The FBI warned consumers to be vigilant while shopping online, as cybercriminals are targeting e-commerce shoppers to steal sensitive information. In a security alert, the FBI stated that it has seen a spike in online shopping scams. Attackers are targeting shoppers by redirecting them to fraudulent websites via social media platforms and search engines.
Online Shopping or Monetary Loss?
According to the Federal Trade Commission (FTC), the number of complaints about online shopping scams has grown every year, and victims have lost a total of $420 million since 2015. The commission received more than 86,000 complaints related to online shopping issues in 2019.
The FBI received several complaints from victims stating they have not received items they purchased and were led to fraudulent websites via ads on social media platforms or while searching for specific items on online shopping pages. Complaints reported to the FBI include:
- Disposable face masks shipped from China were received regardless of what was ordered.
- The payment was made using an online money transfer service.
- The retail websites provided valid but unassociated U.S. addresses and telephone numbers under a ‘Contact Us’ link, misleading victims to believe the retailer was located within the U.S.
- Many of the websites used content copied from legitimate sites; in addition, the same unassociated addresses and telephone numbers were listed for multiple retailers.
Some victims who complained to the vendor about their shipments were offered partial reimbursement and told to keep the face masks as compensation. Others were told either to return the items to China in order to be reimbursed, which would result in the victim paying high postage fees, or to agree to a partial reimbursement of the product ordered without returning the items received. All attempts made by the victims to be fully reimbursed, or to receive the actual items ordered, were unsuccessful.
How Attackers Target Online Shoppers
The FBI listed the indicators of the fake websites that attackers used to target online shoppers:
- Instead of .com, the fraudulent websites used the Internet top-level domains (TLDs) “.club” and “.top.”
- Websites offered merchandise at significantly discounted prices.
- Uniform Resource Locator (URL) or web addresses were registered recently (within the last six months).
- Websites used content copied from legitimate sites and often shared the same contact information.
- The websites were advertised on social media.
- Criminal actors utilized a private domain registration service to avoid personal information being published in the WHOIS Public Internet Directory.
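The indicators above can be turned into a simple triage check over site records an analyst has already collected. This is an added example, not code from the FBI alert: the record fields, the 183-day reading of "six months", the reference date, and the sample sites are all constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

SUSPECT_TLDS = {"club", "top"}   # TLDs named in the indicator list
RECENT = timedelta(days=183)     # assumption: "six months" taken as 183 days

# Constructed sample records (not real sites). Field names are hypothetical
# and stand for data already gathered from WHOIS and the "Contact Us" page.
SITES = [
    {"domain": "constructed-shop-a.club", "created": date(2020, 6, 1),
     "whois_private": True, "phone": "+1 (555) 0100"},
    {"domain": "constructed-shop-b.top", "created": date(2020, 5, 15),
     "whois_private": True, "phone": "1-555-0100"},
    {"domain": "constructed-shop-c.example", "created": date(2012, 3, 9),
     "whois_private": False, "phone": "+1-555-0199"},
]

def normalize_phone(number):
    """Keep digits only so differently formatted copies of a number match."""
    return "".join(ch for ch in number if ch.isdigit())

def triage(sites, today):
    """Return {domain: [indicator names]} for each site record."""
    phone_counts = Counter(normalize_phone(s["phone"]) for s in sites)
    report = {}
    for s in sites:
        hits = []
        tld = s["domain"].rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in SUSPECT_TLDS:
            hits.append("suspect_tld")
        if today - s["created"] <= RECENT:
            hits.append("recently_registered")
        if s["whois_private"]:
            hits.append("private_registration")
        # Same contact number listed by more than one retailer in the batch
        if phone_counts[normalize_phone(s["phone"])] > 1:
            hits.append("shared_contact")
        report[s["domain"]] = hits
    return report

if __name__ == "__main__":
    for domain, hits in triage(SITES, today=date(2020, 8, 1)).items():
        print(f"{domain}: {len(hits)}/4 indicators {hits}")
```

Private registration and recent registration are also common among legitimate sites, so the indicator count is a way to prioritize review rather than a verdict on any one site.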
How to Spot/Avoid a Fraudulent Shopping Site
Based on victims’ complaints, the FBI said that fake shopping sites have multiple things in common and can be easily detected with simple security checks, including:
- Do your homework on the retailer to ensure it is legitimate.
- Check the WHOIS Public Internet Directory for the retailer’s domain registration information.
- Check other websites regarding the company for reviews and complaints.
- Check the contact details of the website on the “Contact Us” page, specifically the address, email, and phone number, to confirm whether the retailer is legitimate.
- Be wary of online retailers offering goods at significantly discounted prices.
- Be wary of online retailers who use a free email service instead of a company email address.
- Do not judge a company by their website; flashy websites can be set up and taken down quickly.
The FBI recommended that online shoppers be alert to unreliable offers and low prices at an online store when compared to other online stores.