© 2021 CyberNews - Latest tech news,
product reviews, and analyses.


Dave Hatter's tips for safe online shopping: you are a target


Online shopping was already on the rise before the pandemic. Consequently, there’s been a spike in cybercrime. CyberNews spoke to cybersecurity consultant Dave Hatter about what to expect from criminals this year and how to protect yourself while shopping online.

So you’ve come across this deal online that seems too good to be true. Well, it most likely is not.

Another shop is closing, and it feels like your last chance to get some boutique items at 50% off? Well, that shop probably never existed in the first place.

“The folk need to be extra vigilant and extra careful as they go into the shopping season online,” Dave Hatter from intrustIT told CyberNews.

Scammers are always changing their tactics, but they still mostly rely on the same basic techniques, so 99% of the attacks can be prevented by turning on multi-factor authentication.

“You are a target, no matter how small you are,” reminded Dave Hatter.

What’s your prognosis? Will people shop online more because of the pandemic?

If you look at the trends of the last several years, online shopping seems to take an uptick. More and more people are comfortable with it, and more and more people have access to various digital devices, whether it’s phones, tablets, or PCs. And more people have internet access. 

Many retail stores are closed or have limited hours. Some, unfortunately, have gone out of business. Also, you have people who were forced to work from home, who have time on their hands, and you’ve got kids spending more time on their devices.

It’s a natural upward trend of shopping online because it’s convenient, it’s easy, it’s relatively safe if you take precautions. You can get some incredible deals without leaving your house, coupled with the pandemic and the fact that some people don’t want to leave for health reasons.

You have fewer brick-and-mortar retail stores as options, and it will lead to another substantial uptick in online sales.

The cybersecurity-related organizations have reported on giant spikes they are seeing, especially since the pandemic started. There were a bunch of warnings around Amazon Prime Day, warning people about phishing attacks. The writing is on the wall, so the folk need to be extra vigilant and extra careful as they go into the shopping season online.

Will we also witness an uptick in cyberattacks as the holidays get closer?

You can count on that. You don’t have to go too far to find a bunch of headlines recently from a variety of cybersecurity-related organizations. Here’s one from CrowdStrike: More Cyberattacks in the First Half of 2020 Than in All of 2019. That’s just one company. Others like Barracuda have said that they’ve seen a huge spike in crime, and here’s the headline from Fortinet: New global threat landscape report reveals unprecedented cyberattacks.

The FBI has reported a huge uptick in reported crimes. Now, I’ve seen stats from the FBI, and they claim they only get from 10 to 12% of cybercrime reported for a variety of reasons. 

There’s already ample evidence, whether it’s been phishing and scams related to the PPP (Paycheck Protection Program), the stimulus program, people posting bogus jobs, and asking people for money around training for those so-called jobs, or just trying to monger fear around the pandemic. You get an email that says that you’ve been exposed to something infected and asks to download this file, which, of course, has some type of malware, maybe ransomware.

Ransomware has become a huge problem here. People are working from home, in environments that typically are much less secure than they would be in a corporate network. They don’t have the same types of routers, firewalls. People might be using their equipment at home that may or may not have patches installed, may or may not have firewall software, may or may not have antivirus software, they may or may not have their kids using the same devices. The bad guys know this. They know that people working from home are spending more time online in a much less secure environment. And, of course, they are capitalizing on that.



Are scammers getting smarter and more sophisticated?

They are always changing their tactics. Still, they mostly rely on the same basic techniques. When you get down to it, it’s relatively easy to go and buy a list of names, email addresses and launch a phishing attack. You can buy space on a cloud-based server in some foreign country, which makes it difficult for the US to try to prosecute. It’s inexpensive to spin up a web-based server, to send a bunch of emails, run it for a couple of hours, a couple of days, and tear it down, and do the same thing somewhere else. I can pay for it with bitcoins, it’s hard to trace, and it uses encrypted communication.

It has never been easier for the bad guys to take advantage of the technologies that are out there not only to cover their tracks but to launch these attacks. And you get ransomware as a service now. 

With the scale that this can be done at - if I can send a million emails, and only one percent of these people are defrauded, let’s say, for a hundred bucks, I just made a lot of money. If I’m not in the United States, and I’m using things like bitcoin and encryption, I can make it really hard for you to track me down and very difficult to prosecute.

The bad guys are making a lot of money. They are able to do it very quickly. The bad guys still rely on the same basic techniques - phishing or social engineering. They are increasingly turning to things like smishing, or SMS-based phishing. It’s more difficult for the average non-technical person to look at a text and know that it’s fake. I don’t think most people even realize smishing is a thing.

