Holiday shopping occurs most prominently in November and December. Many shoppers rush to buy their best friend, significant other, or family the perfect gift before deals disappear. However, a thoughtful consumer isn’t the only one on the hunt for deals—cybercriminals take the opportunity to hunt for your personal information. Their methods? Social engineering attacks designed to trick you into handing over your credit card, SSN, and any other methods of personal information to help them score their biggest deal.
This holiday season, be aware of the different kinds of social engineering attacks: phishing, vishing, smishing, and quishing.
Phishing
Phishing is a social engineering attack through email. These emails contain language such as “urgent” or “important information.” This may not always be the case, but they are always designed to elicit an emotional reaction—something a consumer must do immediately. During the holiday season, this is specific to deals that will go away in 24 hours; phishing emails are sent to consumers with links saying the deal is closing soon, and the link in the email is a chance to get more bang for the buck.
Suspicious links are a staple of phishing emails. If a link is sent to your email, and you aren’t expecting it, hover your mouse over the email address to make sure it’s legitimate. When in doubt, don’t click on the link, and report it as phishing.
Vishing
Vishing is a social engineering attack through phone calling. Everyone has gotten a robo-call at least once, sometimes multiple in a day, with how frequent they happen. While those have become a means to joke on social media, vishing is very serious. Scammers have social media accounts as well, so they’re adapting their schemes. During the holiday season, a phone call about missing packages or a problem with your online credit card payment may be more common, but any vishing call can use familiar sounding names or places to trick you.
If you are called about a lost package, use the tracking number provided to you first to confirm if what they are saying is true. You can also check the shipping customer service webpage and call those numbers directly. If you suspect a vishing scammer on the other line, hang up and report them.
Smishing
Smishing is a social engineering attack through text messages. These are written with urgent messaging about something going wrong or needing to click on a link to solve a problem. While some websites update package delivery via text message, not every text will come from their system. If you receive a text from an unknown number, without expecting one, that has a link attached to it, do not click the link.
Sometimes scammers use multiple numbers; slow down and read incoming text messages to determine if it is legitimate. Typically, there will be spelling or grammatical errors that are easy to spot; an official company messaging system would be less likely to have these errors. Should you receive messaging asking for personal information, such as financial or health related information, report it to a trusted source.
Quishing
Quishing is a social engineering attack through QR Codes. QR Codes are everywhere nowadays and are used to scan for virtually anything, but scammers have taken advantage of this and can create QR Codes designed to steal your information. When scanning for deals on Black Friday, confirm the QR Codes being scanned are legitimate. If you’re shopping in person and are unsure, ask an employee before you scan.
QR Codes are easy methods for scammers because many shoppers assume they are tested, reliable, and safe. Unfortunately, that isn’t always the case. Protect your technology by having a VPN against malicious sites, checking the QR Code for any stickers that might be out of place, and reporting it to the nearest employee if you are suspicious.
Stay safe this holiday season by remembering these three key points.
- Trust your gut. When in doubt, report it.
- Always confirm with a trusted source before acting on urgent matters.
- Look for clues. Even the best scams are not without error.
Marty Serro - Chief Information Officer, Chief Security Officer
Marty joined AQuity (formerly M*Modal) in 1998 and has over 35 years of diversified technology management experience in support, development, security, and implementation across varied industries. During Marty’s tenure with the company he has built AQuity’s global support infrastructure through innovative tools and a high-touch customer supporting infrastructure. Under his leadership, our security team has built an industry leading security framework that ensures client data protection at all times. Marty leads the company’s SOC2, ISO 27001, and HITRUST annual certifications and has established a robust security education and training program for all staff.
