Twitter Chat held 10 November 'Cyber SOS: Shop Online Safely #GCAchat

Aiming to grab a bargain on #BlackFriday or #CyberMonday? But with it increasingly being used by cybercriminals, scammers and fraudsters @GlobalCyberAlln decided to hold a Twitter Chat alongside @GetSafeOnline @EC3Europol @TakeFive @RH_ISAC @SBRC_Scotland @scamadviser @Cyber_Readiness @APWG_EU @quad9 @cybersupportnet @EMEA_GCA and @CarpeDiemCyber to help ensure a safe and happy online experience - for all legitimate buyers and sellers!

Here is the Q & A transcript (with many of the #'s removed for ease of following).

We are extremely gratefully to all the participants for their valuable contributions - hopefully we have accurately replicated the responses - the questions and answers came fast and furious!

Feel free to continue the chat here!

Q1. What are purchase scams and can you share some examples?

@EC3Europol Scammers will lead you to fake websites through unsolicited emails and pop-up windows offering #2good2btrue deals. Remember: don’t open attachments or click on embedded links, even if they appear to come from a trusted merchant.

@GetSafeOnline Goods that don’t exist, they range from hard-to-find presents or the latest tech to event tickets. They often appear on social media pages or auction sites and you’re asked to pay by bank transfer. Your purchase doesn’t arrive and the advertiser disappears

@TakeFive Criminals may pose as sellers, posting ads for goods/services at very low prices on auction sites or social media. Once payment has been made, often through bank transfer, the item isn’t delivered and contact with the seller ceases. There are lots of fake ads for pets/motor vehicles circulating, with lockdown restrictions used as the reason people are unable to view their purchases first. More people are also being tricked into buying DIY equipment that doesn’t exist

@RH_ISAC Criminal activities targeting purchases abound because the skill/infrastructure barrier to cash in via a criminal exploit can be relatively low with a relatively high payout, especially when applied over many transactions. One example is injecting code allowing the skimming of customer-sensitive payment details (identity, credit card info, etc.) from a legitimate online transaction. Those credentials can be used for a fake purchase elsewhere or sold to other criminals. -Carlos Kizzee, RH-ISAC

@scamadviser We see as most scammed products fashion brands, but also products people will not complain about such as viagra, adult dating and wigs!

@SBRC_Scotland Purchase scams are when a seller deceives a buyer into paying for something that either doesn’t exist or does not function as described. An example of this would be purchasing something suspiciously cheap from someone through an untrusted website

@APWG_EU This scam tempts the victim to buy a product or service offering low prices. When the victim transfers the payment to the “seller”, he never receives the item. Always check the legitimacy of the vendor before making any online payment.

@Cyber_Readiness Purchase scams most often involve online retailers pretending to be legitimate sellers, using fake websites and low prices to trick buyers into giving their online payment details, which are later used by scammers to withdraw money.

@cybersupportnet Online purchase scams occur when you pay for something that’s been advertised to you and it never shows up; from puppies, rental homes, event tickets, etc. These types of scams are common on public marketplaces

@CarpeDiemCyber Purchase scams focus on frauds around online sales, not delivering a paid for good or service, ordering something and not paying, or getting a fraudulent refund.

Q2. What are the warning signs I should be aware of when buying goods/services online?

@scamadviser Most important: if it is too good to be true, it usually is. Other signals: no contact details, no social media presence, no paypal/credit card payment options, bad grammar/spelling, etcetera…Also check the website age, where the site is actually hosted, and reviews from several review sites. You can do this for example on scamadviser.com.

@GetSafeOnline It could be that something’s available where you know it’s sold out everywhere else. Or, but not necessarily, that the price seems a little, or much too low. And being asked to pay by bank transfer could be a real telltale sign

@EC3Europol You can spot some warning signs by always checking:
The reviews and ratings of the website and the products available
The service terms & conditions (e.g. return policy, delivery costs, taxes)
That the merchant’s contact details are provided.

@RH_ISAC As a consumer, leverage the same type of trust online that you would if you were going to make a purchase from a brick-and-mortar establishment… Don’t go to seedy establishments! Ask yourself: Is the seller a known & reputable commercial enterprise? Does the website URL start with https? Is there a closed padlock in the URL field? Is there something about the transaction that seems commercially too good to be true? -Carlos Kizzee, RH-ISAC

@quad9 Don’t do holiday shopping on non-secure wifi networks like cafes or public transportation. If you must, though, use DNS encryption or a VPN to protect yourself. Quad9 offers a free app for android users. quad9.net/quad9-connect-…

@TakeFive Offers/prices that seem “too good to be true” can be tempting, but it’s important to be wary as they could be a scam. Additionally, if you’ve been asked to pay by bank transfer instead of using the online platform’s secure payment options this should ring alarm bells

@SBRC_Scotland Look for site encryption, meaning the connection between the site & your device is encrypted & secure. If the site’s not secure, it’s not safe to buy from. Also pay attention to the overall look of the site, does it have a section for customer feedback? Does it have legitimate contact details? Does it feel professional? Use your intuition

@APWG_EU Think before buying: If a product/service is too cheap and no one else is offering it, someone is probably trying to scam you.

