Two phishing emails have shown up in my inbox in the last two days, masquerading as orders from popular American retailers: The Home Depot (a home-improvement store chain) and Costco (a warehouse club). Both serve as timely reminders that, as Americans recover from their Thanksgiving celebrations and the online search for holiday bargains begins, criminals are also active online, seeking to exploit the seasonal surge in shopping activity, from Black Friday to Cyber Monday, and beyond. Hopefully, it goes without saying that you should delete messages like this right away (if you really are expecting notification about an order from a retailer, confirm it with a phone call, or by typing the company URL into your browser and navigating to the order tracking page).

Here are the bodies of two of the emails that I received. Note that both wish the recipient Happy Thanksgiving Day. The first one, made to look like it came from The Home Depot, misspells “sign up” in the upper-right corner:

Fake Home Depot Email

The second email, supposedly from Costco, says my personal data and that of the recipient of a store order "coinicide", which really doesn't make much sense when you think about it:

Fake Costco Email

The computers involved in sending the phishes and hosting the faked web sites vary, but include computers in the United States, South Africa and France. With such a wide and seemingly random geographic spread, it is possible the criminals behind these messages were using compromised email accounts to send them and exploiting unpatched, vulnerable web sites to host their pages (for a detailed look at how compromised servers are used to send malicious spam, see Operation Windigo).

The emails themselves give careful readers several clues that they are less than legitimate. The order notification is written vaguely, telling the recipient nothing specific about the order, not even the location of their nearest store. The messages also use phrasing and grammar that are technically correct but do not sound like American English, another clue to their illegitimacy.
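The clues just listed can be turned into a simple triage check. The following Python script is an added example, not code from the original post or from ESET: it extracts the links from an HTML email body, flags links whose domain does not belong to the retailer the message claims to be from, and also flags a missing order number and a generic greeting. The retailer allow-list (BRAND_DOMAINS) and the two sample messages are constructed for this example; a real mail filter would use a fuller allow-list and the Public Suffix List instead of the two-label domain shortcut used here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for this example: the retailer names the scam emails
# claim, mapped to the registrable domains those retailers actually use.
BRAND_DOMAINS = {
    "home depot": {"homedepot.com"},
    "costco": {"costco.com"},
}


class LinkExtractor(HTMLParser):
    """Collects every href from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(url):
    # Simplification: last two labels of the hostname. Adequate for .com
    # brands; a production filter would consult the Public Suffix List.
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def claimed_brand(html):
    """Return the first allow-listed retailer name mentioned in the body, if any."""
    low = html.lower()
    for brand in BRAND_DOMAINS:
        if brand in low:
            return brand
    return None


# An order reference such as "order #W123456789" or "order number: 12345678".
ORDER_NUMBER = re.compile(r"\border\s*(?:#|number|no\.)\s*:?\s*[A-Z0-9-]{6,}", re.I)
# A greeting that addresses nobody in particular.
GENERIC_GREETING = re.compile(r"\bdear\s+(?:customer|user|client|member|valued)\b", re.I)


def assess(html):
    """Return a list of human-readable red flags; an empty list means none fired."""
    findings = []
    brand = claimed_brand(html)
    parser = LinkExtractor()
    parser.feed(html)
    if brand:
        foreign = sorted({registrable_domain(h) for h in parser.hrefs
                          if h.lower().startswith(("http://", "https://"))
                          and registrable_domain(h) not in BRAND_DOMAINS[brand]})
        if foreign:
            findings.append(f"claims to be {brand} but links to: {', '.join(foreign)}")
    if not ORDER_NUMBER.search(html):
        findings.append("no order number given")
    if GENERIC_GREETING.search(html):
        findings.append("generic greeting instead of recipient's name")
    return findings


# Constructed samples, modelled on the kind of message described above.
PHISH_SAMPLE = (
    "<p>Happy Thanksgiving Day!</p>"
    "<p>Dear Customer, your order from The Home Depot is ready for pickup. "
    '<a href="http://compromised-site.invalid/track.php">View your order</a></p>'
)
LEGIT_SAMPLE = (
    "<p>Hi Jane, your The Home Depot order #W123456789 has shipped. "
    '<a href="https://www.homedepot.com/order/track">Track it</a></p>'
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess(sample) or ["no red flags"])
```

Run as-is, the phishing sample trips all three checks and the legitimate sample trips none. The link-domain check is the one worth keeping even in a crude filter: it is the mechanical version of the advice above to type the retailer's address yourself rather than follow the link in the message.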

What to do

If you were taken in by one of these scams and entered a credit card number or other personal details to confirm the order, contact your bank or credit card issuer immediately and let them know you were the victim of a phishing scheme. They can monitor your account for fraudulent activity and, if necessary, issue a new card.

If you received an email like one of the above and did not respond to it or click on anything in it, all you need to do is delete the message.

Shopping safe online

These two emails remind us that cyber criminals love to exploit timely topics, including seasonal holidays. For more information about shopping safely online during the holiday season, please see the following We Live Security articles:

And, as always, read We Live Security for current holiday computer security tips and tricks.