A record number of people are expected to do their U.S. holiday shopping online because of the coronavirus pandemic — which means an increased risk of falling for online scams, experts say.
Steven Merrill, the section chief of the FBI's Financial Crimes section, said in a phone interview that the agency expects cybercriminals to put in extra work trying to scam people looking for Black Friday and Cyber Monday deals.
"The majority of people are going to be home, and they're going to do their shopping online more so than ever," he said.
Scams that target shoppers often rely on fake websites that mimic real online stores, similar to the kinds that target people every year. But people who are in tighter financial straits or otherwise stressed from the pandemic may be more likely to fall for them this year, Merrill said.
"One thing we've seen as a result from covid, people are economically distressed and people tend to make decisions that they wouldn't normally do because circumstances are different," he said. "People tend to lose the ability to do due diligence and be careful."
A primary way to trick people into visiting such lookalike sites is to email enticing coupons, said Mieke Eoyang, a cybercrime expert at Third Way, a security-minded think tank.
"Look out for deals that seem too good to be true that are emailed, and instead go to the website separately and see if that deal is actually on the website," Eoyang said. "Because a lot of people are going to receive emails trying to tempt them into deals that are too good to be true."
In a published guide spelling out cybersecurity basics for online holiday shopping, the U.S. Cybersecurity and Infrastructure Agency stressed that shoppers should "make sure that you are interacting with a reputable, established vendor" before sending money.
But that doesn't mean only shopping through major sites and chains is safe, said Jeremy Kennelly, manager of analysis at the cybersecurity firm Mandiant.
If a retailer is unfamiliar, that isn't necessarily a reason to avoid shopping there, but shoppers should "make sure they have a local presence, or you have some sort of touchstone that they have a grounding in reality," Kennelly said.
Scam online retailer sites don't necessarily just dupe customers out of a single purchase. They also could be designed to steal victims' personally identifiable information for the purpose of identity theft.
"A lot of criminals are looking to acquire what we call PII, personally identifiable information, whoever they can get it from. They use it to create false identities to create credit cards in other people's names," Merrill said.
Someone who may be a victim of such a scam (credit card statements may be the only notice they get) can take several immediate steps: report it to law enforcement, like the FBI; call their credit card company; and follow plans of action created by victim services like the Cybercrime Support Network.