Fraudsters are continuing to send victims their own passwords in sextortion scam
A sextortion phishing scam, first identified by the National Fraud Intelligence Bureau (NFIB) in July 2018, continues to be reported to Action Fraud in high numbers.
Christmas Day may have been and gone but the threat of online scams is still high.
Britons could have lost hundreds of pounds through online scams over the Christmas period – and are set to be hit by even more attacks through the presents they have managed to buy.
That is the warning from cyber security experts who see Christmas as one of the riskiest times of the year, with the rush to find bargains and last-minute deals leading people to malicious websites.
Tens of billions of pounds have been spent online in the run-up to the Christmas period, but despite the growth of internet shopping, many customers are still running the risk of buying with unidentified and often unsafe websites. Brits – who together will spend nearly £25 billion over the Christmas period – are at risk of having £725 stolen from their accounts, according to the cyber security firm McAfee.
Scams from such websites are often so significant they can lead to people cancelling Christmas, but shoppers are often enticed to them with the promise of saving money.
"The festive season can be a very busy and expensive time of year, with lots to organise in time for 25 December," said Raj Samani, chief scientist and McAfee fellow. "Shopping online is often a quicker and cheaper way to buy Christmas presents and other festive items."
"With so much going on, it’s understandable that people often want to cut corners. However with this added stress, people regularly take a more relaxed approach to their digital security which can lead to potentially risky and costly consequences."
Such scams usually arrive with an email promising a deal that is too good to be true, complete with a link to click and buy the product. But clicking that link instead takes users to a version of the website that looks identical to the genuine version but in fact is a clone that will take users' money and leave them without the products they could be depending on for Christmas.
Other scams might not include a link at all, but instead involve installing software that can load hoax deals onto otherwise legitimate websites. They are often incredibly complex and believable, leading even the most switched-on of internet users to be caught up in the attacks.
"If something looks too good to be true, just be a bit suspicious," says David Emm, principal security researcher at Kaspersky Lab. "Obviously, there are great bargains at this time of the year, and scammers can peg their offers to just below."
The most common piece of advice that cyber security experts give is a simple but slightly laborious one: rather than clicking any link that arrives in your email inbox, through a Facebook post, or another messaging platform, be sure to type the address in yourself. That way, the address will definitely be correct, and there can be no way for a hacker to cleverly disguise the URL so that it looks like the legitimate website.
In the case of any deals that can't be found on the website, or which look suspicious, cyber security experts advise getting in touch with the company directly to check whether the offer is legitimate.
They also advise that people ensure they do not browse using unprotected WiFi, of the kind your phone might connect to automatically if you are out and browsing in public. While it might be a useful way to get online and to do Christmas shopping when out and about, such connections can be intercepted and the personal information passed over them could be stolen and sold on – causing pain that will last long after Christmas, as details are distributed around the web.
Even the very fact of being away around the holiday season is a risk in itself, the cybersecurity firm Proofpoint has warned. Setting an out of office reply can be an important signal for criminals, its director of product marketing Mark Guntrip warned, suggesting it may be safer not to set one at all, but rather to ensure anyone who needs to know about your break is told directly, or to make sure it is intentionally vague.
Even as the flurry of festive buying subsides, those presents that have been bought continue to represent a danger that could last for much longer. Many of those gifts – including children's toys – represent a shockingly easy way for hackers to break into people's homes, and so could be used for scams and attacks much further down the line.
"The internet of things is a big deal this Christmas: people are hooking up their homes to the web, adding security systems, baby monitors, plug sockets and toys for the kids," says Christopher Boyd, an analyst at Malwarebytes. "And one of the things we find a lot of the time is that these toys just aren't very secure."
One popular baby monitor has a default password of 123, for instance. Since many people won't change that, especially in the flurry of Christmas, hackers are able to simply seek out those newly connected devices and find a way into people's houses with them.
Similarly, children's toys now often come with privacy policies that are at "a university standard of reading level, and on top of that couched in legalese mumbo jumbo", Boyd warns, meaning that they are hard to understand even if children or parents do manage to take a look as the packages are ripped open.
"It's quite difficult to work out where the data's going, what they're doing with it" and whether it has been securely stored, he warns. "They don't really know, and frankly why should they?"