
Beware the grinch: how cyber criminals target Christmas shoppers

Security pros offer gift-buying, techie present-receiving tips.
Cybersecurity experts are warning Christmas shoppers as well as those receiving high-tech presents to be wary of how they buy and what to do with presents once opened.

With the growth in online shopping — particularly during the COVID-19 pandemic — cybercrooks have learned more about how to target people for scams, say B.C.-based tech detectives Derek Manky and David Masson.

Manky is chief of security insights and global threat alliance for Fortinet, a California-based company with a research and development centre in Burnaby, while Ottawa-based Masson is director of enterprise security at Darktrace, a global, U.K.-based company specializing in cybersecurity using artificial intelligence.

Both agree the threats posed to Christmas shoppers have increased as data thieves find new ways to steal people’s data by luring them into bogus gift buying.

Manky says the easiest way to avoid being scammed is to stick with known companies. Even then, he says, online shoppers should check to see that website addresses are correct. Watch out for typos or name modifications.

For example, Masson says, if you want to use Amazon, make sure the web address isn’t ‘amazoom,’ or ‘amazona’ or some other variation.

Further, he adds, “If you're looking for something, my advice would be go and look for it yourself. Don’t wait for someone to look for it for you.”

Such a ‘someone’ could be a crook looking to scam shoppers through what is known as social engineering, the use of lures that attract people via texts, email or social media.

“When you get this kind of thing people tend to — guess what — click on them,” Masson says. “That’s a bad idea.”

Instead of clicking, do a Google search, he suggests. Get the correct website on your own initiative.

Some of those clickable items might also contain ‘weaponized’ documents, Manky continues.

Further, he warns, be wary of WordPress documents with shopping cart plug-ins. Many are compromised and serve as a portal for crooks to gain access to your personal data. For secure shopping, Masson and Manky say, make sure a website address has an ‘https’ prefix or a lock icon at the address.

Even the CAPTCHA buttons that many have relied on for security are open to abuse now. Some are links that could allow crooks into systems. Mouse over the link and look at the website that action brings up, Manky advises. If it looks too good to be true, it probably is.

And, both stress heavily, do not use credit cards in unsecured Wi-Fi environments. If you can use a VPN or virtual private network, great. If you can’t, “wait until you get home.” 

Change default passwords on your tech

Increasingly, high-tech presents are being found under Christmas trees. Both Masson and Manky say there are pitfalls associated with those gifts that could compromise people’s privacy and cybersecurity.

Both stress that any default passwords associated with such gifts should be changed on first use. Default passwords are sold around the world and cybercrooks can use them to get into users’ home computer systems. And that means potential access to things such as personal finances or other personal data stored on those systems.

What’s more, with so many people working from home as a result of the pandemic, access might also be gained to corporate systems.