@Cyber_Readiness 1.Make sure the retailer lists a physical address and phone number. 2.Conduct a simple web search to compare price tags; this will help you determine whether a bargain you find is a realistic one. 3.Grammatical errors are another sign of a potentially fake site.

@cybersupportnet RED FLAGS:
The seller asks you to wire money
The seller asks that you pay for the good/service sight unseen
You are purchasing from an unsecure site (http:// = unsecure, https:// = secure)
The price is too good to be true

@EMEA_GCA In Europe , many national authorities require to state the companies’ legal information in a section called ‘Legal Notice’ / ‘Mentiones légales’ / ‘Impressum’ / ‘Aviso legal’. Don’t buy anything from a site that doesn’t show those!

Q3. How can I identify fake ads on online auction sites and how can I avoid them?

@GetSafeOnline If a product is really hard to get, ask yourself – and the advertiser – why this one’s available. If it’s ‘buy it now’, check the price & ask yourself if it’s realistic, compare with other ads to see if it’s too good to be true. Always check seller ratings & reviews

@RH_ISAC One easy self-check is to check the seller’s ratings. Even for a good deal, if the seller has poor reviews, you should avoid the transaction. Avoid convoluted payment requirements & stick with payment methods that you know/trust. - Carlos Kizzee, EVP at RH-ISAC

@APWG_EU Check the domain! Some domains may look legitimate but often have typos or slight variations in their product names. Moreover, if you are visiting an unfamiliar domain name, do a separate search of the domain to verify whether it is the legitimate vendor.

@TakeFive Fake ads can be hard to spot as they often use pictures and details taken from a genuine seller’s ad to convince you they’re the real deal. If popular items are advertised at a price that seems “too good to be true”, this could be an indicator that it’s fake. Be scam savvy by reading online reviews from reputable sources before making purchases to check websites and sellers are genuine. Always access the website you’re buying from by typing it directly into your web browser instead of clicking on links in emails. Don’t be rushed or panicked into buying something for fear of losing the ‘too good to be true’ price

@cybersupportnet You can search the URL and look for company reviews online to help you determine how trustworthy the ad is. If you notice a fake ad, report it to the site that the ad appeared on.

@CarpeDiemCyber The tips that have already been offered are valuable. Is the deal too good? Are there clear errors? Looking at other sales and reputation when dealing through a site like eBay or Amazon can be very helpful.

@Cyber_Readiness Look at who posted the ad, do a quick google search to see if the company looks legitimate. Is there a physical business address? Is the website complete?

Q4. What tactics do criminals use to trick you into buying fake goods/services?

@EC3Europol “Buy now, before the deal expires!” Don’t fall for this criminals use a sense of urgency to make you buy fake goods & services.

@GetSafeOnline They place ads on auction & buy/sell sites, use social media posts & DMs/texts. They scan fan forums for selling and want ads for sports, gig or festival tickets. They say they have these, but they don’t of course. Again, they’ll ask for direct payment

@SBRC_Scotland Many fake goods advertise with a sense of urgency or give a fake impression of limited supply. Descriptions of the products might exaggerate their functionality, possibly giving a quick & cheap solution to a possible problem. If it’s too good to be true, it probably is!

@scamadviser Very low prices. More than 10% cheaper than anywhere else is a big red flag.

@RH_ISAC Just like in other sales areas, beware of pressure. Don’t let the seller convince you that you will “lose” if you think or wait. Avoid transactions that leverage “FUD” (Fear, Uncertainty, Doubt) as a sales motivation.Fake anti-malware software is sold in this fashion, using fear of compromise to impact the compromise. - Carlos Kizzee, EVP at RH-ISAC

@TakeFive Criminals often use cloned websites with slight changes to the URL to trick you into thinking you’re purchasing from a genuine site. They may also convince you to pay in advance of receiving your goods/services, sending you fake receipts and invoices to trick you. Don’t be rushed or panicked into missing that deal – that’s what the criminals are hoping you’ll do

@Cyber_Readiness *Here are some tactics fraudsters apply to trick consumers:

  1. They offer phantom or counterfeit goods.
  2. They ask for upfront payments.
  3. They follow-up with cold-calls, pretending to be your bank and credit card company and asking for transaction authorization.*

@APWG_EU If you feel that the price offered is “too good to be true…”, probably it is not true

@scamadviser We did a survey amongst consumers. 69% of consumers regret having bought a fake product. A lower price does not make them happy. Only 13% of the consumers are actually happy with their fake purchase…
@CarpeDiemCyber So I’ve fallen for this. I once bought a phone case for an insanely low price. It never arrived. It’s very hard to resist deals that are very inexpensive and just might be legitimate. In my case, the online marketplace cancelled the deal for me.

