By Georgia Weidman, Security Architect at Zimperium
This time of year, hackers are making their lists, checking them twice, and going after the most vulnerable targets: unsecured holiday shoppers. If shoppers have been lax in their cybersecurity practices, they will inevitably land on the hackers’ “naughty” list, putting their most valuable possessions at risk: their mobile devices. But if they’ve been “nice” and followed cybersecurity best practices, they might find Santa putting a few extra gifts under the tree this year.
Here are a few of the naughty mobile security practices that could very well put a shopper on a cybercriminal’s target list this year and risk ruining their holidays.
Mobile Security Naughty List
- Falling prey to risky QR codes
QR codes have become a popular option for streamlining our access to anything from restaurant menus to paying for parking. And as the shopping season begins to ramp up, many stores are using QR codes to offer shoppers access to discount coupons. Cybercriminals, however, are also using this trend to distribute malware, steal personal information, and conduct phishing attacks, which can then be leveraged to access confidential data.
We all love a good bargain, and because of that, shoppers often fail to take that second look to make sure they are going to a legitimate URL.
- Clicking malicious links via social media
Picture this: You are doing your daily scroll on Instagram or TikTok, when an ad pops up showing the exact gift you’ve been looking for to buy your mom. Without even thinking, you click on the link (even if it’s spelled wrong, e.g. Amazon.CORN), and boom, you’ve just accidentally downloaded malware onto your device. A cybercriminal can use mobile malware to steal sensitive data from a smartphone or lock a device, before demanding payment to return the data to the user or unlock the device.
- Being fooled by package phishing
Have you ever received a text message or email that your FedEx or UPS package could not be delivered because the address or name was wrong and you just need to “click here” to fix the problem? That’s a prime example of one of the many phishing scams that cybercriminals will be using more than ever this holiday season.
And, sadly, while we all love unexpected presents, the shoppers who do fall prey to these links grant cybercriminals access to their important personal and financial information (e.g. credit card numbers, banking information, and social security numbers).
- Shopping on public Wi-Fi
It’s pretty common for shoppers to connect to the mall’s free public Wi-Fi network as they shop around. Cybercriminals can create open Wi-Fi hotspots disguised as legitimate and free networks, which, if connected to, can compromise devices and install dangerous malware. Bad actors also use this to launch Man-in-the-Middle (MITM) attacks, where attackers interrupt an existing conversation or data transfer to steal login credentials, account details, and credit card numbers. Once an unsuspecting user connects to the free, malicious Wi-Fi hotspot that the attacker created, the bad actor has full visibility into the exchange.
Mobile Security Nice List
On a brighter note, not all shoppers have made bad choices this year, and there are still things you can do to turn your security posture around. Here are a few of the top nice mobile security practices that can keep you on Santa’s security nice list this year.
- Being aware of your digital surroundings
In the midst of holiday shopping, curated ads, and packages gone awry, it is crucial that shoppers always double-check emails, messages, and even phone calls for subtle discrepancies. Shoppers should watch out for things like spelling and grammar errors, typos in the sender address or domain name, unsolicited password resets, or being asked to resubmit payment information when they haven’t requested to. In particular, if they receive a call about fraud from their bank, they should never have to provide their username and password over the phone – their bank should already know their account information.
- Shopping inside a secure digital environment
As mentioned before, cybercriminals love to take advantage of a public Wi-Fi network. Because of this, shoppers should not make financial transactions such as online banking, trading, or shopping when they’re using a public Wi-Fi network. If they must use a public network, shoppers should consider using a VPN (virtual private network) for an added layer of protection.
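The domain-name check from the "Being aware of your digital surroundings" item can be automated for links taken from QR codes, ads, or delivery texts. The following Python sketch is an added example, not code from the author or Zimperium; the allowlist, the confusable-character table, and the function names are assumptions made for illustration, and it flags cases like the Amazon.CORN link mentioned earlier.

```python
from urllib.parse import urlsplit

# Constructed allowlist: sites the shopper actually means to visit (assumption).
TRUSTED = ("amazon.com", "fedex.com")
# Character runs that read as another character at a glance, e.g. "rn" as "m".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def host_of(url):
    """Lowercased hostname of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "//" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return ""

def skeleton(name):
    """Collapse look-alike character runs so visually similar names compare equal."""
    for seq, repl in CONFUSABLES:
        name = name.replace(seq, repl)
    return name

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, trusted_domain_or_None) for a link from a QR code, ad or text."""
    host = host_of(url)
    if not host:
        return ("invalid", None)
    for t in TRUSTED:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    # Simplification: treat the last two labels as the registrable domain
    # (a production check would consult the Public Suffix List).
    site = ".".join(host.split(".")[-2:])
    for t in TRUSTED:
        if skeleton(site) == skeleton(t) or edit_distance(site, t) <= 1:
            return ("lookalike", t)
        if host.startswith(t + ".") or "." + t + "." in host:
            return ("embedded", t)   # trusted name used as a subdomain elsewhere
    return ("unknown", None)
```

An "unknown" verdict only means the domain resembles nothing on the allowlist; it is not a statement that the link is safe.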
All that being said, it’s important for shoppers to implement cybersafe practices this season in order to keep the bad actors far, far away. Taking small initiatives like these can be the key to protecting themselves and their mobile devices, not just during the holidays, but all year long.
About the author
Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, mentor, angel investor, and the author of Penetration Testing: A Hands-On Introduction to Hacking. Her work in the field of smartphone exploitation received a DARPA Cyber Fast Track grant and she has been featured internationally in print and on national television including ABC, BBC, Fox, NBC, and in the PBS documentary Roadtrip Nation: Life Hackers. She has presented and trained around the world including venues such as Black Hat, DEF CON, NSA, Oxford, RSA, and West Point.