Brian Krebs has written a new post warning about the dangers of fake order confirmation e-mails. 2 of the screenshots in the post show examples of fake order confirmation e-mails from Home Depot and Walmart, respectively. I don’t know with absolute certainty the dates the e-mails in these screenshots were sent, but because both e-mails mentioned Thanksgiving and have a copyright date of (or ending in) 2014, they are likely to be recent.
Nevertheless, Krebs is correct in referring to this type of e-mail as a “perennial scourge.” A quick Google search reveals similar scams going back as far as 2004, though the DSLReports scam does not seem to explicitly mention the holidays. Here’s another example in 2012 that probably linked to a phishing website. Here’s a third example from 2013 that infects your computer with malware if you click any of the links.
From a technical standpoint, fake order confirmation e-mails are no different from the countless other scam or malware e-mails. What makes them different in practice is the subtlety with which they social engineer users into clicking links and opening attachments.
There are at least a few ways even a somewhat cautious user may be tricked into clicking a link or opening an attachment. First, as Krebs points out, if you actually ordered something from a store recently, you might be interested in knowing whether it will arrive before the crucial December 25. Second, if you didn’t actually order anything, you may believe a friend ordered something for you, so you might be curious about the details. Third, if neither you nor anyone you know has ordered anything, you might be concerned that someone has been illegally placing orders using your money. I believe if you can successfully address all three of these possibilities, your chances of falling prey to a fake order confirmation e-mail will be significantly lower.
Scenario 1: You actually want to know the status of your order
One way to address the first possibility is to plan ahead and order your holiday gifts well in advance instead of doing your shopping at the last possible minute. Check the estimated shipping dates before you actually place the order, and make sure to allow extra time for delays. If, for example, the estimated shipping time is 5-7 days and you want to make sure your order arrives by December 25, it wouldn’t hurt to order today if you know what you want already. The extra time will decrease the probability that an unexpected delay such as a huge snowstorm that shuts down airports will delay your order’s delivery. Planning ahead will also reduce your anxiety. If you know your order will arrive on time, you will have less reason to constantly check on its status. Checking, incidentally, will do nothing to speed up the delivery of your order.
Scenario 2: Someone you know ordered something for you
The second possibility is a bit trickier. On certain occasions, it may indeed be possible that a friend has ordered something for you that can be accessed only by clicking a link. In one of my other posts, I cited just such a possibility: Hallmark e-cards. One way to protect yourself against fake e-mails of this type that masquerade as legitimate e-mails is to understand how to read links. Take a look at the following example:
Although the link looks like an Amazon link at first glance, if you keep reading until the first forward slash after the two forward slashes that immediately follow “http:”, you will see that the highest level domains are represented by random321.org, which is definitely not an Amazon site. If you train yourself to read links, you will have an easier time separating legitimate e-mails from fake ones.
Krebs also mentioned an important point in his post: legitimate e-mails generally have data points embedded in the e-mail, such as an order number, a price, your name, and so on. Without clicking any links or opening any attachments in the e-mail itself, therefore, you can check the authenticity of the e-mail by visiting the legitimate site via a bookmark or found via Google. If there is no feature in the site to use any of the data points in the e-mail to check the status of your order or gift, you can always contact the store’s customer service/support with the data points supplied in the e-mail. This will quickly tell you if the e-mail was fake or not.
Scenario 3: You get an e-mail about an order you didn’t actually place
This third type of scam e-mail is arguably the most devious. The attacker doesn’t even have to directly tell you to click a link or open an attachment. You may have a desire to do so simply because the e-mail says you placed an order when you actually didn’t. For example, suppose you get an e-mail thanking you for your order of $581.13. How do you investigate without clicking any links or opening any attachments?
First, do you have an account at the store that claimed to have sent the e-mail? For example, if the e-mail claims to be from Amazon.com, and you have an Amazon account, you can easily check whether any orders were placed from your account by visiting Amazon from a bookmark, a Google search, or by manually typing the URL into your address bar. Once you’ve logged in, check your list of recent orders and find out if any of them were for $581.13 around the date the e-mail was sent. If not, the e-mail is clearly bogus and you can ignore it. Another option is to contact the store’s customer service and ask the representative about orders placed around that time.
It is possible you don’t actually have an account at the store that the e-mail claims it was sent from. For example, the order confirmation could claim to be from Newegg instead, and you might not actually have an account at Newegg. First, I find it highly unlikely that if someone was using your credit card illegally they would also wish to notify you about it by specifying your e-mail (if they even know what your e-mail is). I would find it far more likely that the order never happened and that any links and attachments in the e-mail are mere bait. However, if you still want to check whether such an order was actually placed, you can contact Newegg’s support and ask if any orders associated with the e-mail were made recently.
Another way to investigate whether fraud has occurred is to simply check the records for all the payment methods you use to shop online. This method is particularly useful if the store mentioned in the scam e-mail doesn’t actually exist or can’t be found for some reason. If you shop with three different credit cards, for example, you can quickly check the statements of each one to see whether any charge of $581.13 is listed on them. If not, then the order never happened because it didn’t use any payment method that you could possibly use. It is of course a good habit to check every line in every credit card statement you get anyways, so if a fraudulent order did somehow occur, you will catch it eventually without the help of an e-mail that is most likely fake.
Aside from exploits that target the e-mail client itself like this one, malware-laden attachments and links that lead to phishing sites or malware-infested sites are the two primary ways your computer or accounts can be attacked via e-mail. However, getting a savvy user to either click a link or open an attachment requires social engineering. Fake order confirmations are just one more way this social engineering happens. If you can learn to distinguish a fake order confirmation e-mail from a genuine one, you will decrease your chances of being hacked.
There’s one final point that bears mentioning: Safeguarding your e-mail by not giving the one you use to shop with to forums and other sites that require e-mail registration can help reduce your chances of receiving one of these scam e-mails. Also, if you never use a particular e-mail to do any shopping and you get one of these messages in that e-mail’s inbox, you will immediately know it’s fake. But sometimes, nothing you do can prevent your e-mail from being obtained by a spammer. Maybe one of your trusted contacts got hacked, for example. So do what you can to keep your e-mail out of the hands of spammers, but don’t let down your guard.