A stark new warning has just been issued ahead of the holidays. The deluge of Black Friday spam emails hitting mailboxes across all the most popular platforms is much more dangerous than you might think. Being pushed to "buy now" is actually the least of your worries. The advice is simple for Gmail, Outlook, Apple Mail and Yahoo users: Do not open these emails, delete them from your inbox right away.
Bitdefender has been monitoring Black Friday themed spam emails since last month, and warns that "cybercriminals have wasted no time trying to capitalize on the frenzy." While this includes the usual plague of "phishing emails impersonating trusted brands," the researchers warn that this holiday season has proven "fertile ground" for more malicious types of threats.
The incredible headline number is that 3 out of every 4 Black Friday themed spam emails is now a scam. That might mean it's a phishing lure to steal your credentials or card details, or it might be seeking to plant malware on your device. Gone are the days when the biggest threat was a so-called marketing lure, "emails designed to drive traffic to legitimate but overly aggressive promotions." This is bad for you and bad for all the brands trying to reach you -- even if they're a bit pushy in doing so.
This new 77% figure is up almost a third from two years ago and is increasing year-on-year. It means that on balance of probability, almost every Black Friday marketing email you see could be a threat and is almost certainly fraudulent. And with new tricks to better copy legitimate brands to trick you into clicking or buying, you should simply visit websites the usual way rather than clicking through.
Bitdefender reports that "the US and Europe remain the top targets: The United States received 38% of all Black Friday-themed spam, while Europe accounted for 44% of global spam activity, with Germany and France among the most targeted countries... 66% of Black Friday-themed spam originated from the US, while Europe accounts for 23% of spam origin, with countries such as France, the Netherlands and Germany leading. Countries in Asia are also present, with 6% of Black Friday spam (by volume) sent from IP addresses in Indonesia, Japan, and China."
Unsurprisingly, scammers tailor their campaigns to lure users looking into the most popular product categories and brands -- phones, household electronics, gadgets and fashion. "One of the most notable features of Black Friday scam campaigns this year is their diversity. Scammers have tailored their messages and tactics to appeal to different groups of shoppers, ranging from tech enthusiasts to fashion aficionados, with campaigns targeting various demographics and regions."
Specific tricks highlighted by Bitdefender include:
While the usual phishing advice is to check URLs and look for telltale signs that an email is fake, the Black Friday campaigns are so pervasive that you're better off looking at the headlines and, if you like the promotion, going to the site itself. If it looks like spam, avoid it. If it is a brand you trust and you're certain the email is legitimate, then go ahead and open it. But I would certainly advise against clicking directly through on any links within those emails.
Remember, it's not just phishing tricks you need to watch for. Emails designed to deliver malware to your device could remain hidden, quietly stealing your credentials and other personal data, without you ever realizing.
We have already seen a range of threats this holiday season targeting users of the most popular email platforms and web browsers, including SEO poisoning to push malicious campaigns directly into Google's search results, increasingly sophisticated phishing lures and brand impersonation advances.
Kaspersky has warned online shoppers this holiday season that "scammers often impersonate major retailers like Amazon, Walmart or Etsy with deceptive emails to lure unsuspecting victims. These emails typically claim to come from the companies themselves and promote exclusive discounts, especially during high-traffic shopping periods like Black Friday... Emails designed to exploit the urgency and excitement of seasonal sales to trick consumers into clicking potentially dangerous links."
The lures are clever. The bad actors know your guard will be up given all these phishing warnings, and so they are designed to overcome this with a sense of urgency and a fear of missing out. "The catch is always the same: act quickly, or risk missing out on the 'exclusive' offer," Kaspersky explains. "In reality, there is no deal -- just a carefully designed scam aimed at manipulating victims into making small payments to the scammers, thus losing money and giving away their payment details."
Stick to the FBI's advice: "If a deal looks too good to be true, it probably is! Steer clear of unfamiliar sites offering unrealistic discounts on brand-name merchandise. Scammers frequently prey on Black Friday and Cyber Monday bargain hunters by advertising 'One-Day Only' promotions from recognized brands. Without a skeptical eye, consumers may end up paying for an item, giving away personal information, and receive nothing in return except a compromised identity."