By Jon Munshaw.

Attackers will resort to all tactics to trick users into downloading malware, handing over credit card data or completely compromising their machine.

No topic is off-limits, and threat actors have resorted to using everything from PlayStation 5 sales, to COVID-19 cures and news on nuclear weapons as part of their lures over the past year. And these spam attacks will only ramp up over the next month as consumers across the globe shop online for the holidays.

Adobe Insight’s recent “Holiday Shopping Forecast” predicts that spending for e-commerce will top $200 billion during the holiday season for the first time ever. The report also specifically warned that there will be supply chain shortages this year due to the pandemic, which is likely to force online shoppers into long virtual queues or push them to shop even earlier than usual. While consumers always need to be diligent during the holiday season, supply chain issues this year linked to the COVID-19 pandemic could create even greater challenges and inspire new cyber scams, especially with popular video game consoles and other electronic products in short supply.

News is likely to move quickly around online shopping scams and cyber attacks starting the week of Thanksgiving, so this should serve as a hub for all of Talos’ advice to stay safe while shopping online this holiday season.

For some quick-and-dirty tips, listen to the Talos Takes episode we recorded last year around this time where we provide a general overview of how to stay safe when shopping online. This is advice that applies any time you are shopping online, not just during the holidays.

We’ll also have a new Talos Takes episode releasing the week of Thanksgiving and Black Friday that covers specific threats shoppers could see this year with additional complications around the supply chain and the pandemic.

In the meantime, you can watch Nick Biasini’s appearance on a local CBS station in North Carolina. The head of Talos Outreach discussed how supply chain shortages are fueling scams this holiday season. Nick also joined WXYZ in Detroit for an interview, where he provided seven simple tips everyone can follow to avoid holiday shopping scams.

For defenders, be on the lookout for top-level domains like .top, .stream, .trade and .bid, which are traditionally responsible for the majority of spam emails Talos sees during this period.
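As an added illustration (not code from Talos or from this post), the following Python snippet shows how that TLD hint can be turned into a triage check over raw messages: it parses the `From:` header, ignores the display name (which a spoofed sender controls), and flags the message when the sending domain's TLD is one of the four named above. The sample messages are constructed for this example, and the function and constant names are my own.

```python
"""Flag inbound mail whose sender domain ends in a TLD that the post names
as historically responsible for most holiday-season spam.
Added illustration, not Talos code; sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# TLDs named in the post as responsible for the majority of holiday spam.
SUSPICIOUS_TLDS = {"top", "stream", "trade", "bid"}


def sender_tld(raw_message: str) -> str:
    """Return the lowercase TLD of the mailbox in the From: header.

    The display name is deliberately ignored: a spoofed sender may read
    "Holiday Deals" while the real mailbox sits under a .top domain.
    Returns "" when there is no usable address.
    """
    msg = message_from_string(raw_message)
    _display_name, address = parseaddr(msg.get("From", ""))
    if "@" not in address:
        return ""
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    return domain.rsplit(".", 1)[-1]


def is_suspicious_sender(raw_message: str) -> bool:
    """True when the sender's TLD is on the watch list."""
    return sender_tld(raw_message) in SUSPICIOUS_TLDS


# Constructed sample messages (not real spam samples).
SAMPLES = [
    'From: "Holiday Deals" <promo@giftsale.top>\nSubject: 80% off consoles\n\nBody',
    'From: Retailer <orders@example.com>\nSubject: Your order\n\nBody',
    'From: "Flash Sale" <win@prizes.sub.stream>\nSubject: You won\n\nBody',
    'From: Support <help@example.co.uk>\nSubject: Ticket update\n\nBody',
]


def triage(messages):
    """Return (sender_tld, flagged) for each message in a batch."""
    return [(sender_tld(m), is_suspicious_sender(m)) for m in messages]


if __name__ == "__main__":
    for tld, flagged in triage(SAMPLES):
        print(f"tld={tld!r:10} flagged={flagged}")
```

The TLD is a coarse signal, so a mail gateway would normally combine it with SPF/DKIM/DMARC results and reputation data to raise the message's spam score rather than rejecting on the TLD alone; the check above is the feature extraction, not the verdict.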

Here are some other important tips for avoiding holiday shopping scams:

  • Only download apps from trusted and official app stores like the Google Play store and iOS App Store.
  • Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features.
  • Some malicious apps will try to masquerade as a legitimate version of the one you may be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, poor performance and a developer contact that uses a free email service (such as @gmail.com).
  • Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening them.
  • Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals.
  • Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure.
  • Use complex passwords that are unique to each site. Attackers commonly reuse a leaked password to compromise multiple accounts that share the same username. Use a password locker if you have a hard time creating and remembering secure passwords.
  • Manually type in URLs to sites you want to visit rather than clicking on links.
  • Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access.