The holidays are prime time for fraudsters, and this year is fixing to be one for the record books. Not only is the Log4j vulnerability still shaking out with still unknown implications for potentially millions of businesses, but the Better Business Bureau recently warned Americans to look skeptically at shipping notifications as well.
The organization in November announced details regarding one of the latest holiday scams now taking hold, particularly as shoppers increasingly turn to online purchases. The scam involves sending shoppers fraudulent e-mails and texts that resemble their shipping invoices or tracking numbers. The message may suggest that there were problems delivering your package or that your delivery preferences need to be updated. Bad actors are betting on you--or your employees--clicking that malicious link. Here's how to avoid doing so.
When in doubt, go to the source
When you get a shipping invoice or an email from any retailer, don't click on any links in the notice. Instead, go directly to the website, says Eric Stegner, the director of information risk at Andrews Federal Credit Union.
Though some of these e-mails may be legitimate, you can verify any details directly on a company's website. What's more, doing so completely removes you from the loop of even remotely clicking on a malicious link.
Even though it might seem inconvenient at the moment, it can't hurt to jot down your tracking number and shipment information, Stegner recommends. Similar to keeping an eye out for anything that's off in a phishing email or text message, employ those same techniques before double-clicking any messages from your mail courier.
Set up safeguards
Enabling multifactor authentication (MFA) or two-factor authentication is an absolute must for business owners, Stegner says. Duo Security is one solution provider businesses could consider when looking to adopt MFA. Businesses are ideal targets for scammers because they usually deal with larger amounts of money and the accounts of others. Setting up MFA is like planning for failure. In case you do fall for a phishing notice, if a bad actor is able to tap into your account with your credentials, they'll still get throttled by an access code that's sent to your personal device.
"You want to make sure that as a business owner, you have a pretty good e-mail filter," Stegner adds. "Fraudulent emails come in left and right and you want to make sure that a ton don't get through."