers and 47% of US consumers told us they have done more online shopping in 2020 than in 2019. 

Why do hackers prey on targets during peak shopping times?

Consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries. Inboxes are noisier than usual, and this makes it easier for cybercriminals to ‘hide’ their malicious messages and prey on individuals who are not security savvy.

What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments.

Impersonating a trusted brand or organization is a tried and tested method that cybercriminals use to successfully hack humans. It’s so effective that 68% of IT decision makers at UK retailers and 53% at US retailers told us, in a report we published last year, that they were worried about their brand being impersonated during the holiday shopping season. 

Despite these concerns, though, our researchers this year reveal that 75% of the top 100 retailers in the US are not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records – meaning that an overwhelming number of retailers are potentially at risk of having their brand’s domain impersonated by scammers in phishing emails. 

Only 16% of top 100 US retailers were found to have DMARC policies set at the strictest settings. 

To learn more about phishing emails – including what they look like and how to prevent them – click here.

How do hackers impersonate brands and people?

Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a company’s email domain in phishing campaigns, convincing consumers that they are opening an email from a legitimate sender. 

From that phishing email, hackers could lure their targets to a fake website that has been set up to steal account credentials or personal and financial information. 

Against the backdrop of holiday shopping deals, it wouldn’t seem out of the ordinary for someone to receive a ‘too good to be true’ deal that encourages them to click a link to ‘find out more’.

But it’s not just consumers that need to be wary. 

Employees, customers, suppliers and vendors of these retailers also need to be aware of the threats that could be present in their inboxes during this time. 

By spoofing the domain, a hacker could convincingly impersonate a senior executive asking an employee to share customer information or even pretend to be the CFO of an organization, requesting that the account details for invoicing be changed.

Vendor impersonation (also called vendor email compromise) is a persistent threat that many businesses are facing right now – one that has increased since the shift to remote working. In fact, Tessian research revealed that over a third (34%) of the phishing attacks organizations received between March and July 2020 purportedly came from an external supplier, while 26% supposedly came from a customer.

Hackers prey on the people-heavy nature of the retail industry. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams. 

Looking for real-world examples of social engineering attacks? Read this article: 6 Examples of Social Engineering Attacks.

How can you protect yourself from phishing scams?

Retailers need to do everything they can to protect people from phishing scams. 

Configuring email authentication records like DMARC and setting strict policies are both necessary first steps for preventing attackers from directly impersonating the business’s email domain.
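As an added illustration (not Tessian’s own code), here is a small Python checker that reads the text of a domain’s DMARC TXT record and reports whether it meets the ‘strictest settings’ bar described above: p=reject, applied to subdomains and to 100% of mail. The retailer domains and records are constructed for the example, and no DNS queries are made.

```python
"""Assess how much impersonation protection a DMARC DNS TXT record really gives.
Constructed records below; no DNS lookups are made. Level order: none < quarantine < reject."""

LEVELS = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' record into a dict; None if it is not v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_dmarc(record):
    """Return a summary dict. 'effective' is the weakest policy a spoofer could hit
    (the organisational p= or the subdomain sp=); 'strict' is True only for p=reject
    covering subdomains and 100% of mail, i.e. the 'strictest settings' in the text."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return {"present": False, "effective": "missing", "strict": False}
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        # RFC 7489 s6.6.3: an invalid/missing p= is treated as p=none if rua= is set,
        # otherwise receivers apply no DMARC processing at all.
        if "rua" not in tags:
            return {"present": False, "effective": "missing", "strict": False}
        policy = "none"
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in LEVELS:
        sub_policy = policy
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # pct<100 leaves part of the mail on a weaker policy
    effective = min(policy, sub_policy, key=LEVELS.get)
    return {"present": True, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "effective": effective,
            "strict": LEVELS[effective] == 2 and pct == 100}

# Constructed example records for four hypothetical retailer domains.
SAMPLES = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example",
    "retailer-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "retailer-d.example": "",   # nothing published
}

def strict_share(records):
    """Fraction of domains whose record meets the strict bar (0.25 for SAMPLES)."""
    return sum(assess_dmarc(r)["strict"] for r in records.values()) / len(records)

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, assess_dmarc(record))
    print("strict share:", strict_share(SAMPLES))
```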

Education on the threats is incredibly important, too.

So if you suspect that you have received a phishing scam this shopping season, here’s what you can do about it:

  • Always check the sender and verify that it’s a legitimate email address. Scammers will often take advantage of the fact that mobile email only shows a display name, as opposed to the full email address. This means that a bad actor could send a message from an unknown email address, but change the display name to “Amazon” to make it appear legitimate.
  • Visit the retailer’s website and official social media channels to cross-check that the deal in question has been mentioned elsewhere.
  • If you receive an email or text that has an associated action or a sense of urgency or deadline, it’s most likely a scam. Ask yourself, does this request make sense?
  • Check for spelling or grammar mistakes. Legitimate messages from large companies will rarely have errors.
  • Look for the padlock in the URL bar. The padlock symbol means the website you are visiting is secure. If the page you’ve been led to doesn’t have this, then it could be a scam.
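An added example, not from the original post, of the first check in the list done mechanically: parse the From: header, look behind the display name that a mobile client shows, and flag the message when that name claims a brand whose domains do not include the sender’s actual address. The brand table and sample headers are constructed for the example.

```python
"""Flag a From: header whose display name claims a brand the sending domain does not belong to.
Example code for this post; the brand table and messages below are constructed."""
from email.utils import parseaddr

# Hypothetical brands and the domains they legitimately send from.
BRAND_DOMAINS = {
    "shopco": {"shopco.example"},
    "megamart": {"megamart.example", "megamart-mail.example"},
}

def domain_matches(domain, allowed):
    """True when domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_sender(from_header, brand_domains=BRAND_DOMAINS):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'.
    Looks at what a mobile client hides: the real address behind the display name."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no usable sender address"
    domain = addr.rsplit("@", 1)[1].lower()
    display_l = display.lower()
    for brand, allowed in brand_domains.items():
        if brand in display_l and not domain_matches(domain, allowed):
            return "suspicious", f"display name claims {brand} but address is at {domain}"
        if brand in domain and not domain_matches(domain, allowed):
            return "suspicious", f"{domain} looks like {brand} but is not one of its domains"
    return "ok", f"address domain {domain} is consistent with the display name"

# Constructed From: headers as a mail client would receive them.
SAMPLE_HEADERS = [
    "ShopCo <offers@mail.shopco.example>",              # real subdomain of the brand
    '"ShopCo" <shopco.deals@webmail.example>',          # brand name, free webmail address
    "Holiday Deals <noreply@shopco-rewards.example>",   # lookalike domain
    "MegaMart <promo@megamart-mail.example>",           # second legitimate sending domain
    "Alice <alice@personal.example>",                   # no brand claim at all
]

def triage(headers):
    """Return the list of verdicts for a batch of From: headers."""
    return [check_sender(h)[0] for h in headers]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r}: {check_sender(h)}")
```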