For most of us, the holiday season is about friends, family, food—and shopping! Black Friday and Cyber Monday fall just after Thanksgiving in the U.S., but internationally, they are two of the busiest shopping days of the year. Unfortunately, while you’re looking for holiday deals, the bad guys are looking for ways to scam you any way they can.

Follow these tips to stay safe this holiday season:

1. Keep your smartphone, computer, and other devices updated. This helps ensure that your device has the latest security patches.
2. Only use trusted Wi-Fi connections and be suspicious of any network that does not require a password to connect.
3. Take the time to change any outdated or simple passwords. Use strong, unique passwords on all of your accounts.
4. Be careful not to overshare on social media. Consider anything you post to be public information.
5. Keep an eye on the activity in your banking and credit card accounts. Also, be sure to monitor your credit report on a regular basis.
6. Be suspicious of emails you receive about online purchases. Check the status of your order directly on the website that you purchased from.
7. If you receive a holiday greeting card in your inbox, verify the sender before clicking the link to view the card.
8. If you’re traveling for the holidays, be sure to keep your devices stored safely at all times.
9. Pay close attention to the websites that you order from. Only shop on websites that you know and trust.
10. Watch out for giveaways and contests. Remember that if something seems too good to be true, it probably is.

The prevalence of phishing scams is at an all-time high. It is important to question the legitimacy of every email you receive. Below is a list of questions to ask yourself about any links or attachments on the email that may help you realize that you are being phished.

Are there hyperlinks in the email?

• Hover over any links and check the link address. Does it match the website for the sender exactly?
• Did you receive a blank email with long hyperlinks and no further information or context?
• Does the email contain a hyperlink that has a misspelling of a well-known website? (Such as Micorsoft)
• Is the sender’s email from a suspicious external domain? (like micorsoft-support.com rather than microsoft.com)

What about attachments?

• Did the sender include an email attachment that you were not expecting or that makes no sense in relation to the email’s context?
• Does the sender ordinarily send you these types of attachments?
• Did the sender send an email with a possibly dangerous file type? Files with a .TXT extension are typically safe, but beware, files can be disguised with a different type of file extension.

If you notice anything about the email that alarms you, do not click links, open attachments, or reply. You are the last line of defense to prevent cyber criminals from succeeding.

Grocery delivery services have been quite popular during the COVID-19 pandemic. These services help support social distancing, reduce the number of shoppers in each store, and allow at-risk patrons to safely buy essential items. Unfortunately, the popularity of these delivery services has caught the attention of cybercriminals. The bad guys are now spoofing supermarkets that offer delivery services in hopes of stealing your personal information. It starts with a phishing email that urges you to log in to your supermarket’s website using the link provided. Clicking the link takes you to a fake login page for your local supermarket. The page asks you to select your email provider (Gmail, Apple, and so on) and then log in to connect your account. Don’t be fooled! Connecting your account actually delivers your email credentials to the bad guys.

Remember the following tips:

• Never click on a link within an email that you weren’t expecting.
• Remember that email addresses can be spoofed. Even if the email appears to be from a familiar organization, it could be a phishing attempt.
• When an email asks you to log in to an account or online service, log in to your account through your browser-not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.

A new phishing email—seemingly sent from your local government funding agency—is offering phony relief grants to those in need. What makes this scam especially sneaky is that the bad guys use a Dropbox link to disguise their malicious attachment. Dropbox is a legitimate and commonly-used file sharing service. Therefore, the email security filters that your organization has in place may not consider the link as a red flag–increasing the chances of this email landing in your inbox.

The phishing email urges you to click a Dropbox link so you can download a file that supposedly contains information about your relief grant payment. The link even includes an expiration date for an added sense of urgency. If you click the link, then, download and open the phony file, you’re taken to a look-a-like Microsoft 365 login page. If you enter any information on this page it will be sent directly to the scammers.

