Scrooge’s 12 Scams of the Holidays

They’re baaaack! Actually, they never left—Scrooge’s little trolls work hard all year, scheming and scamming to steal holiday presents—or at least valuable information—from good girls and boys. From the North Pole to the South Pole, they target every one of us through phishing, SMiShing (text phishing), shipping and gift card scams. If you aren’t paying attention, they will hack your devices, spy on your surfing and empty your bank account.

12-scamsThe holidays are supposed to be a fun-filled time for celebrating with family and friends, so make sure you keep the cheer in your holiday and learn about the “12 Scams of the Holidays,” the dozen most dangerous online scams to watch out for this holiday season, revealed today by McAfee.

To make sure your holidays are not stolen by the Grinch, here are some tips on how to protect yourself against scams during the holidays, and year-round:

  • Educate yourself—Keep up-to-date on the latest scams and tricks cybercriminals use, so you can learn to recognize scams and avoid potential attacks.
  • Use strong passwords— Make sure your passwords are at least eight characters long and contain a variety of upper and lower case letters, numbers and symbols.
  • Be careful when clicking—Don’t click on links in messages from people you don’t know, and use a URL expander to know what site you are going to before clicking on a shortened URL.
  • Stay suspicious—Like mom said, be wary of any offer that sounds too good to be true.
  • Practice safe surfing—When searching for holiday gifts, use a safe search plug-in such as McAfee® SiteAdvisor®.
  • Practice safe shopping—Make sure you stick to reputable e-commerce sites that have been verified as safe by a trusted third-party, like the McAfee SECURE™ mark. Also look for “https” at the beginning of a site’s URL, which indicates that the site is using encryption to protect your information.
  • Use comprehensive computer security—Make sure you have comprehensive security protection for all your devices, including your mobile phone and tablet, that also protects your data and identity protection, like McAfee LiveSafe™ service.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Feast of the 7 Phishes 2011

Every year at the Siciliano household, we have a holiday tradition based on the Italian Feast of the Seven Fishes, which is, as you probably guessed, a meal consisting entirely of fish. There’s lobster, mussels, clams, scallops, shrimp, smelt, and cod, all either fried or cooked in red sauce, spicy sauce, or white sauce. This year we’re dedicating our feast to “Miles for Miracles,” a fundraiser for Children’s Hospital Boston. I’ll be running the Boston Marathon this coming April in support of the cause.

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to demonstrate the nature of the scam and specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website is in fact a virus.

“From: LinkedIn

Temporary FDIC insurance coverage news. To obtain more information about temporary FDIC insurance coverage of transaction accounts, please refer to http://www.xxxxxx. Yours faithfully, Federal Deposit Insurance Corporation.”

2. In this phish, the sender claims to be Canadian, but the email suffix “.cn” is Chinese, and the scammer grammar is clearly East African in nature.

“From: Mrs.Martha Chery

Dear Beloved,

I am Mrs.Martha Chery from Canada,I am 58 years old,i am suffering from a long time cancer of my brain,from all indication my conditions is really deteriorating and it is quite obvious that i may not live for the next two months.”

3. Wow, my “email address has won.” Lucky me?


WINNING NUMBER: OL/656/020/018


4. This scammer responded to a Craigslist ad I had posted. Apparently I “sounded gorgeous in the ad.” I probably did!

“From: Justina Serini

Hi Robert, I found your posting and wanted to ask you something essential. I am in a relationship and caught my partner cheating on me so I decided to get even! My co-worker said Craigslist list would be the best place to find someone nearby who I can be with for one time only so thought the hell, I would email someone I thought sounded gorgeous in the ad and came across yours!”

5. In this phish, I’m being scammed in Hebrew!


יכול לחסוך לעצמו עשרות או מאות אלפי שקלים – ובקלות! גם אם לקחתם משכנתה והשגתם את התנאים הטובים ביותר,”

6. Oh, wow, the United Nations is contacting me directly. How exciting!


Attn: Beneficiary, This is to inform you that the International Community has received series Complaints from Beneficiaries who are yet to receive their outstanding Contract/Inheritance Funds.”

7. Download this report, and you’re as doomed as a boiled lobster.

“From: Jerry Bush

This report applies to the ACH transfer (ID: 963623905410) that was recently sent from your banking account. The current status of the referred transfer is: failed due to the technical error. Please find the detailed information in the report below.”

