Ah, the holidays. Time to relax, overeat, and brawl with strangers over “discounted” kitchen appliances. Remember the smoothie blender from last year? How many times did you end up using it, huh?

It’s the most wonderful time of the year.

But, while most are clocking out and winding down, another, less jolly workforce is clocking in and ramping up for their own busy season: digital con artists.

Every year, thousands of people fall victim to holiday-themed scams and collectively lose millions to cyber grinches.

Delivery anxiety

Next year I won’t buy gifts last minute. It’s already October. Better luck next year.

This holiday season, global digital sales are expected to reach $1.25 trillion in November and December alone. Consumers within the U.S. will contribute about $270 billion to this total and generate 2.3 billion packages for Santa to distribute.

As toys are delivered door-to-door, scam messages will be delivered inbox-to-inbox. It is highly likely you’ve already been targeted in a delivery scam and have received a text message or email claiming there has been an issue in-transit.

Source: AARP

And although you may ignore these messages throughout the warmer months, the congestion of postal routes during the holidays increases both the legitimate chance of delays and the illegitimate credibility of scams.

To the readers of this blog, the tell-tale signs may be clear. You would never click on those links or submit any information. However, to those less security-conscious, this attack vector remains disturbingly convincing.

In an analysis of DNS traffic from October 2023 to February 2024, Akamai researchers found that the number of queries to the legitimate usps[.]com domain was virtually equal to the number of queries that resolved to malicious domains impersonating the United States Postal Service.

During peak hours, the number of people who visited the phishing domains even exceeded the visits to the official USPS web app.

Source: Akamai

To make matters worse, Proofpoint research conducted last year discovered that, of the top 50 online retailers in the United States, 40% were not using the Domain-based Message Authentication, Reporting & Conformance (DMARC) ‘reject’ policy to actively prevent spoofed emails that use official company domains from reaching customer inboxes.
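What a ‘reject’ policy looks like in practice can be checked from the TXT record a domain publishes at `_dmarc.<domain>`. The sketch below is an added example, not code from Proofpoint or from this post: it classifies record values by enforcement level and flags the two common gaps (`pct` below 100 and a weaker `sp` subdomain policy). The domains, sample records, and function names are constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level (offline).
# Constructed sample data; the domains are placeholders, not real retailers.
SAMPLE_RECORDS = {
    "shop-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example",
    "shop-b.example": "v=DMARC1; p=quarantine; pct=50",
    "shop-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop-c.example",
    "shop-d.example": "v=DMARC1; p=reject; sp=none",
    "shop-e.example": None,  # no TXT record at _dmarc.shop-e.example
    "shop-f.example": "v=spf1 include:_spf.shop-f.example -all",  # SPF, not DMARC
}
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly "DMARC1".
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt):
    """Return (level, warnings) for one _dmarc TXT record value."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no DMARC record: spoofed mail is not filtered by DMARC"]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        policy = "none"  # receivers do not enforce an absent or invalid p= tag
    warnings = []
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        warnings.append(f"pct={pct}: policy applies to only part of failing mail")
    sub = tags.get("sp", policy).lower()
    if sub in POLICIES and POLICIES.index(sub) < POLICIES.index(policy):
        warnings.append(f"sp={sub}: subdomains are less protected than the domain")
    return policy, warnings


def share_not_rejecting(records):
    """Fraction of domains whose own policy is anything other than p=reject."""
    levels = [classify(txt)[0] for txt in records.values()]
    return sum(level != "reject" for level in levels) / len(levels)
```

In a live check, the record value would come from a TXT lookup of `_dmarc.<domain>` instead of the constructed dictionary.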

Puppy scams

Yes, you read correctly: Puppy. Scams.

While these types of scams aren’t new, or exclusive to animals that bark, “puppy scams” became increasingly common during the COVID-19 pandemic, when the soaring demand for dogs made them a lucrative criminal scheme. In 2020, pet scams represented 26.3% of all online purchase scams reported to the Better Business Bureau.

The scam involves advertisements for adorable puppies and other pets, claiming they’re available for sale or adoption.

At first, “sellers” may be quick to respond, send additional cute photos, share heartwarming backstories, or offer sought-after breeds at a discount. By building trust and preying on emotions, scammers trick victims into paying for an animal that either doesn’t exist or will never arrive.

In more sinister cases, communication continues past the initial payment. Once victims are both emotionally and financially invested, the fraudsters string them along, demanding additional payment for ‘unexpected’ expenses such as additional paperwork, transport fees, vaccinations, or emergency veterinarian care.

On April 11th, 2022, Google LLC filed a legal complaint against Nche Noel, accusing the Cameroon resident of utilizing a network of fraudulent websites and Google services to carry out a puppy fraud scheme. The complaint cites a case in which a victim was scammed out of $2,200.

Although reports of this scam have declined since their 2020 peak, they’re still prevalent and pervasive. More recently, in just the first nine months of 2023, the IC3 received 3,500 complaints related to puppy scams that converted compassion into $6.6 million in losses.

Currently, there are over 30,000 pet websites that have been marked as fraudulent on PetScams.com.

Charity

In yet another cold-hearted demonstration, scammers will also capitalize on the elevated levels of generosity during the holidays by masquerading as charitable organizations to steal donations or sensitive information.

Shockingly, nothing seems to be off-limits. Scammers will display complete moral bankruptcy to avoid financial bankruptcy. Tragedies like wildfires, hurricanes, breast cancer, and impoverished children have all been used as fronts for exploitation.

In 2022, Ian Hosang was indicted on charges of grand larceny, identity theft, and conducting a scheme to defraud. Allegedly, he had stolen over $152,000 in donations meant for his network of fraudulent cancer charities. However, further investigation into the case revealed that this was not an underground operation. Hosang had 76 nonprofits approved by the IRS, including the 23 used in the scheme, despite multiple red flags. Had the agency done its due diligence, it may have found that Hosang had a criminal history. In March of 1999, he pleaded guilty to federal conspiracy and money laundering charges in a stock manipulation case in which he was accused of hanging a man by his feet out the ninth-story window of a skyscraper—a scene that was depicted in the 2013 movie The Wolf of Wall Street.

Last year, the FBI received more than 4,500 complaints reporting approximately $96 million in losses to fraudulent charities, crowdfunding accounts, and disaster relief campaigns.

“Couldn’t be me”… or could it?

We would all like to think so, yet the numbers say otherwise.

In a survey of 9,397 adults in the US, 73% report that they have experienced at least one online scam:

  • 48% claim threat actors have stolen their payment information to make fraudulent purchases.
  • 36% have purchased an item online that was either counterfeit or was never delivered and weren’t refunded.
  • 24% admit to giving away personal information in scam emails, text messages, or phone calls.
  • 10% have been victims of a ransomware attack.
  • 7% have given money online to fake investment opportunities.

Last year, consumers lost more than $12.5 billion to fraud—a 25% increase over 2023.

Yet, that’s just the reported total. Among those surveyed who have lost money, nearly three-quarters say they never contacted the authorities.

Across all age groups, the vast majority pointed their fingers at the elderly when asked who was most likely to fall for a scam. Yet about a quarter of 18- to 29-year-olds say they’ve lost money online, while only 15% of those over 65 say the same.

However, when older adults are swindled, the reported losses are significantly higher. In the past few years, the combined losses reported by older adults who have lost $100,000 or more in impersonation scams have increased eight-fold, from $55 million in 2020 to $445 million in 2024.

Keep your holiday cheer

Between gift shopping, end-of-the-year deadlines, travel plans, and awkward reunions with distant relatives, it’s easy for online security to become an afterthought. So, enjoy the festivities but stay vigilant because scammers know procrastination is as seasonal as the weather.

Santa double-checks his list and so should you. Verify everything. Double-check URLs, don’t pay for puppies in Amazon gift cards, and make sure the organization you’re donating to is official.

Compared to Cyber Monday deals, a healthy level of paranoia will save you even more money this holiday season.

Thanks for tuning into Bugcrowd’s Cybersecurity Awareness Month blog takeover! We hope you’ve enjoyed the extra content all month long!