Recently, I received notification from a company which had processed an annual auto-renewal payment. The next day, I received a second invoice appearing to be from the same organization for a significantly greater amount and for products I had not agreed to purchase.
Everything on the invoice appeared legitimate but closer inspection revealed the invoice number was too long compared to the legitimate order, my product licence was incorrect and payment information related to the credit card used was inaccurate.
As a cybercriminologist, it is second nature for me to check suspicious emails and texts. Sure enough, a closer examination of the email quickly revealed the methods used to attempt to trick me into believing the invoice was valid.
First, the creator of this communication included the company’s logo, various products I could have purchased and valid price points. The invoice closely resembled the format of the one I had received from my legitimate purchase the day before.
Second, the invoice included fine print stating I had 48 hours to dispute any amounts charged to my credit card on file with the hope that fear and urgency would cause me to immediately react without further investigation.
Third, if I chose to dispute this invoice, I was to call the number provided to receive a refund within 48 hours. Had I called, the first requirement would have been to provide my credit card details, including the three-digit CVV code, thus providing the necessary information for future illicit purchases.
Finally, when hovering over the sender’s email name, I noted a convoluted email address that was clearly not from the indicated company.
I immediately checked my credit card to see if the company had charged this amount to my card — it had not. Next, I contacted the company which confirmed they had not forwarded this invoice. I requested the company’s spam-reporting email address and forwarded the fraudulent email for them to investigate.
Most curious was the timing of the communication, given I received this invoice one day after the company had processed a legitimate annual renewal for their services.
I wondered: Is someone monitoring my computer; are they monitoring emails from that company to their customers; has someone hacked the company’s database of customers or accounting department; or have they, while highly unlikely, infiltrated the credit card company’s systems and are monitoring transactions? Given the timing of the fraudulent email, I began to wonder if it was related to the holiday season.
In the U.S., online holiday purchases will exceed $200 billion. Canadians will spend almost $30 billion.
During this year’s holiday season, more than half of all purchases will occur online — often after hours of scanning the internet for the perfect item and best deals.
In the U.S., online holiday purchases will exceed $200 billion. Canadians will spend almost $30 billion.
Cybercriminals love the holiday season too, as internet shoppers spend increasing time surfing for gifts, often unaware of the wealth of personal information disclosed with each search, communication and online purchase.
Every search reveals our interests, our favourite websites, financial details when paying for items, shipping and billing addresses, and more. It’s a treasure trove of information for cybercriminals who collect this information, or, using our email addresses, subsequently forward creatively designed scam messages.
Cybercriminals have become experts in camouflaging malicious emails by emulating organizations and government agencies. Additionally, our need to acquire information about COVID-19 continues to provide cybercriminals with unlimited opportunities to provide malicious websites that prompt us to “click here” to learn more.
By monitoring our search histories (clearing the cache regularly can help alleviate this), email and text communications, online purchases and reviews, cybercriminals are able to send realistic looking messages to disguise malicious cyberattacks.
Text messages have surpassed emails as the most common method of delivering phishing attacks — aimed at accessing a victim’s personal or financial information — and malware, due to the exponential increase in smart phone usage and apps. Simple messages with a link recipients can respond to continue to fool the most cyber-savvy recipients.
Given the dramatic increase of online shopping and providing payment information for purchases, an increasingly successful tactic involves fake notifications from an organization whose website you visited.
Be extra diligent while e-shopping this holiday season, and keep the Cyber Grinch at bay.
Chris Kayser is a cybercriminologist and founder, president & CEO of Cybercrime Analytics Inc. He is the author of two books: Cybercrime through Social Engineering – The New Global Crisis and How to Master an Online Degree – A Guide to Success.” He can be reached at ckayser@cybercrimeanalytics.com, or www.cybercrimeanalytics.com.