Holiday shoppers need to be on high alert for spam-scams, a new report says.

Malicious email disguised as delivery notifications or online purchase invoices are particularly effective during the holiday season when shoppers are active, says F-Secure, a Helsinki-based cybersecurity firm.

"The kind of spam that criminals use doesn't seem so spammy to a lot of people this time of year,” said F-Secures Behavioral Science analyst Adam Sheehan in a statement.


“The failed delivery notification scam works because it plays on our trust of huge brands that we deal with on a nearly constant basis,” F-Secure said.

In a way, online criminals are also amateur behavioral scientists. “They know we’re inclined to click first before we ask questions,” the cybersecurity firm said.

Tests conducted by F-Secure that simulated Black Friday and Cyber Monday phishing emails saw 39 percent more people click on these than at other times of the year. Phishing is when an attacker pretends to be a reputable organization, company or person.

F-Secure's research cites spam campaigns -- sent out to a massive number of email addresses -- as the most common method for cybercriminals to distribute malware in 2018, accounting for 9 out of every 10 infection attempts throughout the year.

A whopping 69 percent of spam campaigns tried to trick users into visiting malicious websites and download a malware-laden file or other malware that results in an infection, F-Secure said. Malicious attachments were used in the remaining 31 percent, F-Secure added.

Other data points:

  • Banking malware is the most frequently seen malware delivered through spam.
  • The majority of spam campaigns seen by F-Secure target users in the US, EU, Canada, and Japan.

Retailers trying to get better at spotting fraudsters

Shopper-targeted spam “heats up right before the holidays as cybercriminals count on consumers being in a hurry,” said Ryan Wilk, VP of Customer Success for Mastercard-owned NuData Security in a statement provided to Fox News.

Their goal is to steal consumer credit card or account information. “They [criminals] use this information to take over accounts or use the credit cards to steal goods and services online,” Wilk said.


But retailers are fighting back. Merchants are now becoming more aggressive at trying to separate real customers from fraudsters, Wilk added.

Using behavioral analysis and a technique known as passive biometrics – which analyzes customers patterns and habits – retailers can up their game, according to Wilk.

“Merchants…are able to determine if the legitimate user is accessing and transacting on the account or if it is a cybercriminal at work,” Wilk said.

So, what should consumers do? "Keep your system updated and run security software at all times. And train yourself to not click on links in emails—especially emails related to shipping," F-Secure said.