Remember these tips:

• Never click a link or download an attachment from an email that you weren’t expecting. Even if the sender appears to be a legitimate organization, the email address could be spoofed.
• Be cautious of unexpected deadlines. Scammers often create a sense of urgency to spark impulsive clicks.
• Get confirmation before clicking a Dropbox link. If you feel the file could be a legitimate resource for your organization, reach out to the sender another way—like by phone—instead of trusting the email.

Have you ever noticed the blue checkmark on your favorite celebrity’s social media profile? This checkmark shows that the person has provided documentation to verify their identity. Verification helps you know a real account from a fake—but this tool isn’t just for celebrities. Whether you have a personal social media account or manage one for your organization, being verified can be a great benefit.

To become verified, you are required to provide sensitive information which, unfortunately, makes this process the perfect bait for a phishing attack. Cybercriminals spoof popular social media platforms like Twitter, Instagram, and YouTube by sending out fake verification emails. The emails include a link that, when clicked, takes you to a convincing verification form. Here you’ll be asked for things like your username, organization, password, gender, and more. Anything entered on this page is sent directly to the bad guys.

Stay safe from this fake verification scam with these tips:

• This attack exploits the feelings of excitement and validation that comes with becoming verified. Don’t let the bad guys play with your emotions. Think before you click!
• Never click on a link within an email that you weren’t expecting.
• When an email asks you to log in to an account or online service, log in to your account through your browser—not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.

The bad guys are automating robocall scams worldwide. Recently, there has been a rise in this type of fraud. They have a variety of attacks that you should watch out for. Here are a few examples:

1. Bank account and credit card scams where the bad guy claims to be an official from your bank or card company
2. Extortion scams where they request payment for a kidnapped friend or family member
3. Callback Scams where you are tricked into calling back a very expensive international number

Remember the following to avoid robocall scams:

• If you receive a call from a company urging you to complete a request, hang up and call back the company directly to investigate.
• Scammers can spoof any number they’d like. Therefore, even if a call looks like its coming from a familiar source, it could be a scam.
• Never provide personal information over the phone unless you’re the one who initiated the call.

Think Before You Pick Up!

The bad guys have come up with a scam to steal your Social Security Number (SSN). These fraudulent vishing, or “voice phishing” attempts often appear to come from the actual Social Security Administration (SSA) number–but the scammers are faking it.

When you answer the phone, the bad guys claim that your SSN has been suspended due to suspicious activity or involvement in criminal activity. They’ll also claim your bank account will be seized, to shock you into action. The scammers will then ask you to confirm your SSN in order to reactivate it–don’t fall for this trick!

Remember the following facts to avoid falling for this SSN scam:

• Your SSN will not be suspended! The SSA would never call to threaten you or your benefits.
• If you receive a suspicious call claiming to be from the SSA, hang up and call the SSA yourself to confirm.
• Never give any part of your SSN (or your bank account or credit card number!) to anyone who contacts you.

Always think twice before sharing your sensitive information with strangers!

If you’ve ever used social media to make a complaint about a company, you’d know that many organizations are quick to respond to this public expression. But have you ever stopped to question whether the account responding to your concern is really someone from the company?

Recently, fraudsters have taken to social media platforms to trick people into falling for their “help” and giving away their personal information. For example, a woman was upset with her broadband services so she took to Twitter to complain about her provider. She promptly received a response from an account appearing to be the customer service team for this company. The “customer service team” was able to gain personal information, and even banking information from her by using lines like: “I’m having trouble locating your account” and “I’ll first need to ask you a security question”. The woman soon found her bank account emptied out and several loans taken out under her name.
Clearly, this customer service team wasn’t helping anyone aside from themselves.

Remember the following to protect yourself:

• Never trust that an account is legitimate based on their Twitter “handle”, or any other “name” on social media. Just because the company name is present, doesn’t make it valid.
• A legitimate organization would never ask you for sensitive data like your bank account information. If it sounds like a strange request, then it probably is.
• If you’re having trouble with a product or service, log in to your account or reach out to their customer support channels, yourself. Never trust a response you receive after making a public complaint on social media or anywhere else online.