
Don't fall for these scams this holiday season (or ever)

Online fraudsters usually claim to have information or authority they don’t have. Be on alert this holiday season.

The Internet—brace yourself—is full of people who want to rip you off. Yes, it’s a shocking fact; take a moment to calm down and breathe.

Below we detail just a few of the schemes used by the morality-challenged to steal your money. Many of them are age-old bunko methodology, updated with Internet-era terminology and automated for worldwide mass scamming. The advent of cryptocurrencies, largely Bitcoin, makes it easier for these perpetrators to get away with the virtual loot without a trace.

The key to recognizing these scammers for who they are, at least most of the time, is to take a default attitude of suspicion. When a stranger reaches out to you on the Internet, don’t just look for signs that their identity may be false; assume it’s false, and make them prove to you that they are real. Even when a message comes from someone you know, you have to be careful because it’s possible, at least in some cases and with varying degrees of effectiveness, to impersonate others. I once got a message on Facebook that appeared to be from a friend, but I knew that friend had died. Someone had cloned his account, which had remained up after his passing. I reported it immediately and warned people.

Every now and then a scam makes enough of an impact to get in the news, but mostly this problem is endemic on the Internet, just as it has been endemic in human society for ages. The examples below were chosen to illustrate the importance of social engineering—whereby criminals trick you into trusting them—and underscore the need for suspicion and vigilance on your part.

So, yeah, it’s bad out there. Here are some of the bad things that bad people will be doing during the holidays and throughout the year.


Holiday scams

There are always lots of scams around the holidays. Some are tech-oriented, and some are more conventional thievery just moved to the Internet. Here are a few and how you can recognize them. Remember, as with all the other scams, the trick is to start with suspicion, not with trust.

Fake charities

We've all gotten unsolicited phone calls from people claiming to collect for firefighters, police officers, or children with cancer. The same sort of fraud has gone online on crowdfunding sites. In a well-publicized 2017 case, a couple raised more than $400,000 on a GoFundMe page, supposedly to help a homeless person. They got busted—and so did the homeless man who was in on it.

It's probably never a good idea to give money to people who call unsolicited. If you want to give to a cause, find a real charity and contribute on its web page. 

The crowdfunding case is more troubling because it's hard to verify such things. If you have no independent way to validate the claims, it's better to give to a cause you can validate.

Knockoffs for sale

It's no surprise that there are a lot of counterfeit products for sale, on the street and on the Internet. Besides ripping off the intellectual property owners, counterfeits may leave you without what you really need. Cheap fake electronics that don't work at all are often sold as brand-name items, like iPhone chargers, as detailed by Consumer Reports. Among other things, it recommends that you research the seller online, be especially wary of large discounts, and read product reviews. If you buy, make sure to scrutinize the packaging—counterfeiters don't put anywhere near as much money into their packaging as real brands.

Fake shipping notifications

People get a lot more shipments during the holidays, so it becomes more common to send out phishing emails that look like shipment notifications. The fake email has a link to a fake web page with a fake login. The point is to get your credentials and use them to steal from you. This scam, along with many others, is explained by the Better Business Bureau.

Fake accommodation listings

There are many travel-related scams. The increasing use of private residences for travel accommodations has created a large market for fake listings. According to The Guardian, fake ads for luxury villas for rent are professional looking and convincing. The property may not even exist. If you're booking through an established site like Airbnb, you can check host reputation and reviews. If you're going through a service you don't recognize, the article recommends, "email and request the number if it is not provided, and get the full address of the property and find it on Google maps to check location and legitimacy."


Sextortion

In late 2019, the hot scam is sextortion, in which a criminal sends an email threatening to disclose embarrassing information about you, almost certainly related to your sex life.

The vast majority of these attacks are fake attacks, as I will illustrate with a personal example. I have received many of these threats. Either in the subject line or at the top of the message, the perpetrator shows a password of mine—for example, “Your password is passw0rd” (no, I haven’t actually used that one)—and then conveys a story about how they used it to learn about my "embarrassing" sexual habits. It says I’d better cough up some Bitcoin or they will tell the world.

All of these threats have used the same password, which I recognize as a very old password I haven’t used in many years. Since then, I have started using a password manager and practice good password habits. That, combined with the fact that <cross fingers>I have never done anything to be ashamed of</cross fingers>, told me that this was a scam.

As is generally the case with such emails, the password was not obtained with any personally directed attack or used to dig up any dirt on me but was culled from one of many large dumps of compromised passwords over the past decade. (To find out if your passwords have been used in such a breach, sign up for the Have I Been Pwned service.) The username (if an email address) and password were then bulk mailed with the threat. The claims that malware was installed on my computer are not true.

I’m sure some such attacks are real, but they are probably rare, because the cost of conducting a real one is high and the cost of conducting a fake one, like I received, is nothing. For many people, the password in the breach will be one they still use, and that has to be a scary experience. Before you take it seriously, scrutinize it for all the usual signs of fakeness. Search Google for the text in the email. If lots of people are reporting the same thing, it’s got to be a bulk attack. If there are images attached, search for them too. Then change your passwords and get a password manager.

Business email compromise/email account compromise

Business email compromise (BEC) describes a category of schemes by which an outsider gains access to a company’s funds or payroll. The attacks target both businesses and governments, but sometimes individuals who perform requests for fund transfers are also targeted.

Social engineering is usually a key part of the attack. For example, the company’s human resources or payroll department may receive a spoofed email, appearing to be from an employee requesting a change to their direct deposit account. The new account is generally a prepaid card account. The attacker may also impersonate someone in authority and request personal information about employees or the company that can be used to launch other attacks.

In other cases, more technical hacking mechanisms like password cracking might give an attacker access to a business or employee bank account directly. Or employees may be emailed a link to a fake login page for some key service, and those who attempt to log in give the attackers their usernames and passwords.

The best defense against these attacks is a trained workforce that knows to be suspicious and scrutinize such requests. But two-factor authentication is also an important defense, in that it blocks attackers who have only the username and password.
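As an added illustration (not part of the original article), here is how a mail gateway or help-desk script might flag the spoofed payroll request described above before a human acts on it. The company domain, the term list, and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organization's own mail domain
PAYROLL_TERMS = ("direct deposit", "bank account", "routing number", "payroll")

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage(raw_message):
    """Return the reasons a message needs out-of-band verification."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Only trust this header when your own receiving server added it.
    auth = (msg["Authentication-Results"] or "").lower()
    if from_dom != COMPANY_DOMAIN:
        findings.append(f"sender domain {from_dom!r} is not {COMPANY_DOMAIN!r}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom!r}, not {from_dom!r}")
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed at the receiving server")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg['Subject'] or ''} {body}".lower()
    if findings and any(term in text for term in PAYROLL_TERMS):
        findings.append("asks for a payroll or banking change")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = """From: "Pat Lee" <pat.lee@example.com>
Reply-To: pat.lee@mail-example.test
To: payroll@example.com
Subject: Update my direct deposit
Authentication-Results: mx.example.com; spf=fail; dmarc=fail

Please move my pay to the new bank account on the attached form.
"""
GENUINE = """From: "Pat Lee" <pat.lee@example.com>
To: payroll@example.com
Subject: Update my direct deposit
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Can we set up a call to change my bank account?
"""
```

An empty result means only that the headers show no spoofing indicators; a request sent from a genuinely compromised mailbox passes every one of these checks, which is why the verification procedure still matters.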

Romance fraud

Romance fraud comprises a variety of swindles that are as old as love and money themselves. They don’t all involve actual romance; sometimes it's just a relationship in which one party engenders trust in the other and then uses that trust to steal from them or trick them into performing some illegal act. In 2018, more than 18,000 victims filed complaints with the FBI’s Internet Crime Complaint Center, reporting losses in excess of $362 million.

The true romance fraud case these days usually involves online dating sites that are used to lure victims. The criminal will often claim to be a U.S. citizen or foreign national abroad and in need of help. The person may say they want to come to the U.S. to visit the victim but they need money for the travel. Or, they may say they were arrested under unjust circumstances and need bail money. Later, the perpetrator may say the money didn’t arrive and ask for more. You get the idea.

Such criminals don’t use their own photographs or background information. If you suspect a person (and maybe even if you don’t), use Google’s image search to see if their photos appear elsewhere, such as on some other person’s social media accounts.

The Federal Trade Commission also has good information on romance scams.

The Chinese embassy scam

In this scam, the target is contacted through one of a variety of means—such as text, chat, or phone—by a person claiming to be from the Chinese embassy or consulate.

Targets are mostly persons of Asian descent—often Chinese nationals, including students or visiting university faculty—although it’s not hard to imagine similar scams developing among other migrant communities. The victim is told that a suspicious document or package was found, or a suspicious person detained, at an airport or some such place in China. In a variation of the scheme, the criminal claims to be from a Chinese shipping company or credit card company, but the story is similar. The victim is told that their name came up in the investigation and that they are required to cooperate with the investigation.

Next, they are transferred to an “investigator” who tells the victim that they must wire funds to a location in China or Hong Kong, or pay with a credit card or cryptocurrency. If the victim does not cooperate, the criminal threatens, they will be subject to deportation, loss of assets, or imprisonment.

Phony letters of credit

In this scam, victims are offered returns or loans on very favorable terms and (purportedly) low risk for the purchase of Standby Letters of Credit (SBLC). They are asked to provide an advance fee to initiate the investment, by transferring funds overseas or using foreign banks. 

An SBLC is a legal document issued by a bank to guarantee payment to a party to an agreement in the event of the other party, a client of the bank, defaulting on payment. They are often used in international trade between parties in different legal jurisdictions. SBLCs are not, in and of themselves, negotiable instruments—that is, they cannot be bought and sold or traded.

Nevertheless, some criminals are using counterfeit SBLCs and standard messages from the Society for Worldwide Interbank Financial Telecommunication. SWIFT is a network used by financial institutions across the world to exchange information and execute transactions, such as money transfers.

It is possible to authenticate SBLCs and SWIFT messages. The criminals attempt to make their messages look authentic and count on the target’s lack of knowledge and unwarranted trust in their claims. The victim is sometimes bound to secrecy and may even be made to sign a nondisclosure agreement.

Nothing new under the address bar

Like all the others, except business email compromise, phony letters of credit are an Internet version of an older scam that was spread on the phone or on paper. As an individual, there are technical measures you can take—as basic as spam filtering and as sophisticated as two-factor authentication—to block some of the threats. But the most important tool you have is a healthy skepticism of anything you read on the Internet for which you don't have good means of verification. As a business, technical measures and well-defined procedures are a must.

Internet scams: Lessons for leaders

  • Never trust outside communications inherently, especially when money or identity are at stake. Always look for independent means of verification. 
  • Implement two-factor authentication as widely as possible. 
  • Put firm business rules in place to prevent employees from mistakenly falling prey to scammers. 

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.