Online Scams Are More Sophisticated Than Ever. Here's How to Shop Safely on Black Friday and Cyber Monday, According to a Cyber Intelligence Expert.
Vice president of intelligence at ZeroFox AJ Nash reveals how the 'spray and pray' approach and rise in social media scams contribute to the threat.
By Amanda Breen Edited by Jessica Thomas
As Thanksgiving approaches, so do Black Friday and Cyber Monday.
Last year, the National Retail Federation reported nearly 180 million unique shoppers over the five-day period between Thanksgiving Day and Cyber Monday, which exceeded estimates by more than 21 million. According to NRF's data, 104.9 million of those shoppers visited stores and 127.8 million made their purchases online (some shopped both in-store and online).
Of course, "Cyber Week" brings in major revenue: The 2021 sales stretch drove nearly $40 billion in online spending, per Adobe.
But the onslaught of online deals doesn't just draw eager shoppers — it also gives cybercriminals a prime opportunity to trick people out of their money.
"Cyber Monday and Black Friday open the door for adversaries to make offers," AJ Nash, vice president of intelligence at ZeroFox, says. "Maybe if it were a Wednesday in July, you'd go, Man, that seems too good to be true. But come Cyber Monday, you go, Oh, maybe it's a doorbuster. Maybe somebody really is giving away this amazing thing for almost nothing."
Nash spent nearly two decades in the intelligence community, describing himself as a "traditional intel guy," before he was recruited for a cyber-focused contract, then to the private sector.
Entrepreneur sat down with Nash to discuss how cyber scams have become more sophisticated over the years and how you can protect yourself from even the craftiest cybercriminals.
"Technologies have made it easier to do a better job of impersonating."
Phishing, the process by which an attacker sends a fraudulent message to get someone to share sensitive information or to introduce malware, is one of the oldest tricks in the cybercrime book.
But the "spray and pray" approach, where cybercriminals attempt to maximize the volume of their scam to get the biggest returns, has gotten an update over the years, Nash says.
"Technologies have made it easier to do a better job of impersonating," he explains. "It costs very little to buy a domain that looks very close to the real one. It's a misspelling, or they use a lowercase 'L' to replace a capital 'I.' There's a lot of different ways to set that up."
From bogus websites to texting schemes, cyber scammers are skilled in weaving webs that appear legitimate. A link sent through SMS might lead back to an authentic-looking site, for example.
"The longer you go down those paths, if adversaries link things together and layer them, the more trust it creates," Nash says. "If you believed the first thing, then everything else is going to reinforce that as a potential victim."
The schemes themselves also run the gamut, though two remain among the most common: non-delivery scams, where shoppers are duped into purchasing something that never arrives, and gift card hoaxes, where people are tricked into buying virtually untraceable gift cards or paying with them.
Another rich arena for scammers? Social media.
"Social media is a huge opportunity," Nash says, "setting up social media accounts and luring people in, especially if you're dealing with social media platforms that aren't doing a particularly good job of regulating what is a valid account versus what isn't."
And if you do fall for a fraudulent post, all it takes is one click for disaster to ensue. Hit that link promising the deal of a lifetime to the first 500 customers, and you risk having your personal information stolen or your device compromised.
How to avoid online scams on Black Friday and Cyber Monday
So, how can you stay safe while shopping for some of the best (legitimate) deals of the year?
First, never forget that if a bargain sounds too good to be true, it probably is, Nash says.
Once you suspect you might be a target, do your own investigation. For example, if you receive an amazing offer with a link attached, don't click it.
Instead, take a good look at that web address, Nash suggests, searching for any alterations to an authentic retailer's URL — whether it's one of those misspellings or capitalization swaps. Copying the address into a word document and switching up the font can make it easier to spot discrepancies.
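The address check described above can also be done mechanically. The following is an added example, not part of the original article: the retailer domains are constructed placeholders, the function names are hypothetical, and the look-alike table goes slightly beyond the article's lowercase-'L'-for-capital-'I' case by also folding the digits 1 and 0.

```python
from urllib.parse import urlsplit

# Constructed placeholder domains standing in for retailers the shopper really uses.
KNOWN_RETAILERS = {"shopmall.example", "dealsville.example"}

# Characters that are easy to confuse in many fonts, folded to one representative.
# Hostnames are case-insensitive, so a capital "I" is really the letter "i".
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

def skeleton(domain):
    """Lowercase the domain and fold look-alike characters together."""
    return domain.lower().translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(url):
    """Last two hostname labels (assumption: ignores suffixes like .co.uk)."""
    if "://" not in url:
        url = "//" + url          # let urlsplit see a bare host as a netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(url):
    """Classify a link against the allowlist: match, lookalike, or unknown."""
    domain = registered_domain(url)
    if domain in KNOWN_RETAILERS:
        return ("match", domain)
    for real in sorted(KNOWN_RETAILERS):
        if skeleton(domain) == skeleton(real):
            return ("lookalike-characters", real)   # e.g. I / l / 1 swapped
        if edit_distance(domain, real) <= 2:
            return ("lookalike-misspelling", real)  # dropped or changed letters
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links of the kind that arrive by SMS or email.
    for link in ("https://www.shopmall.example/black-friday",
                 "https://shopmaIl.example/deal",
                 "http://dealsvile.example/free"):
        print(link, "->", check_link(link))
```

A "lookalike" result names the real retailer being imitated, which is the address to type into the browser by hand instead of following the link.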
You should also pay close attention to the message itself. Improper English and grammatical errors are red flags, Nash says.
Another simple tactic? Type the deal into your browser to see if it comes up anywhere else.
"If you start Googling it and you're somehow the only person that seems to know where this thing is, there's a good chance it doesn't exist," Nash explains. "You're not that special. None of us are."
It's also good practice to avoid giving out sensitive information as much as possible, even when websites seem legitimate. Consider using a separate credit card for online orders; some financial institutions even offer virtual credit cards. Both options can prevent cybercriminals from moving "laterally through the rest of your finances," Nash says.
Along the same lines, it's important to make sure you're using different usernames and passwords for all of your accounts.
"If they trick you into the website and you give away your information, [for a] lot of folks, that means you give away everything because you didn't just give away that one Visa or MasterCard," Nash says. "It turns out that's the only password and username used for everything. More than ever, this is the time of year to remember to randomize passwords and use password management and two-factor authentication."
If you do make a purchase and have doubts after the fact, it might not be too late to protect yourself. Start by seeing if you received a confirmation email with tracking information — if you didn't, it's a bad sign.
"I had this happen to me, maybe 10 years ago," Nash says. "I got a laptop — it was a little too good to be true, but not crazy good. And I got a tracking number that didn't match up; the post office couldn't figure it out, et cetera. Well, lo and behold, that laptop never made it to my house."
But depending on your payment method and its associated insurance terms (which you should check before you shop), you might be able to recoup that money, Nash notes.
Keep these strategies in mind for a successful and safe Cyber Week this year.