Incognito — December 2023: Avoid Scams This Holiday Season

Welcome to the December 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• How to avoid scams this holiday shopping season. 
• Recommended reads, including “Your Experian Account Is Still Hackable.”
• Q&A: Why would I pay for a password manager if I can just use Google’s?

It’s the holiday season – a time of year commonly associated with family, good food, and gift-giving. But it’s also the time of year when scammers are most active. If you intend to shop online this month, here’s what you need to know to avoid fraud. 

‘Tis the Season for Online Scams

It looks like most people now prefer to do holiday shopping from the couch. A recent survey of online holiday shopping found that 97% of Americans plan to do at least some of their shopping online this year. 

That makes sense – online gift shopping saves time and is typically less stressful. But it has its downsides. The main one: you’re more likely to fall for a scam. 

• Nearly 1 in 4 global consumers say they’ve been targeted by a scam when shopping over the internet, with half of them falling for the scam. 
• The average financial loss to victims is $1,510. 

Scams to Watch Out For

Santa Claus isn’t the only one coming to town this time of year. This December, we expect a wave of seasonal scammers to try out tricks like these:

🎅 Christmas delivery scam messages

Although fake delivery notification texts are popular all year long, the chances of being tricked increase dramatically during the holiday season. It’s one thing to get a text or email from USPS or DHL about a missed delivery or import fees when you’re not expecting any packages. It’s quite another when you’re actually waiting for a bunch of gifts to arrive. 

🛍️ Phishing emails from well-known brands

Hey, look – it’s an Amazon Christmas giveaway! Wait… why does the link go to a Russian domain (.ru)? If only all fake surveys, giveaways, and other scams impersonating well-known e-commerce stores were as obvious as the one that circulated a few years ago.

✉️ Charity scams

Whether you donate to charity as a way to give back or do it as a gift to someone else, scammers make bank on our generosity. Some people are more vulnerable than others, including those who have donated in the past (and appear in data broker donor lists), older people, and those with specific ailments (and can, therefore, sympathize with a particular cause). 

Plus: Be wary of “grandparent” scams, in which criminals impersonate family members to scam older individuals out of money. This scam is getting worse, as criminals find videos posted on social media and use AI tools to impersonate the person’s voice when contacting an elderly relative. 

What Do These Scams Have In Common?

To send you, or your friends and family, a phishing text, email, or social media message, scammers need your personal data. 

Fortunately for them, these details are easy to find. Various online sources, including data brokers and your own social media profiles, leak this information to bad actors. 

Most of the time, the resulting scams are generic, i.e., you’re one of a thousand-plus people who get the same seasonal scam text.

When they get the chance, however, scammers will go further. Watch out for personalized phishing messages that use information from data brokers about shopping habits and donations to try and trick you. 

Privacy exercise: If you shopped at LEGO and received this text message from UPS about your LEGO delivery, how would you know it was a scam? (The answer: The link doesn’t start with https://www.ups.com, and the text is sent from a non-UPS phone number. Also, UPS doesn’t include payment links in texts. See more about USP scams on their site.)

Give the Gift of Privacy (to Yourself) 

The less information there is about you online, the less likely you are to become a victim of a scam – personalized or otherwise. 

As we approach the holidays, make sure that:

✅ Your personal information is taken off major data brokers.

✅ Your social media accounts are set to private.

✅ Your posts don’t reveal too much about you or your life. Maybe you love LEGO and bought it for yourself this holiday season, but do you need to share this on LinkedIn or Reddit? Similarly, does everyone need to know you’ve donated to your local dog shelter?

✅ Your online accounts are not linkable. To see how easy it is to dox someone based on their post history, read this online forum thread. 

✅ You know how to spot a phishing email. Watch out for unnecessary urgency, typos, logos that are slightly off, strange sender emails and domains, etc. In general, don’t respond to unsolicited or unexpected texts or emails, and don’t share confidential information. If you think the message might be legitimate, contact the institution/e-commerce site directly using the contact information you find on their actual website. 

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

WhatsApp Users Can Now Hide Their Location

WhatsApp introduced a new privacy feature called “Protect IP address in calls,” which hides your IP address from the person you call through the app. Instead of a peer-to-peer connection (which provides better voice quality but exposes both parties’ IP addresses), the feature relays the call through the company’s own servers. All calls will still be end-to-end encrypted. 

FCC Unveils New Anti-Swim Swapping Rules

The Federal Communications Commission (FCC) introduced new rules to protect consumers against SIM swapping attacks (where criminals trick your carrier into transferring your phone number to their SIM card). Carriers will now need to use secure customer authentication methods before transferring their number and notify customers immediately when a port-out or SIM change request is made. 

Your Experian Account Is Still Hackable

In 2022, KrebsOnSecurity wrote about several readers whose Experian accounts were hijacked after identity thieves used a different email address to re-register their accounts. More than a year has passed, and the security issue hasn’t been fixed. As Brian Krebs reports, his Experian account was breached, but he was able to steal it back from the criminals using the same method they did. 

Google Considered Creating a Private Search Engine 

Google leaders contemplated creating a subscription-based private Search service in 2018, according to testimony in an ongoing antitrust case. At the time, Danny Sullivan, public liaison for Google Search, said in an email, “$10 per month buys you, I don’t know, 1,000 searches. Or maybe it’s much more — because maybe it should be more.” He also suggested bundling it into something like YouTube Premium. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: What’s stopping other people from using Have I Been Pwned to see where I have accounts? 

A: Nothing. Anyone can use Have I Been Pwned (for anyone who doesn’t know, Have I Been Pwned is an online tool that lets users see if their email address or phone number has been part of a data breach) as a way to figure out what online accounts you have. 

Luckily, the site’s creator has foreseen this happening, and you can opt out of other people looking you up through it. 

Go to the Have I Been Pwned opt-out page to remove your email address. If you do this, your email address will never be publicly searchable again on Have I Been Pwned – even if it’s part of future data breaches. 

But to stay informed if you’re involved in a data breach, subscribe to breach notifications. 

Q: Are there any smartwatches that track health data but are privacy-focused?

A: Check out Mozilla’s *privacy not included buyer’s guide. It has reviews of connected toys and gadgets, including smartwatches. 

If you sort their fitness tracker reviews by “Creepiness: least to most,” Garmin watches appear to be the best. 

What’s cool is that each review on Mozilla’s buyer’s guide includes information on whether the watch can snoop on you, what data the company collects, how the company uses this data, how you can sign up (email, phone, third-party site), etc. 

Tip for even more privacy: If you can, connect the watch to your computer through USB and download your data directly rather than using the app. 

Q: Why would I pay for a password manager if I can just use Google’s?

Because Google’s password manager is browser-based, and browser-based password managers are considered less safe. 

Also, Google’s password manager has fewer features than other password managers. For example, it doesn’t let you securely share passwords with family and friends. 

PCMag has a good article on why you probably shouldn’t trust Google with your passwords.

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.