‘Tis the season to … go shopping? In the U.S., the day after Thanksgiving – often called “Black Friday” – has traditionally been the heaviest shopping day of the year. Spending on that day in 2012 totaled a record-breaking $59.1 billion despite an uncertain economy. In the last decade, though, another “big spender” day has been gaining ground, with “Cyber Monday” – the Monday after Thanksgiving – designated as the day for online shoppers to make their holiday purchases. According to Adobe’s statistics, last year’s Cyber Monday sales were just shy of $2 billion, a 17 percent increase over 2011.

This new tradition is a great convenience for those of us who prefer to avoid the whole holiday shopping nightmare and get our gift-buying done from the comfort of home. It’s also a big boon for online retailers, who seize the day by advertising all those “offers you can’t refuse” to lure us in while we’re in the spending mood. However, there’s a dark side that many people don’t think about: Cyber Monday also presents a perfect opportunity for phishers and other cyber criminals to take advantage of the “quick click and buy” mentality to separate you from your money in a less ethical or downright illegal way.

Phishing schemes work the same way during the holiday season as at any other time – but because the pool of potential victims is so much larger, phishers step up their efforts. According to a report released by FireEye in 2012, the incidence of phishing attacks spikes at Thanksgiving, in part because many security center personnel are off work, leaving those centers understaffed. Computer users are also likely to be more gullible at a time when they’re caught up in the festive spirit and pressed for time because of all the extra parties, family outings, and changes to the usual routine.

One of the reasons more people are shopping online is the way ordinary people seem to go a little crazy in the frenzy of trying to get a good deal on a desirable item, especially one that’s in short supply. Online shoppers aren’t immune to the urge to get a little reckless in the pursuit of a great price, either. I’m normally the opposite of an impulse buyer, doing massive pre-purchase research and comparison and agonizing over any major outlay – but I recently found myself this close to booking a cruise even though it was at an inconvenient time and I had no one to go with me, just because the price was so low. It was a legit deal, but my reaction made me stop and think about just how easy it is to get caught up in the moment when you see a great bargain – or just what appears to be one.

As Cyber Monday approaches, you’re likely to get plenty of those legitimate sales emails from companies with which you’ve done business in the past. My inbox is already beginning to fill up with holiday sales announcements from Nikon, Sony, Dell, HP and other companies from which I’ve bought directly online. Some of these messages are really from those companies and others might not be. If I see something that interests me, instead of clicking the link in the email, I generally type the company’s URL directly into my browser to be sure I’m going to the “real” site. Most of the time that works fine, although occasionally you might lose out on a special deal that’s in a link for “select” customers only.

Phishers are getting better and better at making their deceptive email messages and web sites look like the real thing, but often there are still some obvious clues if you know how to look for them. Many phishing messages and sites will contain misspellings or grammatical errors that you wouldn’t expect to see from a big company with a hefty budget for producing its advertising. Oh, a mistake may slip through now and then in the real ads, but if there are multiples, be suspicious.

One dead giveaway that a message is a phish is when the hyperlinks in the message don’t match the URLs printed in the text. In other words, the message says something like “go to www.sony.com,” but if you hover over that link, you see that it will actually take you to www.bigbadphisher.com/sony.htm. Don’t assume that seeing the “right” links means all is okay, though. Some sophisticated phishers use URL redirection or domain forwarding to confuse matters further. Another tactic is to use characters from a different language to make a URL look as if it says one thing when it actually says another, or to register a domain that’s one letter “off” from the real one, or to substitute a lowercase “L” for an uppercase “I,” or similar visually deceptive tricks.
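As an added illustration (not part of the original post), here is a small Python checker that applies three of the clues above to the links in an HTML message: the printed URL versus the real destination, host names containing non-ASCII characters or their punycode form, and domains one letter off from an allow-list of retailers you know. The allow-list, the sample message body and the helper names are constructed for this example.

```python
import re
from urllib.parse import urlparse
# Constructed allow-list of retailers the reader has actually bought from (assumption).
KNOWN_DOMAINS = {"sony.com", "dell.com", "hp.com", "nikon.com", "paypal.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
PRINTED_URL = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def registrable(host):  # crude cut to the last two labels (enough for .com brands)
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein; 1 means "a domain that is one letter off"
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(href, text):  # returns the clues that make one link suspicious
    host = urlparse(href).hostname or ""
    warnings = []
    # Clue 1: the URL printed in the link text and the real destination disagree.
    shown = PRINTED_URL.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        warnings.append(f"text says {shown.group(1)} but link goes to {host}")
    # Clue 2: characters from another script (or their punycode form) in the host.
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        warnings.append(f"non-ASCII/IDN host {host!r}")
    # Clue 3: one letter off from a known retailer (hostname() lowercases, so I-for-l counts).
    for known in KNOWN_DOMAINS:
        if registrable(host) != known and edit_distance(registrable(host), known) == 1:
            warnings.append(f"{registrable(host)} is one letter off from {known}")
    return warnings

def scan_email(html):  # maps href -> clues for every suspicious <a> in the body
    flagged = {}
    for href, inner in ANCHOR.findall(html):
        clues = check_link(href, re.sub(r"<[^>]+>", "", inner))  # strip nested tags
        if clues:
            flagged[href] = clues
    return flagged

# Constructed sample body (not a real email); link 2 uses Cyrillic 'о' U+043E for Latin 'o'.
SAMPLE_EMAIL = """
<p>Go to <a href="http://www.bigbadphisher.com/sony.htm">www.sony.com</a> for deals!</p>
<p>Or visit <a href="http://www.s\u043eny.com/">Sony</a> directly.</p>
<p>Genuine: <a href="https://www.dell.com/deals">www.dell.com</a></p>
<p><a href="http://www.paypaI.com/login">Confirm your payment method</a></p>
"""
```

Running `scan_email(SAMPLE_EMAIL)` flags the first, second and fourth links and leaves the genuine Dell link alone; the regex-based anchor extraction is deliberately simple and is not a substitute for a real HTML parser on messy mail.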

Early phishing attacks were simple: the email message was designed to get you to click a link and go to a web site, and the web site attempted to get you to enter credentials such as your bank account number or credit card information, which the attacker then used to steal your identity. But don’t think you’re safe just because you didn’t enter any personal info on the site. Some web sites run “drive by attack” scripts that can install malware on your system without your knowledge. The malware can collect personal data stored on your computer or capture the keys you press when you go to your banking site or buy something from a legitimate online retailer, and send that information back to the phisher.

Online as in the “real world,” if a deal seems too good to be true, it most often is. That makes such offers easy to identify and bypass – but smart phishers know this, and will make their deals “just good enough” to sound real. Does this mean you have to forgo all the great sales that pop up during the holidays? Should you assume that every low-price offer you see online smells phishy? No – but it means at this time of the year, even more than usual, it’s essential to look hard before you click. Happy cyber shopping!