Criminals will try to search your network looking for vulnerable IoT devices and use those to get into your network, and to get your data or take over that device, maybe plant ransomware. A huge score for a cybercriminal is if he can get into your network and then leverage that to an attack on the corporation you work for. He might be able to get a much larger ransomware score, steal some trade secrets.

They evolve their tactics and take advantage of the news of the day. One of the devious attacks that was really popular in the pandemic, when people were being laid off or their companies were going out of business, was the bad guys posting jobs on legitimate sites. You click on a link, and it takes you to a look-alike site, where they scrape the content of some real website. So it appears as if it is a legitimate job, like a real company, and they get you into their trap, they interview you. In the end, when you think you are going to get a job, they say that you need to take this training, and it’s going to cost this much money, or we need your bank account so that we can set up direct deposit, and then you are out of that money.

The bad guys are going to do things like send you an email that appears to be from FedEx or UPS, claiming that a package has been delayed, and try to get you to click on that link so that they could steal your credentials or to download some ransomware.

There are so many retailers to choose from when shopping online. What should I be vigilant of? What are the first red flags I should be looking out for? Should I treat certain narratives, such as ‘going out of business’ tales, as red flags?

My first advice would be to stick to well-known reputable sites and initiate the transaction. Around Amazon Prime Day, there was a warning that Amazon doesn’t typically use sites like Groupon to create coupons. If you get emails that purport to be coupons from Amazon, it’s probably fake. It’s a 99% likelihood that it’s fake. The first thing is to be skeptical. 


Don’t click on links that are too good to be true. Go to Amazon, go to Target on your own, open your browser, and look for that deal.

Stick to reputable sites. If a website you’ve never heard of before is trying to sell you something, you can’t just assume that the reviews are accurate. People post fake reviews all the time to create legitimacy. 

Make sure you have antivirus software on your computer and that it’s being updated. Make sure that you’ve installed all the latest updates for your device, whatever that might be - your phone, your computer - so that the bad guys can’t exploit known security holes in there.

For years, nerds like me said you have to look for the lock in your browser. It should say HTTPS. That’s still really important. You should never put any sensitive information into a website where you don’t see that lock. But you can’t assume that just because there is that lock, the website is legitimate. The bad guys will go out, spin up a website that looks just like Amazon or Target, they will get a certificate so that they get a lock. Having a lock means there’s encryption on, the data you are sending to that website is encrypted, but it does not necessarily mean that the website is legitimate. 

You should look for the lock, but just having it is not a guarantee that you are not going to get scammed.


Do you think people are getting more vigilant about these risks online?

Unfortunately, the bad guys keep changing their tactics. More people know what phishing is, and more people know that they should be alert. A really simplistic sort of attack that might have worked five years ago doesn’t work as well now because people hear someone like me constantly warning about this.

But the bad guys keep changing their tactics. And more and more people go out and buy smart devices, like internet-connected coffee makers, or ring bells, etc. They are unwillingly creating more potential vulnerabilities in their network, more potential attack links for the bad guys. People are wiser than phishing. I am not saying they never click on those links, but they are smarter and less likely to fall for a simplistic type of attack. More and more people are buying these devices.

There are estimates that there will be 75 billion internet-connected devices by 2025. Many of those things are just privacy and security dumpster fires. You don’t have to go too far to find any number of examples of how these things are hacked left and right. They are insecure. People don’t know how to configure them, and they don’t know that they have to update that. Vendors stop supporting updates fairly quickly.

Do you really need all those IoT devices? 4-5 years from now, all these devices are going to be more secure, but it’s still the Wild West out there around these things. People are buying these things and plugging them in with little regard to security concerns. These devices are making it much easier for hackers to access corporate data.

Do you think that people will become more vigilant because of the pandemic?

I hope that’s the case. But I doubt it. Right now, especially because it’s an election year in the United States, you have a lot of news around that, about election fraud, and you’ve got people working from home, and you’ve got the economy in a state of flux around the pandemic. I'm not sure people are paying as much attention to this as I would like them to. People still see the lure of the convenience of IoT devices without entirely understanding the privacy and security concerns they bring along, particularly if they don’t know how to configure and secure them properly.

There’s this misconception there, and people think that they don’t have anything worth stealing, that they are insignificant, but the bad guys want your data for many reasons. Either they want to sell it out straight away, or use it for identity theft and the fraud that goes along with it, or to use it to create more authentic attacks to allow them to get to the data they want from you, like your bank account. You are a target, no matter how small you are. A lot of these steps are automated, and unless you are taking steps to protect yourself by being vigilant and skeptical, you are just asking for trouble. 

Folks, turn on multi-factor authentication. MFA would block around 99% of attacks. It’s not foolproof and perfect, but if you turn on multi-factor authentication, you will make it much, much more difficult for hackers to attack you. As you make yourself a harder target, they will move on to a softer target.
