Holiday Email Hoax Reminder
As if the year couldn’t get any crazier, I’ve encountered more sophisticated hoax emails than in years past. Many target the services and products we rely on or seek during the holiday season, and they’ve become pretty convincing.
If you haven’t noticed, more emails are being sent for the holidays this year. Due to Black Friday, Cyber Monday, and other sales and specials to encourage online shopping, we are flooded with emails. There are sales, sales before the sales, and more sales even after the regular dates. My inbox has been evidence of that for the past couple of weeks, and it’s not stopping.
Holiday Emails and Scammers
I don’t know about you, but I was at the point where I just started deleting anything that had Black Friday or Cyber Monday in the title. I’ve unsubbed from those who sent so many that it was downright annoying. It was becoming exhausting.
With all that extra activity combined with more folks purchasing online, hoaxsters know how to take advantage of the fact that you are pressed for time, overwhelmed, or not paying attention as you should.
Common are hoax emails disguised as order confirmations, financial alerts, and “feel good” forwards so that they can be more easily propagated. Phony order or invoice emails that claim to need your immediate attention look just like the real thing.
Your first instinct is that something isn’t right, but the phrasing suggests you must check this out—right now!
Pause and take a breath first.
First, let’s check out the little details.
Before forwarding any email or clicking on any links or attachments that claim to be important, you need to vet that email. Before reacting, it is worth the extra effort to ensure it is not a hoax or a scam.
This effort can prevent you from unknowingly installing malware or inadvertently providing payment or personal information you will regret later.
Don’t Click “Phishy” Links!
phishing: n
The practice of luring unsuspecting Internet users to a fake website by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a website replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords.
These scammers aim to get you to click a link or call a phone number. Do not click on any links or attachments until you verify the sender. Even if the email looks legitimate, double-check whether the clickable links are valid.
No matter what the Subject: field states or the message implies, look at the underlying email address. Mouse over the link and look at the status bar at the bottom of your window. Does the address shown there match what is displayed in the email? Most likely not.
Hoaxsters have become pros at making emails look like they are from legitimate contacts or companies (UPS, Amazon, PayPal, BestBuy, virus software, financial institutions, etc.). They steal logos and images to make their emails look just like what you’d expect.
When you see that the link is directed to a strange or different URL, you can immediately determine if it could be trouble. But even with that, hoaxsters are very clever at making the underlying URL look legit(ish), too.
Here’s How to Investigate the Underlying Link Code
Let’s use Amazon as an example:
In the cases above, the only credible domains are when “amazon” is directly before the dot com or dot whatever. Noting “amazon” anywhere else is dubious at best.
When you see website URLs with the company name, don’t assume the domain is safe if it differs from what you usually see. If you have even the slightest doubt, do not click on links and go directly to the website as you usually do.
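One way to automate the two checks described above: whether the address displayed in the email matches the real destination, and whether the brand name sits directly before the domain ending. This is an added example, not the author's code; the function names, the trusted-domain set, the short suffix list and the sample links are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; use the full list in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Visible link text that itself looks like a web address (optional scheme, host, path).
URLISH = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?")

def registrable_domain(host):  # label directly before the domain ending, plus the ending
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def vet_links(html, brand, trusted):  # -> [(href, reasons)]; empty reasons = passed
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        host, reasons = urlsplit(href).hostname or "", []
        if brand in href.lower() and registrable_domain(host) not in trusted:
            reasons.append("brand is not directly before the domain ending")
        shown = URLISH.fullmatch(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("displayed address differs from the real destination")
        results.append((href, reasons))
    return results

# Constructed sample email body; the .example hosts are reserved names, not real sites.
SAMPLE = """
<a href="https://www.amazon.com/gp/your-orders">View your order</a>
<a href="https://amazon.com.order-check.example/login">www.amazon.com</a>
<a href="https://amazon-billing.example/invoice">Review invoice</a>
<a href="https://billing.example/amazon/update">Update payment</a>
"""
```

Calling vet_links(SAMPLE, "amazon", {"amazon.com", "amazon.co.uk"}) passes the first link and flags the other three; the second link fails both checks because its visible text shows one address while the link goes to another.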
The thing is, anyone can register a domain name. While you are not supposed to buy or use domains of other companies’ brands and trademarks, that doesn’t stop the bad guys. They’ll use them until they get caught.
What else should you look for in dubious links?
There was a time when you could see who owned a domain by looking it up. However, due to privacy concerns, that information is now usually hidden.
When in doubt, go to the primary domain you usually use. Check your user dashboard on the legitimate site to see if any alerts or messages require your attention. No alerts? That email was most certainly a scam.
If you see a link that ends with the following — definitely don’t click on it:
If you see anything tacked on the end other than a typical domain ending, that’s a “Danger, Will Robinson!!” moment. That email could lead to you downloading/executing a trouble-making script onto your system.
Do not forward emails that contain nefarious links, because the person on the other side could click on them. If you forward a hoax email, you can’t be trusted on future forwards.
Don’t get mad if someone points out you were duped and passed it on. Learn from the experience, thank them for letting you know and for their patience, and don’t do it again.
If you don’t want to confirm an email’s legitimacy, just hit delete.
Hoax Vetting and Info Websites
A handful of websites were truth detectors and hoax exposers in the past. They then lost their way.
VerifyThis is one website that doesn’t seem overly influenced by ideology—as of now. But that could change, as it has for many sites in the past. If you know of other reliable hoax-buster websites, please let me know so I can check them out.
Be safe out there…