How to Spot and Avoid Shopping Scams This Holiday Season


John Martindale, Cyber Security Operations Supervisor

Protect your identity and money this season by watching out for these sneaky tricks with help from Holiday-Shopping Harry.

The winter twilight arrives in the early evening as a long day of holiday shopping winds down. Harry has been to so many stores today, and one more stands between him and a holiday movie with a cup of cocoa. As his wife browses, Harry sits and rests his legs.

He opens a social media app on his phone and begins scrolling. Harry’s attention jumps second by second to each new post until an ad catches his eye. He presses the ad, expanding it to full screen.

On his screen, saloon doors bust open, and an apron-clad mustached cowboy emerges to proclaim, “Howdy partners, I’m here —” Harry quickly realizes his phone volume is too loud and looks around as he rapidly presses the volume down button. Harry slightly sinks into his chair, self-conscious about the commotion he may have just caused. He refocuses on his muted phone and thinks to himself, “Wait a minute — he looks familiar. Isn’t this cowboy a famous actor? There’s no way they got him for this ad. Oh my goodness, it IS him. What is this ad even for?” With an awkward blink and a youthful cheeky smile that mismatches his withered crow’s feet, the cowboy answers. Subtitles speaking for him, he (silently) belts, “Ricochet Waffle Maker! Only $59.99 after shipping. Click the link in the video description to place your order.”

Harry can’t believe it! Only $59.99? He would have loved to pick up a waffle maker for his parents earlier during the shopping day. However, this model, or at least what he thinks is this model, was double the price. He thinks for a minute. Something about this cowboy fella isn’t right. He rewatches the video. The cowboy is blinking way too much at odd intervals and then goes a very long time without blinking. Harry also compares the cowboy’s young-looking cheeks and lips with his old eyes. The more he watches, the more unsettled he becomes.

Deepfakes

Eureka! Harry realizes he has just encountered a deepfake. A deepfake is an algorithmically generated video that replaces the likeness of one person with another to make a video look authentic. The signs that Harry used to identify the deepfake, including odd blinking patterns and mismatched age of skin, are among several that MIT identifies as reliable ways to uncover deepfakes.[1] Over the course of 2023, 60% of consumers reported seeing a deepfake video.[2] In this case, the creator of this ad unethically used the likeness of a celebrity to dupe people into buying a waffle maker.

Was this waffle maker authentic or could it have been too good to be true? Had Harry clicked the link and purchased the waffle maker, he could have inadvertently provided his credit card info and never received a product. He also may have been asked for his password to a shopping site, which could then be used to place unauthorized orders. The Better Business Bureau includes online ad scams in its “online purchase scams” category and, according to the BBB Scam Tracker 2023 Report, online purchase scams were listed as the “third riskiest” with “the highest percentage of reports to BBB Scam Tracker (41.9%) and the second-highest percentage of reports with a monetary loss (susceptibility). Additionally, more than 82% of those who reported being targeted by online purchase scams lost money. The median dollar loss for this scam type dropped from $100 in 2022 to $71 in 2023.”[3]

Out of curiosity, Harry opens his browser and searches for “Ricochet waffle maker.” The product does not exist, but there is a product called the Ricochef Waffle Master, which costs $120 on the vendor’s website. Just as Harry finishes his investigation, a text message notification pops up. The text comes from a number he does not recognize and reads, “Your pakage arrived at the warehouse but could not be delivered due to incomplete address information. Kindly, update your address.” Below the body of text, with its spelling error in the word “package,” sits an unintelligible link clearly not related to any known delivery service.

Smishing

Though Harry recently placed several online orders for gifts, he quickly identifies this text as a “smishing” or “SMS phishing” attempt. Once again, had Harry clicked the link, he could have been asked for a username and password from a seemingly authentic delivery service website. Many people reuse passwords across services, meaning that one compromised password could lead to a whole series of breaches. Luckily, Harry has complex, unique, randomly generated passwords for each service stored behind a password vault. His password vault saves him the trouble of remembering lots of passwords and makes him more secure.

On top of incurring a potential password breach, he could have been directed to a website to install a “package tracking application.” Though controls exist to prevent downloading applications from mobile web browsers, it is still possible, though inadvisable, to install a mobile application from outside the Apple App Store or Google Play Store, as such applications could be malicious.

