'Tis the season to be jolly and the holiday shopping rush has begun. For sure, with the influx of holiday promotions, online receipts, shipping data and tracking information, your email inbox is probably inundated with messages from retail outlets, online and brick-and-mortar stores alike.
These holiday emails can get overwhelming, and of course the ever-opportunistic scammers will once again try to slip a quick email scam past unsuspecting shoppers. We have already warned you about the techniques they use, such as misspellings and typosquatting.
But email phishing remains the most widespread method for stealing customer information. Popular campaigns impersonate favorite online shopping destinations like Amazon and the payment service PayPal, and they typically skyrocket during the holiday season.
So before you make that list, better check your emails twice.
Here are two phishing scams currently spreading that we have personally spotted lately:
Amazon Order Phishing Scam
Beware if your inbox has a purported email from Amazon with this subject line: "Your Amazon.com order cannot be shipped." That email is most likely a phishing attempt.
The email contains this message:
Hello, There was a problem processing your order. You will not be able to access your account or place orders with us until we confirm your information. Click here to confirm your account. We ask that you not open new accounts as any order you place may be delayed.
For more details, read our Amazon Prime Terms & Conditions.
Unsuspecting recipients who click on the provided link for "account confirmation" are directed to a fake but convincing "Amazon" webpage where they are asked to re-enter their name, address and credit card information.
The whole thing is a sham, of course, and once you enter your information and click "Save & Continue" it is game over: the scammers now have everything they need. To allay suspicion, the phishing page even redirects you to the real Amazon website once the form is submitted.
PayPal Limited Account Scam
Another phishing campaign that's making the rounds is this "Limited Account" scam that's claiming to be sent by PayPal's "Security Team."
The fake PayPal email's subject line is "We have limited your account temporarily."
It begins with "Access to your PayPal account has been limited" and it even includes a PayPal logo image.
The rest of the message reads:
Dear Valued Member,
There seems to be quite a number of login attempts that we have detected
that led us to believe someone was trying to use your account
without your knowledge.
Furthermore, we have limited your account in the mean time
until we hear from you. Normally, there can be a number of
reasons why PayPal limits an account. For your situation, your
PayPal account was limited to add greater security and to
When an account is limited, there are certain actions
that PayPal prevents you from doing; this usually includes
sending, receiving, or withdrawing money.
We ask that you open the attached file that we
have sent in this email. It is a form that you
should go through to verify your identity
After submitting the form, our security team can then carefully review your
information that you have provided and lift off the limitation. It shouldn't take
too long for us to process.
We apologize for the inconvenience.
Opening the attached HTML file renders a fake PayPal profile update page that claims to remove the "limitations" on your account. Because the page ships inside the attachment rather than behind a link, there is no URL in the email body to hover over or for a link filter to catch; the form still submits whatever you type to a server the scammers control. As usual, the page has required fields for your name, address, credit card information and even your social security number.
Notice, too, that although the sender's display name is "PayPal Security Team," the address is actually at "security.payservices.net," a domain not associated with PayPal in any way. The display name is free text that anyone can set; only the domain after the @ sign counts, and it must be paypal.com itself or a subdomain of it (something.paypal.com). A lookalike such as paypal-security.net, or a domain that merely ends in the letters "paypal.com" like notpaypal.com, is not PayPal.
If you receive an email of this kind, please don't open the file attachment. You can just delete the email or, better yet, forward it with its full headers to firstname.lastname@example.org.
Avoiding phishing attacks
Criminals are always trying to stay ahead of the curve, delivering malicious links in numerous ways. Here are some things you can do to avoid being a victim of phishing scams:
- Be cautious with links - If you get an email or notification from a site that you find suspicious, don't click on its links. It's better to type the website's address directly into a browser than clicking on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn't what the link claims, do not click on it.
- Check for https - If you're divulging sensitive information to a website, especially for a money transaction, always double-check that you are on a secure connection, signified by a padlock and the https prefix in the address bar. Hovering your cursor over a link, or copying and pasting it, will reveal whether it uses https. Keep in mind that https only means the connection is encrypted; scammers can obtain certificates for their own lookalike domains, so a padlock alone does not prove you are on the real site. Check that the domain in the address bar is the one you expect.
- Double check the URL spelling - When typing a URL into your browser, take the time to verify you're spelling it correctly. With typosquatting, misspelling a URL could lead to a phishing scam.
- Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Before clicking on a link, hover over it and check for spelling. The safest move is to type the URL into your browser, with the correct spelling of course.
- Use multi-factor authentication - When available, you should be using multi-factor authentication on sensitive accounts. This means logging in requires at least two different kinds of verification, such as a password plus a one-time code from an app or a hardware security key, so a stolen password alone is not enough. A security question is just another piece of knowledge and offers far less protection than a second factor of a different kind.
- Have strong security software - Having strong protection on your family's gadgets is very important. The best defense against digital threats is strong security software.
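The sender-domain check described under the PayPal scam above and the link checks in this list can be automated for an email you are unsure about. The script below is an added example written for this post, not code from the original article or from PayPal or Amazon: it parses a message with Python's standard library, compares the From domain against the brand's real domain (exact match or subdomain, not a bare suffix match), flags links that are not https, hosts that contain a brand name without being the brand's domain, visible link text that disagrees with the actual href, and HTML attachments. The brand list, the two sample messages and every domain in them are constructed for the example.

```python
"""Offline triage of a suspicious email (added example; all data constructed)."""
import email
import email.utils
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains that may legitimately send mail for each brand.
# Assumption for the example: anything else is treated as an impostor.
BRAND_DOMAINS = {"paypal": ("paypal.com",), "amazon": ("amazon.com",)}
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def domain_matches(host, legit):
    """True only if host is legit itself or a subdomain of it.
    A bare string-suffix test would wrongly accept 'notpaypal.com'."""
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def brand_in_host(host):
    """Brand name that a hostname appears to trade on, if any."""
    host = host.lower()
    return next((b for b in BRAND_DOMAINS if b in host), None)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_bytes, claimed_brand):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    # 1. The display name is free text; only the address domain matters.
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not any(domain_matches(sender_domain, d) for d in BRAND_DOMAINS[claimed_brand]):
        findings.append(("sender-domain", f"'{name}' sent from {sender_domain}"))
    # 2. Links: scheme, lookalike hosts, and visible text that disagrees with the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = urlparse(href)
            host = target.hostname or ""
            if target.scheme != "https":
                findings.append(("no-https", href))
            brand = brand_in_host(host)
            if brand and not any(domain_matches(host, d) for d in BRAND_DOMAINS[brand]):
                findings.append(("lookalike-host", host))
            shown = urlparse(text).hostname if "://" in text else None
            if shown and shown.lower() != host.lower():
                findings.append(("text-href-mismatch", f"{text} -> {href}"))
    # 3. HTML attachments render a phishing form locally, with no link to hover over.
    for part in msg.iter_attachments():
        if part.get_content_type() in HTML_TYPES:
            findings.append(("html-attachment", part.get_filename() or "(unnamed)"))
    return findings


def build_message(sender, html, attachment_html=None):
    """Constructed sample message (not a real capture) for offline testing."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "shopper@example.org"
    m["Subject"] = "We have limited your account temporarily"
    m.set_content("Access to your PayPal account has been limited.")
    m.add_alternative(html, subtype="html")
    if attachment_html is not None:
        m.add_attachment(attachment_html, subtype="html", filename="verify.html")
    return m.as_bytes()


# Imitates the PayPal message described above: forged display name, http link
# whose visible text is a real PayPal URL, and an HTML form attachment.
PHISH = build_message(
    '"PayPal Security Team" <alerts@security.payservices.net>',
    '<p>Access to your PayPal account has been limited. '
    '<a href="http://paypal-account-verify.net/login">https://www.paypal.com/myaccount</a></p>',
    attachment_html="<html><form action='http://paypal-account-verify.net/go'></form></html>",
)
GENUINE = build_message(
    "PayPal <service@paypal.com>",
    '<p>Your receipt: <a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p>',
)
```

Running `triage(PHISH, "paypal")` reports five findings (sender domain, no https, lookalike host, text/href mismatch, HTML attachment), while `triage(GENUINE, "paypal")` reports none. The `domain_matches` helper is the important detail: it accepts `www.paypal.com` but rejects `notpaypal.com`, which a naive "ends with paypal.com" check would let through.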