Thanksgiving con artists lurking in consumer inboxes, analyst warns


Black Friday is nigh upon us – and cyber fraudsters are already dusting off their festive seasonal playbooks to try and con consumers out of their money, digital watchdog Avanan warns.

Thanksgiving is typically a time when most US citizens will be gearing up for the festive spirit that tends to suffuse the run-up to Christmas, and it’s no surprise that many start buying gifts for loved ones.

Naturally, retailers both on- and offline are happy to cater to this growing demand for goods with cut-price offers – but sadly, this furnishes the less scrupulous with a fresh attack vector to exploit.

The latest such scam uncovered by Avanan entails sending fake order confirmation notices from big delivery firms to lure e-shoppers into applying for refunds on purchases they never made in the first place.

In fact, the purchase was never paid for either – but by the time the recipient has clicked on the link in a panic, it will be too late to realize this, and their credentials will have been harvested in a classic social engineering attack that plays on the target’s confusion.

The crook’s gift that keeps on giving

Credential harvesting via bogus web links is a tried-and-tested method by which low-level cybercriminals can earn a dishonest buck, selling on sensitive information such as email addresses and account passwords that can be used in subsequent con-tricks by their fellow crooks.

The scam highlighted by Avanan impersonates the delivery service USPS and, curiously enough, appears to target victims in the UK, where Black Friday has taken off in recent years after being promoted there by large American firms.

[Screenshot: Black Friday phishing scam. This scam highlighted by Avanan appears to have targeted UK consumers – note the fake bill in pounds sterling.]

“This email looks like a standard shipment notification,” said Avanan. “It shows an order confirmation, as well as shipping details, including a tracking number. When searching that tracking number, you’ll find it’s not legitimate, but rather associated with similar scams.”

It added: “The email is also for a brand that, when going to their website, leads to a malicious link. What the hackers want you to do is click on the Issue a Refund button. That redirects to a credential harvesting site. The hackers assume that you know you didn’t order from this site – that would encourage you to click on getting a refund.”
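The indicators Avanan describes (a sender address that does not belong to the claimed carrier, an "Issue a Refund" button pointing at an unrelated site, and a USPS bill priced in pounds sterling) can be turned into a simple mail-filter triage check. The following is an added example, not Avanan's code or anything from the original article; the brand-to-domain table and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical brand -> domain table; a real filter would use a maintained list.
BRAND_DOMAINS = {"usps": "usps.com", "dhl": "dhl.com", "amazon": "amazon.com"}
US_ONLY_BRANDS = {"usps"}  # a USPS invoice in pounds sterling is itself suspicious

# Constructed sample modelled on the shipment-notification lure in the article.
SAMPLE_EMAIL = {
    "from": "USPS Delivery <notify@parcel-updates.example>",
    "subject": "Order confirmation and shipping details",
    "body": "Your order total: £48.99. Tracking number: 9400 1234 5678 9012 3456 78.",
    "links": [("Issue a Refund", "https://refund-portal.example/usps/login")],
}

def sender_domain(from_header):
    """Domain part of the address in a From: header (display name ignored)."""
    m = re.search(r"@([\w.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else ""

def same_org(host, brand_domain):
    """True when host is the brand domain or one of its subdomains."""
    return host == brand_domain or host.endswith("." + brand_domain)

def claimed_brand(email):
    """Which brand the message claims to be from, judged by name and subject."""
    text = (email["from"] + " " + email["subject"]).lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)

def phishing_indicators(email):
    """Return a list of human-readable reasons the message looks like the lure."""
    brand = claimed_brand(email)
    if brand is None:
        return []
    reasons = []
    bdom = BRAND_DOMAINS[brand]
    if not same_org(sender_domain(email["from"]), bdom):
        reasons.append("sender domain does not belong to the claimed brand")
    for text, url in email["links"]:
        host = (urlparse(url).hostname or "").lower()
        if not same_org(host, bdom):
            reasons.append(f"link '{text}' points off-brand to {host}")
        if re.search(r"refund", text, re.I):
            reasons.append("refund call-to-action in a shipment notification")
    if brand in US_ONLY_BRANDS and "£" in email["body"]:
        reasons.append("charge in pounds sterling from a US-only carrier")
    return reasons
```

A message that trips several of these at once (the constructed sample trips all four) is a candidate for quarantine or a user warning banner rather than outright deletion, since a single indicator can occur in legitimate mail.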

Avanan urges online shoppers on both sides of the Atlantic to remain extra wary in the next couple of weeks, particularly around emails purportedly sent from big delivery companies such as USPS, DHL, or Amazon.

“Black Friday and the holiday season are just around the corner,” it said. “This has always been associated with an increase in phishing scams that take advantage of these events. Some of the more clever scams will include a phone number to call. These attacks not only steal web-based credentials but also get your phone number, which can be used for further attacks.”

Avanan said it expected to see a rise in Black Friday phishing attacks, citing research from 2020 that saw “special offer” phishing campaigns double in the month of November that year.

“We’ll see a large increase this year,” it added. “And remember – these attacks happen on both business and personal emails. That increases the room for error on the end-user’s side. Between shipping notifications, special offers, refund notices, and more, we are inundated with legitimate emails around our holiday shopping. Hackers, always one to get in on the latest trends, love to take advantage.”