McAfee Security Advice Center

Bad Santas are making their lists and checking them twice, gearing up to rip off consumers online with common scams that take the happy out of the holidays.

Below, McAfee reveals their dirty tricks to educate the millions of consumers worldwide who want to enjoy safe shopping this holiday season.

1. Charity Phishing Scams - Many popular charitable organizations encourage consumers to think of others during the holiday season through emails asking for year-end donations. In fact, according to McAfee’s recent holiday survey, almost 30% of US consumers plan to donate online this year.
   
   Unfortunately, hackers also know consumers are in the giving spirit during the holidays and prey on their generosity through fake charity phishing emails.
   Here’s how it works: The hackers send fictional emails that appear to be from well known charitable organizations, such as the Red Cross, the Salvation Army, and Oxfam that direct consumers to fake websites designed to steal their money. The websites are generally very professional with a fairly high amount of graphical content and a good amount of verbiage designed to make the reader feel upset or guilty. Sometimes the layout and content of these fraudulent sites are copied directly from legitimate charity websites with simply a name and a logo changed.
   
   To determine if an organization’s site is legitimate, go directly to their Website to donate. Don’t ever click on a link sent in email. To learn more about phishing, visit www.mcafee.com/advice.
   
   
2. Email Banking Scams - The current economic climate is not only forcing over 95% of us to spend less money and buy fewer holiday gifts this season, but prompting hackers to take advantage of our bank account balance concerns to bah-humbug the holidays with another common phishing scam.
   
   Financial institutions are the most common phishing scam targets. According to the Anti-Phishing Working Group, during the first quarter of 2008, 92% to 94% of all phish scams were financial-services related.
   
   With these scams, the bad guys send an official-looking email that asks consumers to confirm account information, including their user name and password. These emails often try to fool consumers into thinking that if they don’t comply with the instructions, their account will become invalid. 
   
   So remember, call your bank by telephone if you’re concerned about your account. Never give your account details out as a result of an email request or you could fall victim to a popular phish scam designed to empty your wallet. And with the stress of the holidays, your guard might just be down enough that you fall for one of these scams.
   
   
3. Holiday e-cards - Most people never consider the dangers of e-cards -- but unfortunately, there are plenty of dangers, especially during the holiday season. For example, a scam that was popular in 2007, was a New Year’s e-card that included a nasty surprise. When the consumer clicked on the link, they were brought to a malicious Website that attempted to download Trojan software.
   
   Here's another tricky example: Scammers may send you an e-card that appears as if it’s coming from Hallmark asking you to download an attachment to pick up your e-card. However, the attachment isn't really an e-card -- it's a Trojan. This particular Trojan then waits for you to sign onto AOL. If and when you do, it displays a pop-up window that looks like an AOL form, but asks you to verify/update your AOL billing info by providing your credit card, checking account info, and Social Security number.
   
   A few clues that an e-card is not legit are spelling mistakes, errors in the message, unknown senders or senders with bogus names and odd-looking URLS.
   
   Remember – if in any doubt about the legitimacy of an e-card, don’t open it. Never click on anything from an unknown source. 
   
4. Fake Invoices. During the holidays, lots of friends and families order and send gifts online. This is no secret to stealthy Scrooges who try to trick consumers into giving away personal financial details through fraud invoices.
   
   Here’s how this scam works: The bad guys create a fake invoice or waybill and send it via email as an attachment. Once the consumer opens the email attachment there are a few variations of - the recipient may be asked to confirm or cancel an order, they may be told that the parcel service was unable to deliver a package due to having an incorrect address, or the recipient may receive a customs notification about an international package.
   
   In every instance, the email either asks the consumer for their credit card details so that their account can be credited or requires the recipient to open an invoice or customs form to receive the package.
   
   Pretty tricky, huh? This kind of scam has been played on many consumers who believed they were receiving emails from FedEx, UPS or the US Customs Service but instead were delivered a deadly Trojan program or other threat that can lead to identity theft or hacker control of a computer.
   
   To protect yourself, never give your financial details over email to an unknown recipient or open a suspicious attachment. If you want to ensure you are reaching shipping sites like FedEx or UPS, open a browser and directly access the Website. Also, ensure that your Internet security software is up to date to help spot Trojans and other forms of malware if you have opened a bad attachment.
   
   
5. You’ve Got a New Friend! As the joy of the holiday season brings people together and reignites old friendships, many of us are excited when alerted with a message that says, “You’ve got a new friend!” when using popular social networking sites.
   
   Sadly, in some cases, after clicking on the notice, you NOT only do not have a new friend—you have downloaded malicious software that you can’t even detect. Of course, it’s designed to steal personal and financial information. Stay away from “friends” you don’t know.
   
   
6. Dangerous Holiday-related Search Terms. We love Santa too, but when clicking on the results of a “free Santa download” search, in addition to the Christmas-themed screensavers, puzzles, and pictures you find, you also could be clicking on adware, potentially unwanted downloads, and spyware.
   
   In fact, McAfee’s free and award-winning safe search tool, McAfee® SiteAdvisor®, found that all of the following holiday-related search terms are risky:
   
   
   • Free Santa holiday screensaver
   • Free holiday screensaver
   • Free Christmas screensaver
   • Free holiday downloads
   • Christmas tree download
   • Free Christmas wallpaper
   • Santa wallpaper
   • Santa screensaver
   • Santa ringtones
   • Santa mail download
   • Santa download
   • Free Santa music downloads
   
   When searching for fun holiday-themed downloads, make sure your holiday searches are guided by McAfee SiteAdvisor software– the simple green, yellow and red rating system will help you avoid any unwanted gifts you may get along with your Christmas downloads.
   
