Q&A: Fake Web Stores Are on the Rise. How Can You Spot the Scam This Cyber Monday?

It’s a plausible scenario this time of year. 

You’re browsing the internet and trying to find the best deal for that expensive item on a loved one’s holiday wish list when, boom, it flashes across your screen and you suddenly think, “Oh, I can afford those Ray-Bans they wanted!”

Some advice from a University of Virginia professor before clicking any further: “If it’s too good to be true, it is too good to be true.” 

Chris Maurer, a cybersecurity expert at the McIntire School of Commerce, practices what he preaches when it comes to vigilance while shopping online.

“If I know I want a specific product,” Maurer said, “and I’ve been searching for it, I don’t go with the outlier, low-priced product because chances are it’s not a real product listing.”

A recent report from the threat intelligence and research team within Human, a reputable cybersecurity company based out of New York, discovered hackers have created more than 100 fake web stores, leading to millions of dollars in losses for consumers. 

Another report from Stanford University found 84% of people targeted by a fake shopping website engaged with it and 47% of those targets lost money because of their actions. 

It’s all enough warning to be careful this holiday season. With “Cyber Monday” looming on Dec. 2, UVA Today caught up with Maurer to learn more about these scams and help e-shoppers protect themselves. 

Q. What does this kind of scam tell you about the continued rise of online hackers?

Portrait of Chris Maurer

Chris Maurer has extensive experience in cybersecurity-related fields, including risk management, vulnerability assessment, security awareness and training, business continuity planning and IT governance. (Contributed photo)

A. The level of sophistication has certainly increased to some extent. This is a twist on the traditional scam. Anyone can go and create a Shopify web page and list these products and try to get people to submit credit card information and just steal it – that’s easy. It’s hard, though, to actually get the traffic to your site when you’re competing against known companies and brands. 

With this particular type of scam, the level of sophistication has ramped up to make it even harder to spot those fakes and reel a lot more customers in. 

Q. What’s different about this particular type of scam?

A. If an attacker can identify a vulnerability on a website, they can make the Google search result look like it came from a legitimate website. 

So, in Google Shopping, you type in a specific product, and they’ll tell you all the different retailers and their prices.  If an attacker has exploited a real site, it would show that, say, Amazon is selling this product for 40% less than everyone else. Well, I’m going to go and click that because it looks like Google has already sifted through and filtered out the scam. 

When clicking that link, before loading the legitimate website, there can be an automatic redirect to a fake website. From the consumer perspective, unless you’re paying very close attention to the URL, you might not know that you were just redirected. 

That’ll trick a lot of people.

Q. What’s an easy way to spot a fake web store?

A. A lot of these big-name consumer brands, they do not allow any retailer to sell their product below a certain price. So, when you have an outlier price that is so different from every other retailer out there, I would say 98% of the time, it’s not legitimate, simply because of contractual obligations that retailers could never sell that product without losing their right to sell Ray-Bans or Milwaukee Tools, or whatever other name brand. 

If you sense fraud at all, there’s websites out there like ScamAdvisor.com that reports and aggregates different scams. 

Q. Social media advertisements are becoming more and more prevalent. How do scam ads get into your social media algorithm?

A. Social media companies are a bit coy and protective of their algorithms. And honestly, to some extent, they don’t even know how they work because it’s based on AI and constant learning of what gets people to click on different things. 

Paid advertising, though, plays a big role. Any company can go to Meta and Instagram or X and pay for ad space in there to target certain blocks of consumers. If they can gain some traction through influencers or other things that will post on their behalf, that can boost their status, and their ads may be shown before other reputable ads.

Q. How is that regulated?

A. There’s not a whole lot of controls enforced by the social media companies to immediately screen out those fraudulent or scam-based sites. 

If enough people report it as fraudulent, then they’ll take it down. But it’s very reactionary. As soon as you put it into the algorithm, the algorithm will spin and show it to a lot of people, and only until enough people report it would it be taken down.

Q. Do hackers focus on “selling” particular items over others? 

A. They tend to do what’s trending. Anecdotally, I tend to see a lot of sunglasses, like Ray-Bans at 70% to 80% off. 

I’ve also seen tools, electronics, cell phones. These are types of things that are everyday purchases, and things that people might be searching for exact versions of, or exact models of, and are things that people tend to price-compare. 

‘Inside UVA’ A Podcast Hosted by Jim Ryan
‘Inside UVA’ A Podcast Hosted by Jim Ryan

Q. Any other hacker trends to watch this holiday shopping season?

A. Be cautious post-purchase. 

Everyone knows that people buy things on Black Friday and Cyber Monday. People are going to be waiting for shipping notifications in the week after, so attackers can send spoofed messages hoping that you will think it is a legitimate update to a purchase you just made. 

With these messages, the attackers may trick you into believing there is a delay with processing your order, such that you click their link to input your username/password into a fake site or pay an additional fee for expedited shipping. So just be wary about the nature of those texts. 

If you’re concerned about whether there is an issue with shipping or you have to pay more than you originally did, don’t click the link in the text or in the email. Go back to the original website, log back into your account and check your order history. 

If there really is a problem, it would be available when you log in through the legitimate channel that you actually bought it from. 

Media Contact

Andrew Ramspacher

University News Associate University Communications