Hey, that reminds me, I have fish to fry!

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses phishing on Fox Business Disclosures

4 Tips to Prevent Auction Holiday Fraud

Auction fraud refers to fraudulent transactions that take place through auction and classifieds websites.  Either a product advertised may be misrepresented by the seller or the items sold are never delivered at all.

This holiday season, as you seek out hard-to-find gifts and look for the best prices, keep in mind that not everyone out there on the wild, wild web has good intentions.

Auction sites are ground zero for scammers. It’s very easy to set up a free auction page from anywhere in the world, collect people’s money, and run.

Here are four tips to keep you safe when shopping through auction websites.

  1. Use strong passwords: Use complex passwords that are hard to crack but easy to remember. Passwords should include upper and lowercase letters as well as numbers, and, if possible, other characters.
  2. Look out for phishing emails: Any email that appears to have been sent from an auction site should be considered suspect. Certainly there are legitimate communications being sent by eBay and similar sites, but none of them should require a direct email response. To confirm that a communication is legitimate, always go to the website directly via your favorites menu, log into your account normally, and check your “My Messages” folder, rather than clicking any links within the email.
  3. Secure your device: Whether you shop using a tablet, smartphone, PC, or Mac, they all need some form of antivirus protection. At the very least, the operating system should be kept up to date with all the latest security patches. Any website can potentially pose a threat. Never respond to pop-ups that claim your computer or other device has been infected and instruct you to install antivirus software. This is actually “scareware.”
  4. Buy from trusted sources: Some may not like my saying so, but buying from sellers with no track history is risky. If sellers have less than five transactions under their belt, they may be scammers. My rule of thumb is never but from anyone with fewer than ten transactions, and even then I take all their feedback into account before purchasing. If a seller has ten transactions but all those purchases are less than a dollar in value, that seller is still suspect.

Online classified and auction websites can do more to protect legitimate buyers and sellers by identifying fraudsters faster with advanced device identification.  iovation Inc.’s fraud prevention service is called ReputationManager 360 and incorporates device identification, device reputation analysis, and geolocation, velocity, and anomaly checks in its real-time risk profiling. iovation is used by hundreds of online businesses to prevent fraud and abuse by analyzing the computers, smartphones, and tablets being used to connect to their online properties.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Black Friday/Cyber Monday Scams on Mike and Juliet Show  Disclosures

6 Tips for Cyber Monday

Bad guys know perfectly well that when the online bargains begin after Thanksgiving, specifically, on the Monday after Thanksgiving, you will be providing your credit card number to retailers all over the world.

1. Go big. Do your online business with major retailers, or those you already know, like, and trust. The chances of a major online retailer stiffing you, or of their database being compromised, are slimmer than those of an unknown.

2. Do your homework. If you search for a particular product and wind up at an unfamiliar website, do some research on the retailer before putting down your credit card number. Search for the company’s name and web address to see if there have been complaints.

3. Don’t give out more personal data than necessary. Many retailers require your name, address, phone number, and credit card information. This is normal. But if you are asked for anything beyond that, like bank account numbers or your Social Security number, run hard and fast.

4. Vary your passwords. Often, online retailers will ask you to register with their website when you make your first purchase. Never register using the same password you’ve already used for another website. Otherwise, if one website is hacked, your password could be used to infiltrate your other accounts.

5. Use HTTPS sites. Websites that have a secure checkout process, with “https://” in the web address (as opposed to “http://”) are safer.

6. Print out and save online receipts. Keeping track of what you bought, where, and for how much can become confusing when making multiple purchases online. You need to pay close attention to your purchases in order to reconcile your credit card statements.

Smart retailers are already protecting consumers behind the scenes by implementing multiple layers of fraud protection. One very effective fraud detection technology is the use of device identification and device reputation to alert businesses to known fraudsters on their site. iovation Inc. provides this service, taking it another level to analyzing the device’s reputation by assessing risk on each transaction.

“The most reputable online sites all ramp up their security processes during the holidays,” says Molly O’Hearn, iovation’s VP of Operations & Co-founder. “This is a very good thing for online consumers because this is the time of year that your identity and credit card information is most at risk.”

Whether you are buying electronics as gifts this holiday season, or sports and entertainment tickets for friends and family, iovation is working hard in the background of these sites to keep the bad guys out so you can have a safe and fun experience.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures