FRAUD RESOURCE CENTER
En español | If you chuckle at having a digital moose or a singing Elvis wish you happy holidays, it’s a treat when someone sends you an electronic greeting card. With their sophisticated graphics, music and animation, e-cards can be clever and entertaining.
But unlike old-fashioned paper greeting cards that you can open without worry, digital greetings come with an added risk. Just as your family and friends find them fun and convenient to send, scammers see them as a great opportunity to catch you with your defenses down so that they can rip you off.
Like many email-based phishing scams, greeting card cons use social engineering tactics to trick unsuspecting victims into responding. And not surprisingly, they proliferate around occasions when card exchanges are popular: Valentine’s Day, Mother’s Day, the holiday season.
Here’s how it works: You see an email message with an innocent-sounding subject line, announcing that someone you know — coyly, it doesn’t say who — has sent you an e-card. The email includes a link or attachment and, often, has a message or logo that makes it appear to have come from a familiar greeting-card company such as Hallmark, American Greetings or 123Greetings.
Clicking the link might send you to an adult website, or one that’s booby-trapped with malicious software. Opening the attachment could trigger a malware download direct to your computer. That could enable criminals to gain access to personal information on your device, like the passwords for your online bank and credit card accounts, or to stealthily seize control of your machine and turn it into part of a botnet (a network of compromised machines that spews out spam, steals data or wages denial of service attacks).
- An e-card notification identifies the person who sent you the card in vague terms, such as “friend,” “classmate” or “secret admirer.” A genuine e-card should have the actual sender’s name or email address in the subject line.
- The email message contains spelling, grammar or capitalization errors. Hackers sometimes are careless or aren’t native English speakers.
How to protect yourself from this scam
- Do contact the sender of a card you weren’t expecting, if it is identified as coming from someone you know. Make sure the person actually sent you the greeting.
- Do an online search for a greeting-card company you don’t recognize, before going to its website. Type in the name plus “scam” as a precaution.
- Do look for a verification code. Real e-card notifications include a code you can use to open the card at the company’s website.
- Do hover your cursor over an e-card link to display the true destination. If it shows an IP address or a domain other than that of the supposed card company, it’s probably a scam card.
- Do use anti-malware software and keep it up to date.
- Don’t open an e-card unless it’s identifiably from someone you know.
- Don’t open an executable (.exe) file attached to an email purporting to be from a card company.
- Don’t assume the email is legit because it appears to be from an official-looking account like webmaster@Hallmark.com or firstname.lastname@example.org.
- Don’t assume a familiar name or logo on an email or website means it’s the real thing. Some scammers create sites that mimic those of legit card companies.
- Don’t allow an e-card website access to your contact lists, friend lists or social media, even if it’s a legitimate company.
Published: November 8, 2019