@cybersupportnet Criminals will use urgent language like “Deal Ends Today!” or “Act Now!” to rush you into making a snap decision. Follow the three golden rules on ScamSpotter.org to avoid a scam: 1. Slow it down. 2. Spot check. 3. Stop! Don’t send.

Q5. How can I protect myself when purchasing goods through social media?

@GetSafeOnline Use your instinct about if it’s authentic or not. Then, ask the seller to DM you their number so you can phone them with questions. Try to buy locally so you can see the goods in person, without breaking COVID rules of course!

@EC3Europol Never rush into a purchase. If it sounds #2good2btrue, then it might just be. Take your time, research the products & the seller. If a website asks for your credit card details before you have selected items to purchase or even for a ‘free’ service, beware.

@EMEA_GCA Always, always check the domain where you are being taken (and try to open it on your browser, especially if you are using your phone). This is particularly important because social media platforms usually abbreviate the domains to keep the character count low.

@RH_ISAC Two key suggestions: First, research the seller’s reputation. Second, use only trusted methods of payment (preferably those with fraud protection). - Carlos Kizzee, EVP at @rh_sac

@scamadviser check how long the social media account has been set-up and from where it is actually maintained. Facebook supports this.

@quad9 If you know the domain of the seller, try just typing it in by hand into the URL bar instead of following ad clicks or search engine responses.

@TakeFive Social media can be a great platform for purchasing goods but it’s being used by criminals to target people. Shop safely by requesting to see items high value items over video before making payment & use a secure payment method instead of paying by bank transfer

@SBRC_Scotland Don’t pay for anything without seeing an image from the seller first - If possible, meeting the seller in person can help verify the condition of the item, preventing a scam. Be sure to meet in a safe place. Remember to observe current COVID-19 Guidelines. And when paying online, services like PayPal offer buyer & fraud protection for reimbursement in the event of a scam.

@Cyber_Readiness Consumers can safeguard their identity through a strong password protocol: 15-character passphrases, two-factor authentication, and avoid password reuse across multiple accounts.

@cybersupportnet If you’re purchasing from a company off of social media, always go directly to their site to make a purchase & read reviews. When purchasing from an individual, make sure you are able to receive the item or verify it’s legitimacy BEFORE sending any money!

@GlobalCyberAlln Taking your time and doing some research on the seller/site/account seems to be a common theme!

Q6. How can I check if a seller is legitimate or website genuine?

@quad9 SSL Encryption of a website is not a method to determine legitimacy of a site. Make sure you end up on the right site (check the domain name) and use a service like Quad9 to help prevent clicking on bogus sites. Quad9.net

@GetSafeOnline Look for reviews/recommendations. Type in the website address yourself instead of clicking links, fraudsters have fake sites with very close spellings. Check that the payment page is secure with https and a padlock, though TBH even this could be a scammer’s site

@scamadviser Apart from checking scamadviser.com we always recommend contacting the website, preferably by phone. If in doubt… do not do it!

@RH_ISAC Security certifications & secure pages are a start but some fraudulent sites have those in place. Slow the impulse to buy, conduct diligent research (search Google, the BBB, social media for REAL reviews, etc.). Beware of the use of fake reviews on social media!

@TakeFive Researching the seller/website by reading different online reviews will allow you to determine their authenticity. You can also double-check the website’s domain name to ensure it’s not fraudulent. Purchase items made by a major brand from the list of authorised sellers listed on their official website

@APWG_EU Contacting the vendor before making the purchase is a very good starting point. If the response is poor and does not answer your question, it could be a sign of a #bot trying to scam you.”

@EC3Europol #BuySafePaySafe tip: use a creditcard when shopping online most credit cards have a strong customer protection policy; if you don’t get what you ordered, there is a process to get a refund from the card issuer.
@EMEA_GCA And some even offer specific insurance policies for online shopping. Check with your bank!

