Beware of Cyber Security Risks from Online Shopping and Long Holiday
With Christmas and New Year long holidays just around the corner, the strong festive atmosphere spells another peak season of shopping. Nowadays, as most of us have become accustomed to do our shopping online, we must always maintain good awareness of cyber security. To help you understand more, HKCERT has compiled this short piece on hackers’ tactics in online shopping and areas that online shoppers must pay attention in order to ensure a joyful shopping experience. This will also outline the possible security measures for organisations to implement during the long holidays.
Online shopping fraud
In online shopping, hackers use phishing websites and emails to steal from victims personal or sensitive information, such as credit card information and bank account passwords, etc. There are 3 common methods:
- Unbelievable discounts
As the festival approaches, consumers have become accustomed to browsing for online promotions and discounts to find their favourites. Hackers will leverage this behaviour to pretend to be merchants and set traps such as “shocking prices”, “flash sale”, or gift cards to attract consumers. When a consumer clicks on a picture or the link of discount, he or she will be led to a phishing website and asked for personal information in exchange for the discount, thereby stealing the consumer’s personal or even credit card information.
- Fake email/SMS
With a pretence of online shopping platforms or courier companies, hackers will send emails/SMS to the victims, falsely claiming that the delivery failed or requesting confirmation of the ordered items, etc. Usually, such email/SMS requires the victim to click on the link in the message which redirects the victim to a phishing website. Recently, hackers sent emails in the guise of an international courier company, asking the recipients to fill in information in order to steal their personal credentials. There were also cases in which the attachment of the email was actually a ransomware that would hijack the system.
- Fake website of popular brands
Hackers will create a fake website, register a URL very similar to the targeted brand, and even place advertisements to make their site appear in the forefront of search engine results, in order to deceive users.
Six things you should pay attention to while shopping online
- Don't click on any links or attachments from an unknown sender. Always enter the URL of the online shopping platform directly in your browser or use bookmark. Be careful with the legitimacy of the links and emails. For example, check for spelling and grammatical errors in the URL, or whether the sender is trustworthy. If the website does not use HTTPS for encryption, please be careful and do not provide sensitive information;
- Change the account password of online shopping platform regularly. If the platform supports multi-factor authentications, please enable it to enhance security;
- Place orders or check order status from official website or mobile app only;
- If you receive a suspicious email/SMS, verify with official channels for details. Do not provide sensitive information to unknown sender;
- Check your online payment records regularly for suspicious transactions; and
- Cross-check the order information displayed on the website or email/SMS to confirm that it matches the purchased item.
Tips for organisation during holiday
Organisations should beef up their cyber security during long holidays, by implementing the measures as follows:
- Before and after the holidays, check the network logs for suspicious activities in the company network, such as abnormal traffic, repeated failed login attempts, repeated file access failure events, and abnormal CPU usage, etc.;
- Ensure the backup system is working properly and an offline backup has been set up. If the company is infected by ransomware, the organisation can only rely on proper backups to restore data. For information on ransomware and its related preventive and remedial measures, please refer to HKCERT’s Fight Ransomware page;
- Perform vulnerability analysis and vulnerability scan of the systems (especially systems for remote access, such as VPN, etc.). Always update the systems to the latest version to fix known vulnerability. For details on the latest system vulnerabilities, please refer to HKCERT’s Security Bulletin;
- Review the user accounts of the system, and check whether the account is obsolete or has excessive privilege;
- Remind employees not to open suspicious emails. Pay attention to any fake company website or email; and
- When working remotely, use the company VPN to connect to the corporate network. Always use company’s PC for work.
HKCERT has also created a “Check Your Cyber Security Readiness" page for organisations to assess their cyber security readiness and obtain relevant security advice.