
How to keep an eye out for cyber scams during this holiday shopping season


Today is Black Friday. And many Americans are out looking for a good deal. As always, it's wise to keep an eye out for scams. But are companies doing enough to protect you from being tricked? Here's NPR's Jenna McLaughlin.

JENNA MCLAUGHLIN, BYLINE: Cybercriminals love the holiday season. The internet is flooded with ads clamoring for shoppers' attention, and that makes it easier to slip in a scam. At this point, you probably know to watch out for phishing emails, but it might surprise you to know that there's a tool that's been around a long time that could help solve this problem. It's called DMARC - or the Domain Message Authentication, Reporting and Conformance Protocol - whew. It's actually pretty simple. It basically helps prove the sender is who they say they are.

ROBERT HOLMES: DMARC seeks to bring trust and confidence to the visible from address of an email so that when you receive an email from an address at or, you can say with absolute certainty it definitely came from them.

MCLAUGHLIN: Robert Holmes is with the cybersecurity firm Proofpoint. According to his new research, more than half of the top 50 online retailers in the United States - they're not fully compliant with DMARC. Experts are predicting record-breaking holiday shopping this year. That makes for a lot of potential for fraud. Holmes helps explain why with a timely analogy.

HOLMES: The way that they look at this is Gmail on Black Friday - it's like kind of JFK Airport over Thanksgiving. So imagine you're at JFK Airport on one of these days, with lots of people coming and going, and imagine a world where that airport didn't check IDs. Lots of nefarious activity would happen.

MCLAUGHLIN: But there's good news. Early next year, Google and Yahoo will be requiring companies to use DMARC authentication. Otherwise, their messages will be more likely to get flagged as spam or blocked entirely. Holmes suggests it's important that companies take on a big part of the burden of securing their customers rather than train everyone to be cybersecurity experts just to buy Christmas gifts.

HOLMES: So the thing about good security - it should be invisible to Joe Public.

MCLAUGHLIN: Even so, that might not be the end of consumer problems.

HOLMES: I think the consequences of getting this wrong are severe. Legitimate email gets blocked.

MCLAUGHLIN: That's because big companies have a big supply chain. They give third parties permission to send emails on their behalf. You know those automated messages you get when your flight time changes or a payment is due? Those services need to be secured, too, or they might get blocked. If retailers don't take those kinds of things into consideration, you might miss a scam, but you could also miss a flight.

Jenna McLaughlin, NPR News.

(SOUNDBITE OF MUSIC) Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Jenna McLaughlin
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.