The holiday scam email season is here. Don’t fall for it.

By Adriana Lima, 6 Min Read

Someone claiming to be from Kohl’s really wants to gift me a beautiful orange Le Creuset Dutch Oven.

The email always says this is the department store chain’s second attempt to contact me, although I feel it’s more like their 50th, as I have received this email many, many times over the last few months. You probably did too. Maybe it’s not Kohl’s. Maybe it’s from Dick’s Sporting Goods or Costco. Whoever it claims to be from, the result is the same: you click a link, fill out some sort of survey, and are asked to enter your credit card information to cover the cost of shipping your free Yeti cooler, Samsung Smart TV, or that Le Creuset Dutch Oven.

Those items will never arrive, of course. These emails are all phishing scams: emails pretending to be from a person or brand you know and trust in order to get information out of you. In this case, it’s your credit card number. This latest campaign is particularly effective at evading spam filters. That’s why you may have noticed so many of these emails in your inbox over the past few months. The fact that they reached your inbox in the first place, as well as the realistic presentation of the emails and the websites they link to, makes them more convincing than the typical scam email. These attacks also usually escalate during the holiday season. So here’s what you should pay attention to.

“The Grinch is getting security companies coal and blocked IPs for Christmas, and that results in more spam with the domain hopping architecture getting into your inboxes,” Zach Edwards, a security researcher, told Recode. Domain hopping architecture is the set of redirects that routes user traffic across multiple domains, helping scammers hide their tracks and detect and block potential security measures.

Akamai Security Research identified the scam campaign as relatively recent. The idea behind the scam itself, pretending to be a well-known brand and offering a reward in exchange for some personal information, is not new. Akamai has been following these kinds of scams for a while. But this year’s version is new and improved.

“This is a reflection of the adversary’s understanding of how security products work and how to use them to their advantage,” said Or Katz, principal security researcher at Akamai.

An example of a scam email pretending to be from Costco. It features a woman in a yoga pose in front of a large screen TV and reads: “Pure 8K cinematic viewing. Download it now. Costco Wholesale Samsung OLED 8K UHD HDR Smart TV. Congratulations! You have been chosen to participate in our loyalty program for free! Answer the survey.”

Sorry, but you’ll have to buy a Samsung TV from Costco just like everyone else. This survey is just trying to steal your credit card information.

Basically, these scammers are implementing many technical tricks behind the scenes to evade scanners and get past spam filters. These include (but are not limited to) routing traffic through a mix of legitimate services, such as Amazon Web Services, which is where many of the scam emails I’ve received seem to link to. And, Edwards said, bad actors can identify and block the IP addresses of well-known scam and spam detection tools, which also helps them bypass those tools.

Akamai said this year’s campaign also included a new use of fragment identifiers. You’ll see them as a series of letters and numbers after a pound sign in a URL. They are typically used to send readers to a specific section of a web page, but the scammers used them to send victims to completely different websites instead. And some scam detection services don’t or can’t scan fragment identifiers, which helps the links evade detection, according to Katz. That said, Google told Recode that this particular method alone wasn’t enough to bypass its spam filters.
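As an added example (not code from the article, Akamai or Google), here is a small Python checker that treats the part of a link after the pound sign as data rather than skipping it, and reports any other hostname named there, including one hidden as base64; the sample links are constructed.

```python
"""Flag email links whose URL fragment names a second destination.

Added example, not the article's or any vendor's code. The point: a scanner
that ignores everything after '#' never sees the real landing site, so this
one inspects the fragment (and base64-looking tokens inside it) for hosts.
"""
import base64
import re
from urllib.parse import urlsplit, unquote

# Hostname-ish token: one or more dotted labels followed by a 2+ letter TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _decode_b64(token: str) -> str:
    """Return the decoded text if token is valid base64/base64url, else ''."""
    pad = "=" * (-len(token) % 4)
    try:
        return base64.urlsafe_b64decode(token + pad).decode("utf-8")
    except Exception:  # not base64, or not text once decoded
        return ""

def fragment_targets(link: str) -> list[str]:
    """Hostnames found in the fragment that differ from the link's own host."""
    parts = urlsplit(link)          # urlsplit keeps text after '#' as .fragment
    frag = unquote(parts.fragment)
    if not frag:
        return []
    candidates = [frag]
    # A second hop may be base64-encoded inside the fragment; try each token.
    for tok in re.split(r"[^A-Za-z0-9_\-=]+", frag):
        if len(tok) >= 12 and (dec := _decode_b64(tok)):
            candidates.append(dec)
    own = (parts.hostname or "").lower()
    found = set()
    for text in candidates:
        for m in URL_RE.findall(text) + HOST_RE.findall(text):
            host = (urlsplit(m).hostname if "://" in m else m) or ""
            if host.lower() and host.lower() != own:
                found.add(host.lower())
    return sorted(found)

def is_suspicious(link: str) -> bool:
    """True when the fragment points somewhere other than the visible host."""
    return bool(fragment_targets(link))

# Constructed sample links: a benign in-page anchor, a plain second hop,
# and a second hop hidden as base64url in the fragment.
SAMPLE_LINKS = {
    "plain": "https://landing.example/#/section-2",
    "direct": "https://cdn-host.example/r?id=7#https://prize-survey.example/win",
    "b64": "https://cdn-host.example/r#"
           + base64.urlsafe_b64encode(b"https://hidden-survey.example/").decode(),
}
```

Run `fragment_targets` over every link extracted from a message; any non-empty result is a link whose visible host is not where the victim ends up.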

“What we see in this recently published research is the use of new and sophisticated techniques, which indicate the evolution of the scam, reflecting the intention of the adversary to make their attacks difficult to detect and classify as malicious,” Katz said. “And, as we can see, it works!”

But you don’t see any of that. You only see emails. At best, they’re annoying, and at worst, they might trick you into giving your credit card details to people who will presumably use that information to buy many things on your behalf. The fact that they’re in your inbox in the first place adds a veneer of legitimacy, and both those emails and the websites they send victims to look better, and therefore might be more persuasive, than some typical phishing scams. They also seem to change depending on the season or time of year. The examples Akamai collected weeks ago have a Halloween theme. The latest phishing emails lead users to a website boasting a “Black Friday Special.”

“The literal holiday banners are unique, so it’s an interesting and new addition,” Edwards said.

An example of a scam website claiming to offer a prize from Dick’s Sporting Goods. It has a picture of a Yeti cooler and reads:

Dick’s Sporting Goods does not give away a Yeti Cooler, even if you fill out a survey.

And it’s all spread out on a seemingly massive scale, which is why most people reading this have probably received not just one of these emails, but an onslaught of them, spanning a period of months.

Or, as one of my colleagues told me when he forwarded me an example of one of the many scam emails he received in his Gmail inbox: “help”.

A Google spokesperson told Recode that the company is aware of the “particularly aggressive” campaign and is taking steps to stop it.

“Our security teams have identified that spammers are using another platform’s infrastructure to create a path for these offensive messages,” they said. “However, even as spammer tactics evolve, Gmail is actively blocking the vast majority of this activity. We are in contact with the other platform vendor to address these vulnerabilities and are working hard, as always, to stay ahead of the attacks.”

Google also recently released a blog post warning users of common scams during the holiday season, and the fake giveaway was at the top of the list.

“Did you get an offer that sounds too good to be true? Think twice before clicking any link,” wrote Nelson Bradley, manager of Google Workspace Trust and Safety.

Google also noted that it blocks 15 billion spam emails every day, which it believes is 99.9% of spam, phishing and malware emails sent to its users. Over the past two weeks, Bradley wrote, there has been a 10% increase in malicious emails. To be honest, I think there are more fake Kohl’s gift emails in my spam filter than in my inbox.

The spokesperson added that Gmail users can use its “report spam” tool, which helps Google better identify and prevent future spam attacks. Beyond that, the usual advice for avoiding phishing still applies. Check the sender’s email address and the URL it links to. Do not give out any personal information, especially your account passwords or credit card numbers. Take a few seconds to think about why Kohl’s would randomly decide to give you Le Creuset baking pans, or Dick’s would give you a Yeti cooler worth hundreds of dollars, just for answering a few basic survey questions. The answer is that they wouldn’t.

You could also spend your Black Friday shopping for real items in real stores (or on their real websites) and giving your credit card details to real employees. Good luck out there; the Google spokesperson said the company expects the scam campaign “to continue at a rapid pace throughout the holiday season.” So it will almost certainly continue after Black Friday is over.

An illustration of a person stealing a giant credit card.

This holiday season, scammers are trying to trick us into revealing our credit card numbers by dangling free Yeti coolers in front of us. Denis Novikov/Getty Images
