McAfee has released a list of 12 holiday scams. Here are some thoughts I had on the items in the list:
1. Clicking any links in e-mails and using them to give personal information are generally bad ideas, and shipping notification e-mails are no exception. If you placed an order, they already have all the information they need to ship you the item, so why would they need to ask you for it again?
2. This tip isn’t very specific, but it brings to mind shady sites that steal your credit card information instead of actually shipping you items. It may help to look up stores at the BBB. For example, if you type in www.newegg.com into the search box, you will see that the store has an A+ rating, and then you can see why the store received that rating if you’re interested.
3. It’s important to always do your research on anyone before giving them your money, and charities are no different. This tip is somewhat related to tip #1; if you click a link for a “charity” that e-mailed you rather than, say, Googling the charity first, you are more likely to send your money to a con artist than the organization that’s trying to help your chosen cause.
4. This tip has become more important lately. If you want to read about some recent breaches relating to point-of-sale malware, Brian Krebs’s blog has quite a few posts on the topic.
5. The tip to stick only to official app stores is especially important in light of Wirelurker and Masque Attacks. Apps from unofficial stores or any other untrusted source are a vector for malware.
6. We know that links and attachments sent via e-mail are a malware vector, so it shouldn’t be surprising that e-cards can lead to malware infection, because they inevitably fall into one of these two categories.
However, there are in fact legitimate e-cards, so if one of your friends actually sent one, you probably wouldn’t want to delete it. I found a list of tips here that may help a recipient determine whether a Hallmark e-card is fake or not, but not all of the tips are ironclad. Tip #2, for example, only goes so far because e-mail addresses can be spoofed. Tip #3 probably won’t help you if your friend’s e-mail account was compromised. It also wouldn’t help if some kind of vulnerability like this one allows them to determine the name behind an e-mail that they’re spoofing. I would add that you can also simply call someone on the phone to determine if they really sent you an e-card.
7. It doesn’t matter whether the link is offering you a free vacation or some steep discount. If the source that sent the link isn’t reputable, don’t click it. Also keep in mind that even if a link was sent from your friend’s e-mail or Facebook account, that account could have been hacked, so the sender alone doesn’t prove your friend actually sent it.
8. This is a classic description of vishing. I wrote a post on it back in June.
10. No matter what they call it, it’s still a link in an e-mail.
12. I don’t know if the name of this tip was intended as a pun on BadUSB, but here are two of my previous posts on the topic. Nohl’s advice is equally valuable whether we’re talking about malware in the firmware of USB devices or more run-of-the-mill malware stored in flash memory.