Watch out for Phishing and Social Engineering Scams this Holiday Season

‘Tis the season for fake emails and manipulative mischief

A Phishing Tale of Misfortune

Full disclosure, yes… I’ve been scammed. Before my dive into the cyber world, I coordinated product reviews for high-end consumer electronics like phones and computers, which are big-ticket items every year around the holidays. As part of my job, I combed the internet looking for jolly good tech journalists interested in reviewing our clients’ devices, and I found a juicy one: an opportunity with one of the biggest technology publications in the country. The journalist was looking for a specific device to inform their annual Tech Gift Guides column. Given that I had had success with these types of requests in the past, and with clearance from my management, we sent over the device. The journalist was professional, knew the right questions to ask, and was prompt in their email responses. We hustled to get the device into their hands, and in short order, we did. Once the device was delivered, all I heard were crickets. The journalist never replied to my emails again, and of course, the article with a plug for our client was a sham. The “catfish” was posing as a real, established writer for a very well-known publication and had us completely fooled. There was a silver lining: the assailant asked that we have it delivered within two weeks, and we got it there within one… speed like that can’t be taught.

This is, of course, a story of social engineering. Social engineering is a tactic used by attackers to manipulate people into sharing confidential information or performing actions they should not be taking. I understand this anecdote is not typical for most shoppers during the holidays, but I wanted to tell this story because it is timely, and it shows just how creative and deceptive online scammers can be. The holiday season will be full of not-so-nice swindlers masquerading as legitimate people in order to steal your personal information and get something out of you. So please, use the following tips to reduce the risk of being phished.

What to Look for in a Phishing Attempt

For most holiday shoppers, emails and text messages will be the most common form of deception attackers use to try to steal information from you. The email or text will likely tout an amazing holiday deal, accompanied by a link to a website. The first thing you should do is check the sender’s email address or phone number: do you recognize it? If not, you can safely assume the message is spam. If you are on a computer, you should also hover over the link, which will show the destination URL before you click it. Check that URL to see whether it is one you recognize. But let’s say, for the sake of this blog, you do click the link and are brought to a website that looks familiar. Everything on the website looks completely normal, and it asks for your email and password to log in. While the website may seem legitimate, entering your login information hands it straight to the attacker to use against you. Believe it or not, the Swiss Cyber Institute found that 1.5 million fake websites are made every month with exactly this purpose, so be on the lookout this holiday season.

Let’s play a game

I understand my story was specific to a job, but for online shoppers, I have prepared a little quiz. Below are three screenshots of popular websites; two are real and one is fake. You must determine which of the three pictures is fake. The answer lies below the third screenshot:

Website A:

Photo Credit: What is Phishing? Take the OpenDNS Phishing Quiz

Website B:

Photo Credit: What is Phishing? Take the OpenDNS Phishing Quiz

Website C:

Photo Credit: What is Phishing? Take the OpenDNS Phishing Quiz

And the Answer Is…

Website A? If you chose that option… that was wrong. Always check the URL of the website you are browsing if you were sent there from a link in an email or text. The URL in your email should be the same URL you would use if you went directly to the website. Additionally, an address starting with “HTTPS” clearly shows it’s unforged. The answer is Website B. While the website shares the same font and web design elements as Amazon’s actual website, the URL lacks “HTTPS”, and the IP address displayed in the address bar is not Amazon’s e-commerce domain.

Photo Credit: What is Phishing? Take the OpenDNS Phishing Quiz
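To turn the address-bar checks from the quiz answer into something you can run, here is an added Python example (not from the original post or from the OpenDNS quiz) that flags the three red flags named above: no HTTPS, a raw IP address as the host, and a host that is not the expected domain or one of its subdomains. It also generalizes slightly to the “user@host” trick, where the brand name appears before an “@” but the real host comes after it; the sample links and the expected domain are constructed for illustration.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit


def url_warnings(url: str, expected_domain: str) -> List[str]:
    """Return the red flags the post describes for a link destination.

    expected_domain is the site you believe the link should go to
    (e.g. "amazon.com"); a legitimate host is that domain or a subdomain of it.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower().lstrip(".")

    # Red flag 1 from the post: the address does not start with HTTPS.
    # (A padlock on its own does not prove legitimacy, since a certificate can
    # be obtained for any domain the attacker controls, so the domain check
    # below still matters.)
    if parts.scheme.lower() != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'none'!r})")

    # Red flag 2: a raw IP address in the address bar instead of a brand domain.
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a raw IP address ({host})")
    except ValueError:
        pass  # not an IP literal, which is what we expect for a real shop

    # Red flag 3: the host is not the expected domain or one of its subdomains.
    # Comparing on a dot boundary matters: "notamazon.com" ends with the
    # string "amazon.com" but is a completely different registered domain.
    if not (host == expected or host.endswith("." + expected)):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")

    # Generalization: "brand@realhost" links, where the brand-looking text is
    # really a username and the browser connects to the host after the "@".
    if parts.username is not None:
        warnings.append("URL contains a user@ prefix that hides the real host")
    return warnings


# Constructed sample links in the spirit of the quiz (192.0.2.10 is a
# documentation-only address, not a real site).
SAMPLE_LINKS = [
    "https://www.amazon.com/ap/signin",
    "http://192.0.2.10/ap/signin",
    "https://notamazon.com/signin",
    "https://amazon.com@evil.example/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", url_warnings(link, "amazon.com") or ["looks consistent"])
```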

If you had entered your login information into this sign-in window, BOOM, the assailant has your information and can now log into your account, so be sure to also enable second-factor authentication (in the event your password is compromised, you’ll have another layer of protection). If you have not, the attacker can enable it for you, have it send authentication texts to their own phone number, and lock you out completely. Be sure to keep these tips in mind while shopping online, as Amazon will likely be a common destination for shoppers this year. Quizzes like the one above are common in security awareness training, so if your organization is lacking one, do not hesitate to reach out to us today with any questions or concerns!

For more information, speak with a QoS consultant today, or reach out through the contact form on our website.