Incognito — December 2024: Holiday Shopping Scams

Laura Martisiute

December 6, 2024

Reading time: 8 minutes

Welcome to the December 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

  • “‘Twas the Scam Before Christmas.” Yes, it’s that time of the year again. 
  • Recommended reads, including “AI Can Replicate Your Personality After a Two-Hour Interview.”
  • Q&A: What are the privacy implications of QR codes? 

48% of consumers polled by Norton said they’d been targeted by a scam while doing their holiday shopping online. 

To help you stay merry this holiday season, we thought we’d spend this issue looking at some of the scams you can expect to encounter in the next month or so. 

Let’s Start with a Classic

🚚📦 “The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information.”

You’ll likely get at least one message like that this holiday season.

  • But don’t fall for it, whatever the message’s tone. As one Redditor said, “Some even threatened to have me arrested if I don’t pay as they claimed that my parcel contained drugs and/or illegal items.”
  • Remember: the U.S. Postal Service will never ask for your personal information in a text or email, so if you get one, forward it to spam@uspis.gov or 7726.

Other organizations/brands that are most often impersonated include: Best Buy/Geek Squad, Amazon, PayPal, Microsoft, Publishers Clearing House, Norton/Lifelock, Apple, Comcast/Xfinity, Bank of America, and Wells Fargo. 

Next, Let’s Talk About Online Shopping

🛍️ Online purchase scams were the third most common in 2023, according to the Better Business Bureau.

This year will likely be just as bad. 

There are two things to watch out for in particular when doing your Christmas shopping:

  1. Fake stores. Creating fraudulent storefronts online has never been quicker or easier, mostly thanks to large language models (LLMs) aka “AI.” Specifically, criminals are using LLMs to create or rewrite text for product descriptions and boost search rankings. “We first observed LLM-generated retail product descriptions in July 2024, and similar behaviors continue into the holiday shopping season,” said a recent report by a cybercrime disruption and digital risk protection company.
  2. Fake social media ads (and even ads on search engine results like Google!). Whether on Facebook, Instagram, another social media site, or even your preferred search engine, the BBB advises consumers to be wary of ads that lead to scams. “They could have a really discounted price, a free trial offer, or some product we haven’t heard about before,” said the Director of Communications at the Better Business Bureau for Metro Philly and Eastern Pennsylvania, Kelsey Coleman.

Always do your research and keep in mind that if a product, price, or delivery time looks too good to be true, it probably is. 

  • Be careful about porch pirates, too. Recently, two teenagers in Texas were arrested for reportedly stealing iPhone 16 devices by exploiting stolen tracking data to intercept FedEx shipments. 
  • Better to shop in person? CyCognito researchers found that just over 50% of e-commerce technology like payment portals and websites collect personally identifiable information, making them an attractive target for criminals. 

Do You Really Need That App?

📱Finally, don’t download any apps you’re not sure of (good advice regardless of the time of year).

Research from previous years shows that a crazily high percentage of holiday-themed apps, including shopping apps and Santa video chat services, have security issues and leak personal data. Some can even gain control of your device without your consent.

See: The BBB website for more scams to watch out for during this holiday season. 

Noteworthy: The Rise of Scam-Yourself Attacks

Though not necessarily holiday season-related, this is still something worth knowing: 

  • The emergence of a new trend called “scam-yourself attacks.”

According to a report by Gen (whose brands include Norton, Avast, and more), scam-yourself attacks increased by 614% in Q3 2024 compared to Q2 2024. These attacks involve criminals manipulating victims into doing something malicious without them realizing it. 

One example is the “I Am Not a Robot” attack where criminals use fake CAPTCHA prompts to trick users into copying malicious code onto their clipboard, leading to malware installation on their devices. 2 million people were targeted by this attack in Q3 2024 alone. 

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Judge Allows Lawsuit Against Data Brokers Under Daniel’s Law to Proceed

A judge ruled that a lawsuit against data brokers can proceed after they failed to remove law enforcement officers’ personal information from the web, as required by Daniel’s Law. The brokers argued the law violates free speech, but the judge rejected this claim. A judgment against the sued entities could result in at least $2.3 billion in fines.

T-Mobile Confirms Cyber Attack; Says Text and Call Logs Not Accessed

T-Mobile said it detected recent attempts by hackers to infiltrate its systems but assured customers that their calls, text messages, and voicemails were not accessed. This follows reports that a China-backed hacking group compromised several telecom giants, targeting communications of U.S. officials and prominent Americans. 

AI Can Replicate Your Personality After a Two-Hour Interview

Research from Stanford and Google DeepMind shows that AI models can create virtual replicas of a person’s personality after just a two-hour interview. In a study with 1,000 participants, these AI agents demonstrated an 85% similarity to their human counterparts based on personality tests and social surveys. 

FBI Investigates Post-Election Threats Targeting Minorities, Possible Data Broker Link

The FBI is investigating racist and threatening text messages sent to Black, Latino, and LGBTQ+ communities after the presidential election. The targeting of specific groups raises concerns about the use of detailed voter lists, likely purchased from federally unregulated data brokers, which combine phone numbers with voting and demographic data. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: A lot of things today use QR codes. Are they OK to scan? What are the privacy implications (if any)?

A: Depends.

As David Choffnes, Executive Director at Northeastern’s Cybersecurity and Privacy Institute, says:

“It’s sort of like a mystery box. You don’t really know what you’re going to get. And for the most part, people don’t see it happening.” 

When you scan a QR code, it can gather information your web browser makes available about your device. If the QR code opens an app, it may also access your location or other data the app is authorized to use.

Speaking to The New York Times, the senior policy analyst at the American Civil Liberties Union, Jay Stanley, described the consequences of QR codes in the context of restaurants (one of the most common places you’ll find them) as:

“Suddenly your offline activity of sitting down for a meal has become part of the online advertising empire.”

Privacy concerns aside, QR codes can also be malicious. 

Last December, the FTC issued a statement warning consumers to be wary of QR codes in public places because scammers hide harmful links in them to steal people’s personal information.

In Switzerland, fraudsters have recently been sending malicious QR codes through the mail.

Bottom line? If there’s another option, you should probably avoid QR codes.  

Q: How long should passwords be?

A: The answer to this question can vary based on who you ask. 

However, the general consensus seems to be at least 12 characters long, but ideally 16 or more. 

If your passwords are just 8 characters long, they’re much easier to break. Recent research shows that advancements in computing power make it easy to crack 8-character passwords, especially if stored with insecure hashing algorithms like MD5.

Make sure your passwords are random or passphrase-based and enable MFA when possible. 
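To see why those extra characters matter so much, here is an added example (not part of the original newsletter) that estimates the brute-force search space for random passwords of different lengths and generates a random 16-character password. The guess rate is an assumed, illustrative figure for a fast hash like MD5, and the function names are hypothetical.

```python
import math
import secrets
import string

# ASSUMPTION: illustrative attacker speed against a fast, unsalted hash
# such as MD5. This figure is not taken from the newsletter.
ASSUMED_GUESSES_PER_SECOND = 1e11

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_WORDS = 7776  # size of a standard Diceware word list


def entropy_bits(alphabet_size, length):
    """Entropy of a secret built from `length` independent, uniform picks."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Expected brute-force time: half the search space divided by the rate."""
    return 2 ** (bits - 1) / rate


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def random_password(length=16):
    """Random password drawn with the OS CSPRNG (never use `random` for this)."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def compare():
    """Return (label, entropy bits, estimated average crack time) per scheme."""
    schemes = [
        ("8 random printable characters", len(PRINTABLE), 8),
        ("12 random printable characters", len(PRINTABLE), 12),
        ("16 random printable characters", len(PRINTABLE), 16),
        ("6-word Diceware passphrase", DICEWARE_WORDS, 6),
    ]
    rows = []
    for label, alphabet, length in schemes:
        bits = entropy_bits(alphabet, length)
        rows.append((label, round(bits, 1), human(average_crack_seconds(bits))))
    return rows


if __name__ == "__main__":
    for label, bits, eta in compare():
        print(f"{label:32s} {bits:6.1f} bits  ~{eta}")
    print("Sample:", random_password())
```

These estimates only hold for secrets chosen at random; a human-chosen password of the same length falls much faster to dictionary and pattern-based guessing.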

Q: Is it possible for biometrics to be stolen?

A: Unfortunately, yes. 

Biometrics can be stolen like any other personal data, including through data breaches, phishing attacks, and spoofing.

For example, Group-IB recently discovered a banking trojan that uses phishing to steal personal information and facial scans, which are then replaced with AI-generated deepfakes to bypass security. 

These attacks have been particularly effective in regions like Thailand and Vietnam, where facial recognition is mandated for financial transactions. 

To reduce the likelihood of your biometrics being stolen:

  • Choose reputable services (if possible, only use services that have a good track record and are transparent about how they secure your biometrics).
  • Combine biometrics with MFA.
  • Be on the alert for social engineering (always a good idea!).

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month. 

Laura Martisiute is DeleteMe’s content marketing specialist. Her job is to help DeleteMe communicate vital privacy information to the people that need it. Since joining DeleteMe in 2020, Laura h…