Curious about the statuses of his legitimate packages, Harry checks his email for official notifications from the vendors from which he ordered packages. He’s thrilled to learn that a gift for his kids has arrived! He also verifies that no vendor has attempted to reach him with an “incomplete address information” request. For extra measure, Harry forwards the smishing message to the FTC at 7726. He uses an iPhone, so he also holds his finger over the message and clicks “delete and report junk.” If Harry were on an Android, he could move the message to his “Spam & Blocked Folder.”[4] Thanks to these actions, Harry avoids joining the 320,000+ Americans who, since 2021, have fallen prey to smishing attacks, according to a report by SmallBusiness.[5] A publication by TechReport reveals that these victims and others have collectively lost $86 million to smishing attacks since 2019.[6]

“When will these scammers ever stop?” Harry thinks to himself just as his phone begins to buzz. The call comes from a local number, so Harry picks up the phone.

“Hello, this is Harry.”

“Hi Mr. Harold, this is Alexis from the County Humane Society. Do you have any pets?”

“Yes, I have a cat named Fido.”

“Adorable! Mr. Harold, did you know that thousands of pet owners in our county will be unable to buy holiday gifts for their pets this year?”

“Uh... I did not.”

“I see that you donated last year. Would you like to donate this year?”

Harry had donated last year to his local Humane Society around the holidays to support adoption drives. Yet, if this truly were the Humane Society, wouldn’t they know if he had a cat? Harry is suspicious but hesitantly replies, “Sure.”

“Great! Thank you for your generosity. We will need you to purchase some gift cards from the local pet store, scratch off the codes, and send the codes to [email protected]. Can you do that for our furry friends?”

Gift cards? What reputable nonprofit accepts donations in the form of gift cards? None, according to Harry’s astute perception. He hangs up the phone. Harry avoided this scam by noticing the scammer’s vague cause and method of donation. The caller ID likely displayed a local number due to a tactic called “spoofing,” where scammers can easily alter the number that their call appears to come from.

Spoofing and Scam Calling

The Australian Government’s Scamwatch reported $107,000 in losses and 358 reports between January 1, 2024 and August 21, 2024 resulting from charity scams.[7] Though statistics specific to charity scams for the United States were hard to find, the Better Business Bureau revealed that the gift card scam, a tactic employed in the call to Harry, has accumulated losses of $690 million with 177,074 reports between 2020 and late September 2023.[8] Yet another tactic employed here, “vishing,” “voice phishing,” or “scam calling,” has caused nearly 56 million Americans to lose money in 2023 per TrueCaller’s U.S. Spam and Scam Report.[9]

Harry quickly spotted this scam because of the odd request from the caller. The FTC asserts that reputable charities will not ask for donations in the form of cash, gift cards, or money wires. Charity scammers know that people feel more generous during the holiday season and may also employ urgency and guilt to bait their victims into giving up their money. When pressured about vague requests, many will attempt to divert the conversation. The FTC advises conducting independent research before donating to charities. Charity Navigator, Charity Watch, give.org, and the Better Business Bureau may be useful guides in vetting the authenticity of a charity.[10] If Harry had donated to the fraudulent County Humane Society, he could have reported the scam through the FBI’s Internet Crime Complaint Center, the Disaster Fraud Hotline at 1-866-720-5721, or his state’s Consumer Protection Office.[11]

Thankfully, today, Harry will only be donating his time to his shopping efforts (and a reputable charity after he has conducted his research). He sighs in relief. Today, Harry has braved social media ad scams, smishing, and charity scams on top of the busy stores. Grinning at his wife, proud of his security awareness and bountiful shopping haul, he opens his mouth to recount his feats. She smiles and interjects, “Hey, can we hit one more store on the way home?” Like holiday scams, holiday shopping never ends.


[1] Detect DeepFakes: How to counteract misinformation created by AI
[2] Jumio 2024 Online Identity Study
[3] 2023 BBB Scam Tracker Risk Report
[4] FTC: How to Recognize and Report Spam Text Messages
[5] Tech Report: 60+ Smishing Statistics in 2024
[6] Tech Report: 60+ Smishing Statistics in 2024
[7] Australian Government: Scams Awareness Week 2024
[8] BBB Study: Growth of gift card scams causes retailers to innovate solutions
[9] U.S. PIRG Education Fund: Ringing in Our Fears 2024
[10] FTC: Donating Safely and Avoiding Scams
[11] American Bankers Association: Charity Scams

This material is being provided for educational and informational purposes only. D.A. Davidson & Co. is a registered broker-dealer and registered investment adviser that does not provide tax or legal advice. Information contained herein has been obtained by sources we consider reliable but is not guaranteed and we are not soliciting any action based upon it. Any opinions expressed are based on our interpretation of the data available to us at the time of the original article. These opinions are subject to change at any time without notice. Copyright D.A. Davidson & Co., 2024. All rights reserved. Member FINRA and SIPC.