   
7. Coffee Shop Cybercriminal. While everyone enjoys a warm gingerbread latte while surfing the Net at their local coffee shop, most are not aware of the dangers in surfing on unsecured networks. Attackers can jump on an unsecured wireless Internet connection with a program called a packet sniffer to see what Websites users are visiting, the passwords they are using, and what bank accounts they are accessing.
   
   Also, an attacker might set up a rogue wireless access point nearby a coffeehouse. If somebody unwittingly connects to the attacker’s network, the miscreant can watch just about everything that goes on while that connection is in use and can redirect traffic, sending the unknowing user to the dark alleys of the Internet.
   
   McAfee advises consumers to make sure they have updated security software including a firewall, they’ve updated the patches on their system—and most importantly, they check bank accounts and shop online from a known, secure wireless Internet connection.
   
   
8. Password Stealers. The McAfee holiday shopping survey found that 53% of consumers admit they use the same password for multiple websites or online services. Consumers need to know that free and low-cost tools exist that make it easy for bad guys to guess passwords and hack into users’ PCs. That’s a holiday visit no one wants.
   
   McAfee Labs found that attackers go after passwords for banks and e-commerce sites, multi-player online role playing games, instant messaging and finally, social networking sites.
   
   As tricky as getting malware that’s delivered invisibly via spam, consumers could get a password stealer downloaded to their PC without even knowing it.
   
   By using the same password, an attacker only has to nab one password to hit all of a user’s accounts. So this holiday season, be sure you use have an updated comprehensive security software suite to help prevent access to password-stealing malware. This includes anti-virus, anti-spyware and a two-way firewall. Remember to check to make sure your subscription software is current – and not just trial software that might be expired.
   
   In addition, create complex passwords such as: $aNt@IsRe@l or H@PPyH0l!d@y$. Check out these tips on how to create safe passwords.
   
   
9. Fraud via Auction Sites. As nearly 40% of American consumers are expected to visit auction sites to find gifts this holiday season, shoppers must be aware of scammers who will use the increased activity of the holiday season to prey upon new victims. Be sure to read the security and safety policies from such sites as eBay. You’ll learn how to protect your account and buy safely
   
   eBay’s Online Safety Advisor, Rich LaMagna, recommends the following:
   
   
   • Use your common sense. If an item looks too good to be true, it probably is.
   • Carefully review the seller’s ratings and feedback to be sure that he or she has a positive rating. Learn more about the item before bidding on it by carefully reading all of the information in the item listing, including the seller's policies.
   • Pay with a safe payment method such as PayPal or your credit card. These methods offer the most protection for buyers should something go wrong with the transaction. To learn more about eBay’s Buyer Protection Program, click here.
   
   
10. Holiday-themed Email Attachments and Spam - The bad guys know that emails with holiday-inspired subject lines are intriguing to most consumers. The recent McAfee holiday survey found that 49% of consumers have opened or would open an email with a holiday themed attachment.
    
    Consumers should beware of emails that prey upon their holiday spirit, inviting them to look at homes bedecked with lights or PowerPoint presentations with vague holiday-related subjects. For example, last year an email made the rounds with a Microsoft PowerPoint called “Christmas Blessings” that contained malicious software.
    
    Some examples of subject lines bad guys use to lure consumers into opening a friendly-looking email are “happy 2008 to you!”, “happy 2008!” and “new hope and new beginning”. Be wary when you see these titles and don’t open attachments with odd-looking URLs.
    
    
11. Online Identity Theft - Online shopping offers the 3 Cs: cost, convenience and choice, but there’s one more we learned about from the McAfee Shopping Survey: concern.
    
    90% of consumers have some level of concern about shopping online. Unsure of where to shop, they rely on friends and family to determine the safety of a website, but friends can only advise on personal experiences, and some sites may have security issues that aren’t readily apparent.
    
    For example, sites that store your personal information can be vulnerable to cybercriminals who hack in to steal your identity. In fact, research shows that as many as 80% of websites have known vulnerabilities.
    
    McAfee can help. The McAfee SECURE™ trust mark appears on more than 80,000 sites that pass daily testing for more than 10,000 known hacker vulnerabilities. Your personal information is safer on sites tested by McAfee SECURE because daily scanning for known threats can prevent Websites from falling prey to the vast majority of hacker crime. Only valid sites that pass the McAfee SECURE service of daily testing can display the trustmark.
    
    
12. Laptop Theft.
    And the last way the bad guys can take the merry out of your Christmas is by outright stealing your laptop! According to the FBI’s State of the Net Report (2007), chances of having a laptop stolen are 1 in 10, and according to the research firm Gartner, 97% of laptops are never recovered.
    
    While you are out enjoying the festivities of the season, make sure to be particularly vigilant at this time of year and never leave your laptop in sight in your car.
    
    For further protection, be sure to purchase a product that safeguards important files – including photos, music and bank/credit card statements, in the event your laptop is stolen. One such product is McAfee Anti-Theft File Protection software.

The above does not constitute an association with, or endorsement of the information, products or services contained herein, nor has it been authorized, sponsored or otherwise approved by Microsoft Corporation, Salvation Army, Oxfam, Hallmark, AOL, FedEx, UPS, US Customs Service, eBay, PayPal, Anti-Phishing Working Group, FBI and/or Gartner.

McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners. © 2008 McAfee, Inc. All rights reserved.