By Orly Bar Lev, Cybersecurity expert, Mimecast.
The holiday season is fast approaching, and consumers are turning to websites to make their purchases, leaving them exposed to fake websites impersonating the legitimate brands they know and love.
UK Finance, the trade body for the financial services sector, said more than £27m was lost to such fraud at the start of the year, with the average loss totalling £720 per case. The goods advertised, commonly on social media or online marketplaces, are often cheap, which is likely to attract consumers hoping to save money or make their pound go further this winter. Unfortunately, once the order is placed, consumers find that the products never arrive. Cybercriminals behind such schemes may even harvest the financial data of victims to use for future purposes.
14,000 suspicious domains
This isn't the only scam online shoppers should be wary of. Mimecast scanned the Internet for over two weeks for abuse of 20 major retailers' brands and detected nearly 14,000 suspicious internet domains. These include fake sites where an attempt is made to extract sensitive data, such as personal or payment data, and pages that refer to a competing online store.
We have found that American online retailers are the most common victims of such brand abuse: monitoring five major retailers in the US, we identified more than 12,000 suspicious domains. On a smaller scale, we uncovered similar trends in the UK and Europe: a scan of two major British fashion retailers revealed more than 250 suspicious domains, and we found more than 800 suspicious domains mimicking a major German sports brand.
Well-known brand inspires confidence
With Black Friday and the holidays approaching, cyber criminals are sharpening their knives. Due to COVID, we are now more dependent than ever on web stores. Many consumers know that not all online shops are reliable and, as a precaution, shop at large retailers with which they have good experiences. But what if a cyber criminal mimics the website of such a retailer in detail? A well-known brand inspires confidence. It is important that people are aware of these practices.
To avoid falling into the traps laid by cybercriminals, consumers should follow a series of simple tips before spending any money online:
1. Don't rely blindly on the URL
Whether you followed a link or clicked on an email from a well-known retailer, make sure you check that the URL is the official one, even if the sender and the email address seem legitimate. This practice, called ‘spoofing’, consists of cybercriminals creating a fake online page that looks similar to the retailer’s. The best way to spot the fake is to look at the URL: cybercriminals will usually leave typos or unusual characters in the hyperlinks. If you see one, assume the website isn’t legitimate.
2. Be careful of urgent offers
Cyber criminals often try to create urgency so that the target is less careful. During Black Friday and the holidays, they often use temporary offers to drive demand fast, and prevent consumers from taking the time to check for any signs of an illegitimate website. If you find yourself under pressure to buy something quickly or to click on a separate link to pay, it is likely you are being driven to a fake website where cybercriminals will be harvesting your data.
3. Scan the website for language errors
A lot of fake websites are quite convincing and will often look similar to the legitimate page. Yet, they will often include text that doesn’t read quite right, mediocre translations or strange language. Big retailers will usually spend a significant amount of time creating content that is compelling and well-written. Therefore, if the language doesn’t sound right, it’s likely the website is fake.
4. Secure is not the same as safe
A lock in the address bar indicates that the website uses a secure HTTPS connection. Yet, even a secure website can be dangerous: hackers could use it as an opportunity to infect your device with malware, or try to steal your data through an online form.
5. Navigate to the official website
If you have followed all the other tips and you’re still unsure whether a website is legitimate or not, always visit the retailer’s website yourself. Hackers can work extremely fast, which makes it difficult for retailers to monitor all potential spoofs on the internet. If you find a website that doesn’t seem official, please contact the retailer to inform them of the situation. They will take the necessary measures to take down the website, and ensure that all their customers are driven to their official website to buy the products they are looking for.
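The URL check from tip 1 can also be automated. The following is an added example, not Mimecast's scanner or code from this article: it compares a link's hostname with a list of official domains and flags typos, unusual characters, or the brand name appearing in a domain the retailer does not own. The retailer domains and sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hypothetical retailers, not brands named in the article.
OFFICIAL_DOMAINS = ("shopco.co.uk", "example-retailer.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Label a link by how its hostname relates to the official domains."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # lower-cased, no port
    if not host:
        return "invalid"
    labels = host.split(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Non-ASCII or punycode ("xn--") labels can hide look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "unusual-characters"
    for official in OFFICIAL_DOMAINS:
        # Compare the same number of trailing labels, so "www." is ignored.
        tail = ".".join(labels[-(official.count(".") + 1):])
        if 0 < edit_distance(tail, official) <= 2:
            return "typo-lookalike"
    # Brand name present, but the domain is not one the retailer owns.
    if any(d.split(".")[0] in host for d in OFFICIAL_DOMAINS):
        return "brand-in-other-domain"
    return "unrelated"

# Constructed sample links for illustration.
SAMPLES = (
    "https://www.shopco.co.uk/sale",
    "https://shopc0.co.uk/login",
    "https://www.exampel-retailer.com/",
    "https://shöpco.co.uk/",
    "https://shopco.co.uk.account-check.example/pay",
)

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_url(link):22} {link}")
```

Every sample link uses HTTPS, so each would show the lock from tip 4; only the first is classified as official.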
The holiday season should be about spending time with and offering presents to loved ones – not worrying about a hacker stealing confidential data. By following these five steps, consumers will be able to develop the right habits when shopping online, enabling them to focus on what the season was designed for: celebrations.