As the vast majority of customers shop
from the safety of their homes amid another surge of Covid-19 cases, online
shopping is seeing its biggest season ever. Amazon, for example, saw
$4.8 billion in third-party sales in the days after Thanksgiving, a
60% increase from last year. But as online sales surge,
so have the scams. I got an email: "Oh,
your package is almost here. It couldn't get delivered. Click on the following link to get a
status update so it can be delivered." I clicked on the link and then all
of a sudden my whole computer screen went blank. Hackers are impersonating Amazon,
FedEx, UPS and other major shippers texting and emailing fake
package tracking links to launch malware or mine
for personal information. And then I get this big pop-up screen
on my computer that said, "OK, well, we've hacked your computer. Pay us, and I don't remember how many
bitcoin it was, to this account and then we will unlock your computer."
And I mean, I freaked out. Check Point, a cybersecurity firm that
secures consumers and Fortune 500 companies, found that messages impersonating
shippers were up 440% from October to November and up 72%
from this time last year. We have our mind on other things
like pandemic and our kids getting remotely educated and dealing with the
pressures of exposure to a pandemic. So looking for shipping impersonations
is the lowest thing on our priority list. This is a look into
why delivery fraud is on the rise, what's at stake for victims of the
scams and how to stop phishing attacks from flooding our devices. Foot traffic at regional malls on Black
Friday this year was down more than 70% according to S&P
Global Market Intelligence. Meanwhile, Amazon's third quarter sales increased
by 37%, with profit up almost 200%. Wal-Mart's e-commerce sales were up 79%
and Target's were up 155%. Fourth quarter is expected
to be even bigger. Everybody ordered over the
Black Friday weekend. And here we are in the shipping phase
of the holiday season, the first one where people are expecting their packages
and might be expecting an email from Amazon. And it's a perfect time
for these bad actors to prey on consumers that are not
paying close attention. The phishing message includes a fake link
to track or reroute your package and clicking it will launch ransomware or
take you to a site that mimics one of the big shipping companies,
tricking you into entering financial or personal details. In the U.S., Check Point
found that 65% of those were impersonating Amazon. They're successful because most of us
are doing business with Amazon. We're ordering on Amazon. And for us to get an email from
Amazon about a package we ordered would be perfectly normal and expected. You're very likely to click on that,
not knowing that, in fact, it takes you to a bogus non-Amazon website that's
in place simply to steal your username and password that they
can then use for profit. They could sell it. They can
use it on other websites. Chances are you reuse that
password like most people do. The phishing messages also commonly
impersonate UPS, FedEx and DHL. It's so easy for them to send
out these messages to hundreds of thousands or even millions of numbers that even if
they only get a percentage of 1% of people responding to it, it
still makes money for them. The link may redirect to a counterfeit
branded page promising a reward for filling out a survey, or it could
trigger a ransomware attack, as it did for Hoehn. One person clicking on the
wrong link could launch a massive ransomware attack that we've witnessed over
and over, bringing down large companies completely and causing
massive financial damage. The guidance has always been
never entertain these payments. Always send a message to the attackers
that we don't play along with you. Well, that's how
bad it's gotten. The FBI is sometimes, in some
cases, saying pay the ransom. When Hoehn didn't pay the ransom of
some 150 bitcoins, the equivalent of more than $66,000 at the
time, he lost everything from his computer. So I lost all my family pictures
that I had on my hard drive, all my business contacts
and my business information. Months later, Hoehn was the
victim of identity theft. They had my address and my
Social Security number and all my tax information. And then I got this letter from
the IRS when I filed my taxes and they said, "Oh, you've already filed
your taxes and you got your refund." And I was like, refund? And when someone clicks once it signals
to scammers that it could work again. We have heard horror stories
from consumers who start getting so inundated with these text messages and
phone calls that they're then forced to change their phone number. For Hoehn, the attacks did not stop after
the IRS told him his identity had been stolen. It started sending emails
to everybody in my contact list with, "Open the following attached file." And
I had to spend like three days just reaching out to a thousand
people saying, you know, don't open the email. Another form of delivery
fraud involves scammers leaving fake missed delivery tags, enticing users
to call and leave personal information to reschedule
the delivery. And popular on social media now
are fraudulent gift exchanges, what's known as secret sister scams. The problem is that this scam that
is running on social media is not coming from your friends. You're being tacked on to a list
that is generated from who knows where and that's collecting personal information
by a complete stranger. Even unknowing users re-sharing gift exchange
scams can be subject to penalties such as jail
time and fines. Chances are if you send the gift, you're
not going to get 30 gifts in return. That's a classic sign
of a pyramid scheme. And pyramid schemes are illegal
in all 50 states. More general shopping-related scams are
also on the rise. According to Check Point, early November
saw more than double the "special offer" phishing campaigns than early October,
making up one of every 826 emails. You maybe get an email that tricks
you into clicking on a link to a Pandora website that isn't real, where
things are too good to be true. But you fall prey and you do business
on the fake website, give up your credentials, all the way through to the
shipping and then maybe even into the return process. Don't click on any links
