Email is the number one channel scammers use to trick consumers, and it gets phishier during the holidays. If you’re shopping online, here’s how to stay safe – and the first thing to do if you click a phishing link.
As the holidays draw near, the hustle and excitement aren’t the only things ramping up. Phishing scams peak between September and November, when inboxes overflow with shopping and travel confirmations, charity requests, and marketing emails.
The consequences can be severe:
- In 2023, Americans lost $10 billion to fraud, a 14% jump from the previous year, according to the Federal Trade Commission (FTC).
- One in four people reported losing money to scams, with a median loss of $500 per person.
- Shopping fraud and impostor schemes were the most common frauds, and many were carried out through phishing emails.
- Email remains the primary contact channel for cyberattacks.
- 40% of consumers check email looking for brand discounts, which makes them more susceptible to phishing during the holidays.
But don’t panic. According to Vlad Cristescu, Head of Cybersecurity at ZeroBounce, there are steps you can take to protect yourself – even if you already clicked on a malicious link. With October being Cybersecurity Awareness Month, it’s a good time to brush up on these precautions and stay alert.
The holiday season is scammer season
“The holidays are prime time for scammers to strike,” Cristescu explains. “People are shopping like crazy, donating to causes, and spending more time online than usual. Scammers know we’re feeling generous and maybe a little rushed, so they take advantage of that.”
The psychology behind it is simple: we’re distracted. “We’re all looking for last-minute deals, eager to get things done quickly, and that’s when we let our guard down. When you’re juggling a bunch of things, it’s easy to miss those little signs that something’s off.” And that’s exactly what scammers count on.
Top 3 phishing scams to watch out for
There are many types of scams that could land in your inbox, but according to Cristescu, three types stand out during the holidays:
1. Account log-in scams: “You’ll see emails that claim something’s wrong with your account and urge you to log in to fix it. These can be convincing, but they’re just fake pages set up to steal your username and password.”
2. Fake shipping notifications: “With everyone ordering gifts, scammers send emails that look like they’re from Amazon, FedEx, or other big companies. They know you’re waiting for packages, so they trick you into clicking to ‘track your order’ or ‘fix a delivery issue’ — but they’re really just after your passwords.”
3. Bogus eCommerce or “too good to be true” deals: “These phishing emails often impersonate major retailers or brands. They can lead you to fake websites where you’re prompted to put in sensitive information like credit card details or login credentials.”
Last year, more than 1.2 million scams targeted Amazon alone, according to a Bolster AI study. To safeguard your business domain from spoofing attacks, it’s essential to implement email authentication protocols like DMARC, SPF, and DKIM. These measures help prevent hackers from breaching your domain and sending malicious emails on your behalf.
How to spot a phishing email
Phishing emails can be sophisticated, “especially with AI making them look pretty legit,” Cristescu says. But the cybersecurity expert emphasizes that there are still a few tell-tale signs.
“A big one is when the email starts with something generic like ‘Dear Customer’ instead of using your name. Another red flag is if the message is trying to induce panic by telling you that your account will be locked or that you need to act fast.”
Here are a few more red flags to watch out for, according to Vlad Cristescu:
- Weird sender email addresses: Even if the email looks like it’s from a company you know, check the email address closely. Extra letters or random numbers are usually a giveaway.
- Strange attachments: If there’s a random file attached, especially something like a .zip or .exe, be careful. Most companies don’t send attachments unless you’re expecting them.
- Suspicious links: Before you click any link, hover over it and see where it’s really taking you. If the URL looks sketchy or doesn’t match the website it claims to be from, don’t click.
- Bad grammar or awkward wording: Phishing emails often have little spelling mistakes or just sound a bit off. If it feels weird, it may be a phishing decoy.
- Asking for personal info: No legitimate company will ask for sensitive info over email. If they do, that’s a big red flag.
- Too-good-to-be-true deals: If the email offers something that sounds way too good, it’s probably a scam trying to get you to click.
Already clicked on an email scam? Here’s the first thing you should do
If you’ve already clicked on a malicious link, “don’t freak out,” Cristescu says. “It happens to a lot of people.” But here’s what you should do immediately:
- Disconnect from the internet: “Disconnecting from Wi-Fi or turning off your data can help stop any malware from spreading further.”
- Run a malware scan: “After you’re offline, run a full malware or virus scan on your device to check if anything harmful got installed. It’s better to catch it before it can do more damage.”
- Change your passwords: “If possible, use a different device that you know is safe to change the passwords on any accounts that might be affected. This helps avoid further compromise if the original device is infected. And if you’ve reused the same password on other accounts, change those too.”
- Contact your bank or credit card company: “If you gave out any payment info, let your bank or credit card provider know right away. They can monitor any suspicious activity or freeze your account if necessary.”
- Report the scam: “You should report the phishing email to your email provider, and you can also file a report with authorities like the FTC and FBI.”
- Keep an eye on your accounts: “For a little while, be extra watchful of your bank, email, and social media accounts. Scammers don’t always act immediately, so staying alert can help you catch any issues before they get worse.”
The three months leading up to December account for 20% of all phishing scams for the entire year, according to Bolster AI research. As you rush to check off your holiday to-do list, remember to pause and double-check the emails you receive. “Before you click on a link, take just a few extra seconds to ensure no scam is slipping through,” Vlad Cristescu advises.
About Vlad Cristescu
Vlad Cristescu is the Head of Cybersecurity at ZeroBounce. He has more than 14 years of experience in his field and is passionate about demystifying technology and security for companies and individuals. Previously, Cristescu provided cybersecurity consultancy services at one of the UKs’ largest cybersecurity distributors.
About ZeroBounce
ZeroBounce is an email validation, deliverability, and email-finding company that helps businesses improve their email marketing performance. A multiple Inc. 5000 honoree, ZeroBounce is the go-to choice for more than 350,000 customers worldwide.
Ensuring military-grade security, ZeroBounce serves companies of all sizes, from solo business owners to Amazon, Coca-Cola, Disney, Netflix, and Sephora.
In 2022, ZeroBounce founded Email Day (April 23), now an international holiday honoring email inventor Ray Tomlinson.
For more information, visit https://www.zerobounce.net/
***