Republished on November 30 with new data highlighting the scale of cyber threat over this year’s holiday shopping season.
With Black Friday now here, it is clear that the dangers facing online shoppers are greater than ever. The latest reports suggest scam websites have surged 89% over last year, and almost 80% of shopping offers hitting inboxes are fraudulent. We have even seen Google search results poisoned to send traffic to dangerous websites.
Little surprise then that the FBI has released a new warning for online shoppers, setting out the sellers that must be avoided on Black Friday, Cyber Monday and throughout the holiday season. For all users of Chrome, Safari and Edge, which control 95% of the US browser market, this is a must-have checklist to stay safe.
The FBI’s advice on which sellers to avoid comes down to seven key points, think of this as your online safety check during the holiday season—don’t take any risks:
- Don’t buy from websites until you’ve carefully checked the URL to ensure “it’s legitimate and secure.” Websites should have the telltale secure connection padlock in the address bar and https at the beginning of the full address. If the website is not secure or the URL is not obviously right, move on.
- Do not buy from a website for the first time until you’ve done some research and checked any available online reviews. Remember, reviews can be faked as well, so don’t gloss over the first you find.
- If you’re using an auction site or similar marketplace, “be wary of sellers with mostly unfavorable feedback ratings or no ratings at all.” You want sellers with a large number of completed transactions and favorable reviews.
- Don’t buy from sellers “who act as authorized dealers or factory reps of popular items in countries where there would be no such deals.” This is a well-known scam whereby these shopfronts take orders and rarely ship goods, and those they do ship are usually counterfeit.
- Also beware of any sellers “who post an auction or advertisement as if they reside in the U.S. but then respond to questions by stating they are out of the country on business, family emergency, or similar reasons.” Again, this is a typical scam whereby the seller will offer a plausible excuse for having an overseas address or phone number. Move on.
- Don’t buy from websites that specify unusual shipping arrangements or offer to bypass customs checks or fees; similarly, don’t buy from sellers you don’t know who request direct money transfers. Always use a credit card, which brings additional checks and protection.
- Don’t pay for items you buy with pre-paid gift cards. As the FBI explains, “in these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item.”
According to the cyber research team at Check Point, “cyber criminals are putting in overtime—with Black Friday and Cyber Monday approaching, threat actors are poised to take advantage of consumers hoping to shop the yearly discounts.” The team warns that this year’s “surge in websites related to Black Friday is 89% higher than the surge in the same period last year… Nearly all of these sites impersonate well-known brands, and almost none are classified ‘safe’.”
Check Point offers a similar five-point checklist to the FBI’s:
- “Check URLs closely for misspellings or unusual host domains.
- Make sure the URL starts with “https://” and shows a padlock icon.
- When emails come in, reference the sender against emails you know to be real. Don’t click anything you’re not sure about.
- Don’t blindly click through on QR codes.
- Never input unnecessary details like your social security number, and avoid inputting extra info like your birthday where it’s not required.”
Check Point also gives some examples of the kinds of URLs designed to trick users into visiting fraudulent websites:
- Stüssy (Streetwear): stussycanadablackfriday[.]com
- Longchamp (Bags): longchampblackfriday[.]com
- Wayfair (Online Home Store): wayfareblackfriday[.]com
- SOREL (Footwear): soreloutletblackfriday[.]com
- Crew (Retail): jcrewblackfriday[.]com
- IUN (Footwear): blackfriday-shoe[.]top
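As an added example (not code from the article, Check Point or the FBI), the following Python checker applies the two URL rules above, https and a close look at the host domain, to the lookalike domains Check Point listed. The brand allowlist and the seasonal bait keywords are constructed assumptions for this example; the registrable-domain logic is a naive last-two-label approximation rather than a public-suffix-list lookup, and the fuzzy threshold is a heuristic to tune.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist of the brands named in the list above and their real registrable domains.
BRAND_DOMAINS = {
    "stussy": "stussy.com",
    "longchamp": "longchamp.com",
    "wayfair": "wayfair.com",
    "sorel": "sorel.com",
    "jcrew": "jcrew.com",
}
# Constructed list of seasonal bait words that lookalike hostnames bolt onto a brand name.
SEASONAL_KEYWORDS = ("blackfriday", "cybermonday", "outlet")


def refang(url: str) -> str:
    """Turn the defanged 'example[.]com' notation used in threat reports back into a real URL."""
    return url.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Naive last-two-label approximation (no public suffix list); fine for the .com/.top examples here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Return the host, its registrable domain, and the reasons (if any) it looks like a lookalike."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    rd = registrable_domain(host)
    # Strip the TLD, hyphens and bait words so "wayfareblackfriday" is compared as "wayfare".
    stem = ".".join(host.split(".")[:-1]).replace("-", "")
    for keyword in SEASONAL_KEYWORDS:
        stem = stem.replace(keyword, "")
    for brand, real in BRAND_DOMAINS.items():
        exact = brand in stem
        fuzzy = SequenceMatcher(None, brand, stem).ratio() >= 0.85  # catches misspellings
        if (exact or fuzzy) and rd != real:
            reasons.append(f"looks like {brand} but registrable domain is {rd}, not {real}")
    if any(keyword in host.replace("-", "") for keyword in SEASONAL_KEYWORDS):
        reasons.append("seasonal bait keyword in hostname")
    return {"host": host, "registrable": rd, "suspicious": bool(reasons), "reasons": reasons}
```

Run over the Check Point list, every entry is flagged for a brand mismatch, a bait keyword, or both, while the brand's real domain over https passes clean.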
The added focus on phishing is critical. This holiday season, Bitdefender warns that “cybercriminals have wasted no time trying to capitalize on the frenzy,” with an incredible 3 out of every 4 Black Friday-themed marketing “spam” emails now actually scams, intended to defraud you of your money or to install malware on your device that steals your credentials or your data.
This year, we have seen a deluge of AI-crafted phishing lures, which make mimicking a popular, trusted brand all too easy. And these enticing, time-sensitive offers can be pumped out to email addresses on an industrial scale.
“Remember,” the FBI warns, “if it seems too good to be true, that’s because it is.”
The retail numbers just released show how big a target this holiday shopping season has become for cyber criminals, and why the FBI’s advice is so critical. According to Adobe, this year will see record levels of spend, with its forecasts suggesting “consumers will spend a record $241 billion online during the 2024 holidays, up 8.4% from 2023.” That sheer level of activity drives the scammers’ paradise that the FBI and others have warned about.
Salesforce also forecasts a record level of spend this year, reporting (via TechCrunch) that “Thanksgiving generated $33.6 billion in sales online globally, up 6%. The U.S. market alone was up 8% to $8.1 billion. Europe was also a standout, growing 10%.”
From a cybersecurity perspective, the standout statistic in Adobe’s report is not the overall spend but the percentage being spent on mobile devices. “Mobile spending momentarily overtook desktop spending during the 2023 holidays and will be even more prominent in 2024. This holiday season, Adobe forecasts mobile revenue share will hit a record 53.2% of online shopping and account for $128 billion.”
That’s critical because it’s much more difficult to spot a scam on a mobile screen than on a larger laptop or desktop: URLs are truncated, lures are optimized for small screens, and there are the one-click attacks from social media and messengers on top. It’s all too easy to be caught out on a mobile device given the ease of moving between apps and browsers.
It’s obvious why mobile spend is now so high given the ease of buying while sitting with friends and family without having to open a larger screen. According to Salesforce, mobile orders on Thanksgiving itself were up 3% on last year, accounting for more than 70% of all orders it tracked on Thursday.
ESET has now published guidance on what to do if you think you’ve been caught out by a scammer on Thanksgiving or Black Friday. Do this right away: the sooner you act, the more likely you are to significantly reduce the scale of any losses.
- “Report the scam immediately to authorities like Action Fraud in the UK or the FTC in the US
- Tell your bank and, if relevant, freeze your cards – requesting new ones
- Stop contact with the scammer and don’t tell them why
- Change any passwords that may have been compromised
- Freeze your credit to prevent scammers opening new credit lines in your name. You’ll need to contact each of the three major credit bureaus separately: Experian, TransUnion, and Equifax
- Gather evidence of the scam in case it is required”