in that text or email. Don't press one to speak
to a customer service representative. Hang up the phone, go to FedEx.com
or USPS.com or DHL.com and put in tracking information yourself. But as scammers get better at
impersonating brands, fraud gets harder to spot. It may have the logo on there
that may even be structured to look like the actual website for real. Still, there are some warning
signs to watch out for. If they're asking you to click on a
link to get more information, that's a big red flag. You want to be
on the lookout for, you know, urgent! Warning, urgent. We have some money for you. If you look closer, maybe it's
Amazon.co instead of Amazon.com, or maybe there's an ever-so-slight misspelling like the Z
and the A are reversed in the domain name. There are also ways
to prevent the scam messages from reaching you in the first place. You're going to make sure your devices are
up to date on all the security updates. That's how providers
are protecting consumers is through those updates. Operating systems do
have built-in security protections and so does each mobile provider. And apps like Nomorobo
offer additional blocking features. Because hackers may still make it
through, though, back up your machine and change passwords often. Turn on two-factor authentication and use
a variety of different email accounts and passwords for
different online activities. For my kids, I use
one account for them. They have their own and it
has parental controls on it. They're not on a machine with
my credentials because there's so many things that can go wrong with that. Statistically, many people
are reusing passwords. Don't do that. Use different
passwords across your different logins. And if you do click a link, check
the site is encrypted before entering any personal information. If it's not https and there's no
s on the end, it's not encrypted. You can also look for the little lock icon,
which is going to be up in the left-hand corner. But if you do fall victim
to one of these scams or even just come across one, report it
directly to the Federal Trade Commission or through the Better Business
Bureau's scam tracker tool. And that information is actually used
by the Federal Trade Commission, by state, local and federal
law enforcement agencies. So perhaps somebody on their IT team can
go back and look at that if they're working on a particular case and
try to trace down the bad guys. You can also file complaints with
the Internet Crime Complaint Center, Fraud.org or your
state attorney general. Inform your carrier of a spam text
by forwarding it directly to SPAM. Once a phishing attack
is reported, the U.S. Postal Service and the FBI can get
involved, but it's largely up to the FTC to investigate. I think it's really important that
we empower and adequately fund the agencies that go
after these scammers. Number one, the Federal Trade Commission,
they have a huge responsibility to police unfair and deceptive
practices across the entire economy. And yet their workforce and their funding
is only a fraction of what it was in the 1970s. Enforcement is also difficult because
scammers often leave little trace. These are scammers who, chances are, have
set up hundreds or thousands of look-alike sites so that even if one
of them gets shut down, they just move on to the next
one. These are organized criminals. We've seen a lot of them coming out
of places like Eastern Europe, out of places like the
Philippines, West Africa. Sometimes we see them coming
out of the Caribbean. The companies being impersonated by
scammers are also fighting back. Amazon told CNBC it will go after
scammers working with the FTC or the Better Business Bureau. In a statement,
Amazon said, "Any customer that receives a questionable email, call or
text from a person impersonating an Amazon employee should report them
to Amazon customer service. Amazon investigates these complaints and
will take action if warranted." FedEx told CNBC it does not send
unsolicited text messages or emails to customers requesting money or package
or personal information, and it asked customers to report fraud. UPS has similar policies and a
dedicated reporting email, as does DHL. DHL also told CNBC it partners with,
"A technology company to help us detect trademark infringements, counterfeit
sales, phishing attacks, bogus recruitment ads, other types
of fraud and more." People call them up looking for
the package that never showed up. And they have to, unfortunately, it
ends up being these companies' telephone representatives who often have to
break the bad news to consumers that they
have been defrauded. The companies that make our
devices are also on guard. Microsoft, for example, has a digital
crimes unit that works with law enforcement and claims to have rescued
more than 500 million devices from cyber criminals since 2010. In its recent digital defense report,
Microsoft said it stopped more than a billion phishing emails in 2019, with
attacks up 35% overall in the first half of 2020. Apple, meanwhile, offers public recognition and
even bounties up to $1 million to users who
report security issues. As long as people have been
exchanging things between each other, people have been scammed. Just be aware
that the ways that scammers are contacting victims and getting victims to
pay continually changes with the technology. So what's the next
scam to watch out for? Scammers have figured out what works
and our suspicion is, along with government officials, is they will take a
real hard look at the Covid vaccines. Check Point found fake vaccines
being sold online for bitcoins equivalent to around $300
and phishing emails containing a malicious file with vaccine language in
the name that if clicked on, installs software that mines usernames
and passwords from the device. Organized crime is really gearing up to
try and exploit people's desire to get this vaccine. So consumers should
really expect to start seeing messages on social media, emails, phone
calls, text messages offering to get you to the front of the line
for the vaccine if you'll pay some money up front. That is a big worry for us. And I think certainly in the coming
months, we'll be doing everything we can to educate consumers because definitely
there's the potential for many, many people to
get hurt by this.