Despite the chaos that the COVID-19 pandemic has caused, Australians are expected to spend up big this festive season.
According to Finder, the average person is planning to spend $893 this Christmas – that equates to over $17 billion nationally.
The festive season sales begin with Black Friday and Cyber Monday, with close to $2 billion in sales expected across the four-day period.
But cybersecurity experts warn it’s also a prime time for scammers to be out in force, trying to steal your personal data.
Figures from the ACCC’s Scamwatch show losses to online shopping scams have increased 42 per cent in 2020, with almost $7 million duped out of Aussie wallets.
Scamwatch has received over 12,000 reports of online shopping scams, with classified websites such as Facebook Marketplace and Gumtree making up the bulk of those reports.
Fake websites are one of the easiest ways scammers can dupe you into handing over your details.
“What they’ll do is they’ll spin up fake websites that maybe look like retailers that everybody’s familiar with,” Garrett O’Hara, Principal Technical Consultant with Mimecast and cybersecurity expert, told the News Fix podcast.
“Completely fake – designed really just to do nothing more than steal your information and steal your credit cards.”
Another way scammers bait unsuspecting victims is with emails about fake deliveries.
“It will be generally on email and most people have seen some version of those at this point – the ones where they tell you that there’s a package that is delayed and click here to see where it is.
“People kind of go, ‘what package is that?’ and they click on the link and potentially then there’s some malware installed on their computer.”
Another common way for scammers to get your info is to mirror a popular domain.
“That’s the URL or the part of the website that you would type in, ‘the name of the company.com.au’,” O’Hara said.
“They will often change one character, one letter within the domain. So at a glance, it looks like something you’re familiar with, but actually, it’s a completely different website.
“One of the other things that it’s important to know is a thing called a homoglyph or a homograph attack – that’s where you use characters that are actually not from the Roman alphabet – the one that most Australians are probably familiar with and probably use quite often.
“Obviously there’s lots of other languages in the world, some of those languages have characters that look exactly the same as our Roman alphabet.
“So I could swap something that isn’t a zero, it actually looks exactly like a ‘O’, or it looks exactly like an ‘L’, and those characters are called extended characters and that’s actually quite difficult to see.”
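The two tricks O’Hara describes, swapping one character in a familiar domain and substituting look-alike letters from another alphabet, can both be caught by the same defensive check. The script below is an added illustration written for this article, not code from Mimecast, the ACCC or the podcast. It compares a domain against a constructed watch-list of legitimate domains (the `example*.com.au` names and the small `CONFUSABLES` table are assumptions made up for the demo; the full Unicode confusables list is far larger), flags non-ASCII or mixed-script labels, reduces the domain to a visual “skeleton”, and reports whether that skeleton is identical or one edit away from a known domain.

```python
import unicodedata

# Constructed watch-list of legitimate domains (placeholders, not real brands).
KNOWN_DOMAINS = {"examplebank.com.au", "examplecourier.com.au", "exampleshop.com.au"}

# Hand-made subset of confusable characters -> the Latin letter they resemble.
# Unicode's official confusables table is much larger; this is illustrative only.
CONFUSABLES = {
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0455": "s",  # Cyrillic small dze
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
    "0": "o",       # digit zero vs letter o
    "1": "l",       # digit one vs letter l
}


def skeleton(domain: str) -> str:
    """NFKC-normalise, lower-case, then replace each confusable character with
    the Latin letter it mimics, so look-alikes collapse onto the same string."""
    normalised = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def has_non_ascii(domain: str) -> bool:
    return any(ord(ch) > 127 for ch in domain)


def mixed_scripts(label: str) -> bool:
    """True if one DNS label mixes letters from more than one script
    (e.g. Latin letters with a single Cyrillic 'a')."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str) -> list[str]:
    """Return human-readable reasons a domain looks like an impostor;
    an empty list means it is on the watch-list or raised no flag."""
    d = domain.strip().lower().rstrip(".")
    if d in KNOWN_DOMAINS:
        return []
    reasons = []
    if has_non_ascii(d):
        try:
            punycode = d.encode("idna").decode("ascii")
        except UnicodeError:
            punycode = "<not encodable>"
        reasons.append(f"contains non-ASCII characters; browsers may show it as {punycode}")
    for label in d.split("."):
        if mixed_scripts(label):
            reasons.append(f"label '{label}' mixes alphabets")
    sk = skeleton(d)
    for known in KNOWN_DOMAINS:
        if sk == known:
            reasons.append(f"visually identical to {known} after confusable mapping")
        elif edit_distance(sk, known) == 1:
            reasons.append(f"one edit away from {known} (typosquat)")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the genuine domain, a Cyrillic-'a' homograph,
    # a digit-for-letter swap, and a one-character deletion.
    for sample in ("examplebank.com.au", "exampleb\u0430nk.com.au",
                   "examp1ebank.com.au", "examplebnk.com.au"):
        print(sample, "->", assess(sample) or "no flags")
```

Run the file directly to see each constructed sample scored; in practice the watch-list would hold the organisations a user or mail gateway actually deals with, and anything flagged is exactly the case where O’Hara’s advice applies: type the known address into the browser instead of following the link.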
Too good to be true?
As the old saying goes, ‘if it sounds too good to be true, it probably is’.
But scammers like to play on our curiosity and greed.
“What you can do instead of clicking on the link, just go straight to the organisation’s website,” O’Hara said.
“If that’s the courier, if that’s the retailer, if it’s your bank – whoever it is – go to their website online.
“Just type in their domain to your browser and if you’ve got an account, log in because generally, you’ll find all those notifications,” he said.
“Anytime an organisation that you deal with is asking for personal information or credit card number, be wary – go to their website, don’t click on the link.”
Also be wary of new retailers or sites that you’ve never heard of before.
“If you’re dealing with an online site you haven’t dealt with before, do a Google search,” ACCC Deputy Chair Delia Rickard recently told Sunrise.
“See what others had to say about it. The last two ideas for things I wanted to buy for people for Christmas both turned out to be scams.”
A recent survey found that people are still using easy-to-hack passwords like ‘123456789’ and the word ‘password’.
“If you’re using ‘password123’, honestly, that is basically instantly available to an attacker,” O’Hara said.
“You might as well not have a password, and I mean that quite literally. There’s no time involved in guessing that if you’re an attacker.
“If you’re using the same password for social media, for banking, for online retail, and you’re using your email to log into those sites, which is often the way these days, if an attacker gets your password, they’ve got access to everything.”
O’Hara’s advice is to look for a password manager.
“There’s a bunch of them that are available, many of them are free, and the idea with that is a password manager can use a very, very long and complex password that you don’t have to remember.
“It does the job for you and you also get the added advantage of a different password for lots of different platforms,” he said.
After the scam
If you do fall victim to a scam, there are things you can do.
“If you have been the victim of a scam, contact your bank as soon as possible and contact the platform on which you were scammed to inform them of the circumstances,” Rickard said.
And if you see anything suspicious, report it to Scamwatch.