Online shoppers are being warned about a new scam involving fake order confirmation emails.
The emails in question ask consumers to confirm the purchase of an online order or the shipment of a package from a big-name online retailer, reports Krebs on Security. They are timed to trick consumers who may have purchased holiday gifts online. Unfortunately, as with most email phishing scams, clicking the links or downloading the attachments included in a malicious email may give consumers an unwanted gift of their own: malware, viruses, and potentially compromised personal information.
How Does the Scam Work?
The emails are designed to look like they are being sent from trusted retailers, including Target, Home Depot, Walmart, Amazon, and Costco, and have been reported to use a variety of subject lines, including: "Acknowledgment of Order," "Order Confirmation," "Order Status," "Thank you for buying from [insert merchant name here]," and "Thank you for your order." The text of the email typically references a vague order that is ready to be picked up or delivered and instructs consumers to click on a link or attachment in the email for more information.
Consumers who do click on the links or the attachments in the email may be exposing their computers to a malware bot known as ASProx, according to security company Malcovery. This malware not only harvests personal information such as usernames and passwords from infected computers, but also uses those computers as part of a botnet to relay junk email and perpetuate malware attacks on other computers.
Email Confirmation Scams
Email confirmation scams are becoming one of the more common forms of email phishing. In 2013, customers of Delta Airlines were warned not to click on a message purporting to be from Delta involving flight cancellations, as the emails were part of a phishing scam. Email scams can also be used for more old-fashioned forms of fraud. Sellers on eBay have reported receiving fake payment confirmation emails from PayPal. The emails are generated by buyers, hoping to induce the seller to ship the items before discovering that payment was never in fact made.
How to Avoid Being Scammed
To avoid being infected with malware or otherwise duped by fake confirmation emails, the best policy is to confirm orders, shipping, payment, and other steps in the online shopping process through the retailer's or service provider's actual website. In most instances, phishing or fraudulent email confirmations also fail to stand up to close scrutiny; grammatical errors and overly vague language should both be red flags.
Most importantly: Even when an email appears to be from a trusted source, if the email is unsolicited or seemingly out of the blue, avoid clicking any included links or opening any included attachments. An order confirmation from a legitimate business will almost always include references to order numbers or transaction information that may be used to confirm the order online or over the phone.