
Distracted by holiday stress? E-mail hackers are banking on it

Philippe Wojazer/REUTERS

Citing fake messages that appear to come from Amazon, cyber-security specialists are warning shoppers to be on guard during the stressful holiday season against disguised e-mails from digital scam artists that put their bank accounts at risk.

These “phishing” messages can look remarkably legitimate, aping the logos, language, and Web addresses of e-mails from shipping companies or shopping websites. But clicking on the wrong link can give hackers an opening to steal bank-account information or hold computers hostage until they collect a ransom.

Earlier this week, researchers from IBM identified a phishing campaign that appeared to come from an actual Amazon.com corporate e-mail address, with a subject line reading: “Your Amazon.com order has dispatched,” along with a fake tracking number.


The messages contained an attachment that downloaded a program called Locky, a type of ransomware that renders someone’s digital files inaccessible until they cough up a payment, typically several hundred dollars’ worth of the cryptocurrency bitcoin, said Caleb Barlow, a vice president with Cambridge’s IBM security division.

“The quality of these is really high. You’ve got to be paying attention to not fall victim,” he said.

E-mail ripoffs are nothing new. But Barlow said their growing sophistication reflects the highly developed underground economies that have sprouted up around cybercrime.

“What we’re dealing with here is not a bored teenager,” Barlow said. “We’re talking about organized crime on an epic scale . . . and they’re structured like highly legitimate businesses.”

Like any other business, an e-mail scammer often exploits moments of high stress or cultural distraction, such as elections, major sporting events, or the holidays, when someone’s normal skepticism may be compromised.

Amazon declined to comment, but the company posts detailed Web pages to help consumers identify fake e-mails and to report suspect messages.


One of those tips is pretty basic: If an e-mail seems questionable, don’t click on anything. Just go directly to the company’s website instead.

IBM also recommends using credit cards instead of debit cards when possible for online shopping. Because the credit card issuer is acting as a middleman, rather than directly tapping your bank balance, it can be faster and easier to get bogus charges wiped from the record.

Keeping e-mail accounts segregated can also be a good approach. If you set up one e-mail account dedicated to online shopping, and keep it separate from accounts that have banking and other sensitive information, it’s much tougher for a hacker to turn a shopping scam into a broader data heist. Barlow also suggests never using your work e-mail address for shopping or similar transactions.

Curt Woodward can be reached at curt.woodward@globe.com. Follow him on Twitter @curtwoodward.