@GetSafeOnline With a credit card, you get protection against fraud & non-arrival of goods. This goes for not only shopping but booking tickets & holidays too. If you’re asked to pay by bank transfer & it’s fraud, you may never see your money again, so think carefully before you do

@scamadviser Most credit cards offer insurance and allow you to do a charge back. We also recommend PayPal. However, Credit Card Companies and Paypal are becoming less lenient to consumers as the number of scams increases.

@Cyber_Readiness To make sure websites are legitimate:
1.Check if the retailer has contact details
2.Browse through customer feedback to verify whether previous customers have been satisfied with the retailer
3. Run a Google search using the retailer’s name and “scam” or “fake”
4. Check the URL. Ensure that the link starts with “https” rather than just “http” - the “s” means that your connection is encrypted!
5. Use your gut feeling. Does the website look and feel professional? If so, it’s more likely that the retailer is legitimate.

@EMEA_GCA Again, if you are in Europe , check the Legal Notice. If you can’t find a registered name, a registered address, and a VAT number there, just don’t buy! If so, check if there are any other sites using any of those details

@CarpeDiemCyber Lot’s of good answers here already. One thing I’d add is use your common sense. If you get the same feeling from an online seller that you get from the person selling football jerseys on the corner, think again.

Q7. Why is it best to use a credit card when shopping online, what if I’m asked to pay by alternate means?

@SBRC_Scotland The Consumer Protection Act supports a level of fraud protection for purchases made by Credit Card & Debit Card.

@GetSafeOnline With a credit card, you get protection against fraud & non-arrival of goods. This goes for not only shopping but booking tickets & holidays too. If you’re asked to pay by bank transfer & it’s fraud, you may never see your money again, so think carefully before you do

@TakeFive If you’re asked to pay by alternate means such as by bank transfer, Stop. Instead, use the secure payment method recommended by reputable online retailers & online websites. For purchases over £100 and up to £30,000, use a credit card as you’re covered under S75

@APWG_EU Credit cards provide more legal protection while shopping online. Legitimate vendors should always allow you to pay with them, so do not use any other alternative.

@RH_ISAC Your payment cards may have fraud prevention built-in. Your payment card vendor likely enables you to cancel or refund a fraudulent purchase. You lose this if you pay via wire transfer or another direct method. - Carlos Kizzee, EVP at RH-ISAC #protectasone

Q8. What can sellers do to help secure their websites?

@scamadviser Keep up to date on security updates and use a platform if you do not have IT skills yourself.
@EMEA_GCA Update Update Update! Our SMB toolkit can help you set up automated updates for your system

@RH_ISAC Use only TRUSTED & VERIFIED CODE on your customer purchasing pages. SCAN your site frequently to verify the activities of scripts & their impacts on the digital transaction (latency, cookies dropped, etc.). KNOW AND LIMIT the third parties who have access to purchasing sites where customer data is available. - Carlos Kizzee, EVP at RH-ISAC

@APWG_EU Check the latest tips given by @EC3Europol to sell securely and build trust to your customers: Safe sales, safe revenue | Europol

@GetSafeOnline Lots! Make sure it’s a certified secure site, protect your server with firewall & security software, monitor log files to detect intrusion attempts, don’t store customers’ details on a public ecommerce server, get the site pen tested, talk to a DDOS specialist

@Cyber_Readiness Retailers hire part-time/seasonal employees for the holidays. Employers must remain diligent in training all employees because anyone can be responsible – knowingly or unknowingly – for a cyber-attack. Online transactions yield a significant amount of personal and often payment information. It is important that retailers manage the storage of and access to this data securely. Retailers that offer delivery service can be easily preyed upon due to the prevalent transferring and sharing of confidential information. Protecting customer data should be a top priority for a retailer of any size as hackers tend to focus their attacks on this type of info.

@SBRC_Scotland Obtaining an SSL certificate to establish encryption between the server & browser is very important for online transactions to ensure the protection of financial information. You could also look into getting a Cyber Essentials accreditation
@EMEA_GCA In UK Cyber Essentials from NCSC:
ncsc.gov.uk/cyberessential…

@EC3Europol Online merchants should always consider the cybersecurity dimensions. They could start with these steps:
Prepare the business
Set the defences
Sell & get paid safely
Reach out for help
More details available here: Safe sales, safe revenue | Europol

@CarpeDiemCyber To help with implementing security measures like @EC3Europol’s businesses can look at the @GlobalCyberAlln Cybersecurity Toolkit for Small Business. gcatoolkit.org/smallbusiness. It is available in English, Spanish, French and German.

Q9. What can I do if I think a criminal is impersonating my website/shop?

