This holiday season is far from normal, but one tradition is sticking around: online fraud.
Studies show increased shopping volume typically results in a rise of fraud attempts over the holiday season. But online fraud has already been increasing for much of 2020, as more shoppers flocked to online shopping amid stay-at-home orders and ongoing public health concerns resulting from the pandemic. As a result, the record volume of online purchases predicted this holiday season could result in a similar record number of fraud attempts.
“Every year, we monitor a spike in the holiday season,” says Shai Cohen, senior vice president of global fraud solutions at TransUnion. “So if there is a spike every year, we imagine this year the spike will be even larger.”
Fraudsters seek out opportunity, and when more people shop online, those opportunities grow. Right now, people are especially vulnerable, says Vanita Pandey, vice president of marketing and strategy at Arkose Labs, an online fraud prevention technology company. “The propensity for someone to fall victim to these crimes is high, and I believe that fraudsters have all of that information ready to go as the holiday season approaches.”
1. Account Takeover
In the recent past, fraud attempts were typically thieves using stolen credit cards to buy things, says Gary Sevounts, chief marketing officer at Kount, a digital fraud prevention company.
But now the landscape has changed. Your identity is more important than anything else, Pandey says. Fraudsters are not only mining for credit card information, but also login credentials, reward points, and, most importantly, personal account information.
“I don’t need to take your card,” Pandey says. “I could get into your account and once I get into your Gmail account, I can wreak havoc.”
This is called account takeover (ATO) fraud. “When attackers successfully compromise accounts, they monetize their access by abusing credit card or loyalty programs, committing identity fraud, or submitting fraudulent transactions,” according to a recent FBI report on the trend.
Account takeover is such a boon for scammers because — despite being warned otherwise — many people use the same or similar username and password combinations across multiple online accounts. One hacked account could mean access to others, ranging from your Amazon account to your Twitter profile and even your online banking data.
How to Prevent Account Takeover
It can be difficult to prevent widespread account takeover schemes like data breaches — that responsibility largely falls on merchants taking adequate security measures, according to the experts we spoke to — but you can take steps to secure your data.
You should use different username and password combinations for each of your online accounts. Do not save your card information with retailers — it might mean a speedier checkout, but also puts you at risk if that merchant is breached.
If your account offers two-factor authentication, be sure to opt in, and always make sure to log out of accounts on your computer or mobile browser, especially if you’re using a shared device. Even shared accounts between friends and family members can be risky, Pandey says.
Sharing identifying information online can increase your risk, too.
“Think about what people post,” says Angie White, senior manager of global fraud solutions at TransUnion. “They might post about a high school reunion, and now you have their high school and their high school mascot. That could be the answer to a question to reset the password and get into an account. There’s a lot of nuggets that people leave out there that can be used to socially engineer and take over an account.”
Be mindful of what you’re posting, sharing, and tweeting, especially if your posts can possibly relate back to a potential security question.
2. Social Media Scammers
Reports of scams originating on social media have tripled this year, according to a recent report from the Federal Trade Commission. The most common scams (28%) were orders shoppers placed but never received, often after seeing an ad on social media.
You might have seen these yourself: Attractive, slick, and highly targeted ads start to appear on your Facebook News Feed or Instagram Stories featuring brands you’ve never heard of. “These scam ads look real and can be carefully targeted to reach a particular audience,” states the FTC report. “The scammers can delete comments on their ads or posts, so that negative responses don’t show up and alert people to the con.”
“It’s never been easier for someone to start their own business, but it’s never been easier for fraudsters to do that, too,” Pandey says. “Awareness is important. Don’t leave your payment credentials anywhere. Don’t just click on something if it seems too good to be true.”
How to Prevent Social Media Scams
If the price or photos listed on an e-commerce social media ad seem suspicious, beware. Do your holiday shopping with online retailers you trust, or have reliably purchased from before.
There is some good news. Generally, your money is protected if you use a credit card to purchase from a fraudulent seller on social media. Credit card issuers have robust security measures and you’ll likely have the option and ability to get your money back, easily lock your card, and ensure that any money spent fraudulently won’t come directly out of your account. Using a debit card doesn’t offer the same protections, which is why you should primarily use a credit card when making online purchases.
3. Gift Cards
When you’re unable to travel to see your loved ones, an e-gift card can seem like a great present. Your gift is delivered straight to their inbox without worrying about shipping or inventory delays. Digital gift cards have also become popular throughout the pandemic as a way to support your favorite businesses like restaurants or fitness studios, even if you can’t visit them in person right now.
But, experts say, fraudsters are more often turning to gift cards — and e-gift cards specifically — as sources for theft.
They test out numbers constantly, trying to figure out if there’s a balance on the card, Pandey says. So by the time the actual cardholder goes to redeem the balance, it’s already been wiped out.
Because gift cards are their own form of currency, fraudulent transactions can be difficult for security systems to catch. It’s virtually untraceable, according to Pandey.
Always use a credit card when shopping online. When your debit card information is stolen, money can be withdrawn directly from your account and take longer to recover. Credit cards often have more robust purchase protections and act as a buffer between fraudsters and your cash.
The information you share while purchasing the gift card, such as your email, credit card number, name, and address, can be a goldmine, too. “Digital gift cards, like any digital interaction, are susceptible to all the fraud and security threats, from account creation to account takeover to transaction fraud,” Sevounts says.
How to Prevent Gift Card Fraud
Always buy gift cards directly from the retailer or an authorized reseller. Use your judgment if you encounter any site offering gift cards for a steep discount. The offers that seem too good to be true often are.
If someone gives you a gift card, determine if the issuer allows you to change the PIN. Activate the card and change the PIN to add an extra layer of security. Then, actually use the card after you receive it. Since fraud networks are constantly testing card numbers, the longer your card balance sits, the better chance they have of making a match.
Targeted phishing scams have grown this year, and Cohen predicts the trend will only continue into the holiday season. These scams can be lucrative for fraudsters because once your personal data is compromised through phishing, account takeover fraud often follows.
“A lot of these things are all linked together,” White says. “A fraudster will take over a person’s account and get all that personal data including the credit card number,” which they can then use across other sites, too.
Shipping fraud is one specific type of phishing to watch out for this year, Cohen says. It often begins with a text message appearing to be from a shipping company like FedEx or UPS, linking to a tracking number or asking to confirm your address. “Once you click on the link, it takes you to a point where the fraudsters take over and reroute the shipping or all the information,” he says.
How to Prevent Phishing Attacks
Look out for dubious links in your email inbox, as well as suspicious phone calls or text messages that could be phishing scams. Keep track of the stores you purchase from online and the accounts you use for each payment so you’ll know whether to expect communication from them.
If you receive an unsolicited email or text claiming to be about an online order, go directly to your account to access any updates. “Be very, very leery about clicking on any links,” White says. “Always go into your account and check things, because they look very legitimate.”
Bottom Line: Stay Alert
Increasing your awareness can make all the difference in combating fraud.
“The IRS is not going to call or text you,” Pandey says. “Don’t click on every link, make sure it’s a legitimate one.”
Do your own research into any unsolicited messages from retailers or dubious-looking social media sellers before handing over your information. Even though it might be appealing to quickly click “buy” in order to knock off part of your holiday gift list, taking your time and having patience will serve you better in the end.
Practice good digital hygiene by keeping your passwords up-to-date, using two-factor authentication methods, shopping with a credit (not debit) card online, and logging out of accounts after use.
And always stay on top of your own financial information and data. You should regularly monitor your credit card and bank statements, as well as your credit report, but it’s even more important over the holiday season.
You can be your own first line of defense against any unusual card activity or incorrect credit information.