“The most wonderful time of the year” is known for its generous sales, holiday cheer, and the notion of miracles around the corner. Unfortunately, it’s also a hot time for scammers, who steal personal data and money, precisely when everyone is having fun and letting their guard down.
At this time of year, Kaspersky experts identified cases of phishing built around the Christmas and New Year season of giving: scammers are disguising the theft of personal data and funds as holiday giveaways.
1. Phishing scams targeting personal accounts
Some phishing sites aim to obtain data by infiltrating users' personal social media and messenger accounts under various guises. They request information and once it is submitted, it is transmitted directly into the hands of the scammers.
One of these phishing incidents was recently reported in Singapore. Scammers created a sophisticated phishing site targeting individuals with the promise of payments in the new year purportedly from Singapore's Ministry of Finance. This deceptive site was designed to mimic the ministry's branding, giving it an air of credibility. To receive the payout, visitors were prompted to enter their Telegram account details.
Once the user enters the Telegram account details, fraudsters can then gain full access to the account, potentially leading to the digital identity theft, access to private conversations, and the ability to impersonate the victim for further malicious activity.
2. Phishing sites mimicking banks for the New Year giveaways
Another phishing technique designed to trap those who believe in miracles is a lottery featuring banks. As New Year's Eve is a time of lucrative offers and gifts, fraudsters have created phishing sites that invite users to participate in giveaways aimed at obtaining victims' bank details to steal from them.
One instance of the New Year's scam was specifically targeted at Filipino citizens. In this scheme, individuals were lured to a website where they were enticed to spin a wheel for a chance to win a sum of money. After the spin, users were shown their supposed winnings and asked to select between various banks where the alleged funds could be deposited.
After they made the selection, users found themselves on phishing sites designed to mimic legitimate online banking interfaces. This deceptive tactic was the final move in the scam, aiming to swindle the victims by gaining access to their banking credentials and ultimately their funds.
3. Fake New Year's crypto gift-boxes with no Pokémon
The stakes in the cryptocurrency market are very high. Stealing a wallet with even a few tenths of a bitcoin already brings scammers significant profit, so they put a lot of effort into creating believable phishing emails and sites, thus making it harder for the user to notice something wrong.
The fraudsters in one such case created a phishing page copying the official offer of Courtyard.io, a website that allows users to convert physical collectibles into tokens. The original Courtyard.io site invited users to register and purchase a New Year's Eve box containing a Pokémon card. So, scammers created a phishing page with the same offer, however, to receive the surprise box, visitors had to connect a crypto wallet, resulting in the theft of their funds.
“Scammers are inventive and cunning. In response we need to double check all those special offers that come through from unknown emails. Luckily, we can have a reliable ally here – a comprehensive cybersecurity solution that will protect personal data and money, and prevent malicious actors from stealing our holiday” Comments Olga Svistunova, Senior Web Content analyst at Kaspersky.
To avoid scams connected to the season of giving, Kaspersky experts share some simple tips:
1. Verify the source. Before engaging with any special offer, verify the legitimacy of the source. If it's from a known brand or organization, check their official website or social media channels to confirm the giveaway campaigns.
2. Type the URL into the address bar. Don’t open the link from the email: it could be a phishing link. Whenever there is a need to open a web site, it is always better to type its URL into the address bar avoiding any links in email.
3. Look for the red flags in the offer. Be wary of offers that seem too good to be true, like winning a large sum of money or expensive prizes with little to no effort. This is especially tricky when it comes to cryptocurrency transactions: scammers will do their best to make an offer look valid.
4. Do not share personal information. Legitimate giveaways rarely ask for sensitive personal information upfront. Be cautious of any request for details like your bank account numbers, passwords, or Social Security numbers.