@GetSafeOnline Depends on if it’s a fraudulent impersonation or a copycat site, which charges a fee for something you provide for free. If it’s fraud, report it to the police in your country for urgent action. If it’s a copycat, talk to Trading Standards or your equivalent

@RH_ISAC FIRST alert your customers leveraging your relationship with them through loyalty programs & via social media. ALSO immediately notify the @FTC or the hosting and request takedown. This can be difficult as some fake sites may be hosted in jurisdictions outside of the US with poor enforcement, so you may want to look into commercial services that can manage these efforts for you. - Carlos Kizzee, EVP at RH-ISAC

@SBRC_Scotland In Scotland you should contact 101 and report this as a crime to Police. If your brand is copyrighted, you should also send a DMCA take-down notice to the hosting provider.

@Cyber_Readiness Do not engage with the impersonator, especially if they are demanding a payment in exchange for website access. Report the incident to your supervisors. If you are the owner of the website, alert your customers and report the incident to authorities.

@cybersupportnet If someone is impersonating your website/shop, take screenshots of the impersonator’s website/shop and notify your customers about the website impersonating your business.

@CarpeDiemCyber Always consider reporting to law enforcement. There may be little it can do, but it may also be able to help.

Q10. What should I do if I think I may have fallen for a purchase scam?

@EC3Europol If you or someone you know become victim of online fraud, reportit to your national police & your bank! Doing so may help your case, but also prevent others from also becoming victims.

@GetSafeOnline In the UK, report it to Action Fraud, elsewhere (& Scotland) the police. Tell the website operator, social media platform, auction site or forum where you saw the ad. If you’ve lost money, report it to your bank without delay in case they can recover your losses

@RH_ISAC IMMEDIATELY notify your credit card company via their fraud contact. Similarly, immediately notify your bank if you paid via a funds transfer. Consider requesting a new payment card and changing your account access credentials. Also purchasing a credit monitoring service to identify new accounts or debts may be a good idea. - Carlos Kizzee, EVP at RH-ISAC

@TakeFive If you think you’ve fallen for a purchase scam, contact your bank immediately on a number you know to be correct, such as the one on the back of your debit or credit card. You should also report it to Action Fraud to protect others from falling for the same scam

@cybersupportnet If you experience an online shopping scam and you paid with a credit card, dispute the charge with your credit card provider right away! Then, report the scam to the @FTC Complaint Assistant: ReportFraud.ftc.gov

@Cyber_Readiness Call your bank or credit card company immediately to cancel your transaction. File a complaint if the scam occurred on a marketplace platform like Amazon or eBay. Consider filing a police report, especially if you need it to prove fraud to your credit card company.

And finally and further resources and advice for buying or selling online?

@GetSafeOnline Forgive the plug, but a good place to start for individuals and businesses is getsafeonline.org We hope we’ve been of help on this #GCAchat and thanks everyone for taking part & tuning in. Happy Christmas Shopping and stay safe out there!

@TakeFive We would always urge people to follow the advice of the Take Five to Stop Fraud campaign to keep their money and personal information safe from criminals #StopChallengeProtect Purchase Scam | Take Five

@EC3Europol If online merchants #SellSafe, then customers can #BuySafePaySafe.
Here are our tips targeting both online merchants and shoppers, available in +20 languages, E-COMMERCE: TIPS AND ADVICE TO AVOID BECOMING A FRAUD VICTIM | Europol

@RH_ISAC The @RH_ISAC blog is great resource for #retail, #hospitality, and #travel orgs to gain insights into what others are doing in our industry: rhisac.org/blog/
Another great resource is @StaySafeOnline. They have a ton of education and awareness resources to empower users at home, work, and school: staysafeonline.org Check out the @FTC consumer protection page here: https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection You can report #fraud on their website or learn about known #fraudulent sites. #protectasone

@quad9 Using a protective DNS service like Quad9 is a simple and free way to avoid even accessing those malicious sites. Quad9.net
And it is SUPER easy to set up! Did we mention it is also free? And doesn’t collect any of your personal information!

@SBRC_Scotland For further guidance on shopping online, you can visit the Police Scotland website: https://www.scotland.police.uk/keep-safe/keep-secure-online/phishing-and-internet-shopping/

@Cyber_Readiness One of CRI’s free resources is a series of tips to keep in mind when online shopping, especially around the holiday rush! Check it out here: https://cyberreadinessinstitute.org/news-and-events/holiday-tips-for-retailers-tis-the-season-to-be-cyber-ready/ #BeCyberReady

Wow - what a great Twitter Chat we had! Do take advantage of the tips, advice recommendations provided here by our expert panel of participants. If you’d like any further information or any of your own questions answered we are all here for you!