As the holiday season is now upon us, everyone is starting to get in the spirit. Decorations are going up, shopping malls are getting busy and gifts are being wrapped. However, unfortunately, the holidays have a tendency to bring out the worst in some people – especially cybercriminals who prey on others for their own gain.
Every year, around this time, reports of hacks and scams skyrocket. Cybercrooks do whatever they can to take advantage of the chaotic holiday shopping environment in order to trick and rob unsuspecting victims. This is easy in a busy online environment that is especially hectic during the holiday season.
Inboxes fill up more quickly than usual with Christmas lists and last-minute RSVPs to Christmas dinner. Not to mention the massive amount of order confirmations, online receipts and special holiday promos that come through from retailers. Because of this, our guard is down and we may not be as vigilant about identifying suspicious-looking emails. For cybercriminals, this presents an amazing opportunity to deploy phishing scams and play the cyber-Grinch.
Phishing is a form of social engineering that attempts to steal sensitive information. An attacker’s goal is to compromise user systems to obtain usernames, passwords, and/or other account and financial data. Phishing attacks are most commonly deployed through malicious email communications.
The attacker sends legitimate-looking emails to people within an organization. The email usually pretends to be from someone trustworthy, like someone from within the institution, a bank, a shipping company, a credit card company, an airline, or some other site for which a user may have login credentials. The email includes a link to an “official” website that is actually a fake site operated by the attacker.
Once the user visits the fake site, they may be asked overtly to enter account information such as usernames, passwords, credit card details, social security or bank account numbers. The victim may also be exposed to malware by visiting the fake site. Taking advantage of a variety of vulnerabilities in the browser, the attacker may be able to install a Trojan Horse on the user’s computer.
If done correctly, the attack can capture sensitive information without the victim even knowing that they have been compromised. In some cases, malware can also be embedded in an email attachment, so when users open a bogus attachment, their system encounters the malware.
Unfortunately, phishing scams are far from the only cyber threat out there causing trouble for businesses and consumers alike during the holiday season. However, phishing does tend to be the most prevalent. To stay on high alert, let’s outline the top six phishing scams that consumers and businesses are facing this holiday season:
The fake receipt or invoice is one of the most popular kinds of phishing scams because it has the ability to sneak malware past IT security measures. Because the malicious code is hidden in an email attachment labeled as a receipt or invoice, the standard phishing traps don’t catch the scam. This is especially useful during the holidays when so much holiday shopping takes place online. Usually, a random invoice from Amazon or The Gap would register as suspicious, but with the holidays around the corner, many would open the attachment without thinking twice.
The fake shipping notification scam deploys a strategy very similar to the fake receipt scam. Much like bogus receipts and invoices, phishing scam artists create phony shipping notifications or updates to send to busy holiday shoppers. However, this strategy is often more effective, because it doesn’t create a fake purchase, but instead provokes consumer worry by stating deliveries are delayed or canceled. This can understandably make consumers worry that holiday gifts they paid for will be late or won’t come at all. Therefore, phishing scammers take advantage of the fact that a phony UPS delay notice will more than likely get a click during the holiday season.
Phony holiday deals target the frugal saver in all of us. With the rush of the holiday season, email users likely see dozens of holiday promo deals arriving in their inbox every week. Links to printable coupons, discount codes and special offers cram the digital information highway. However, during the holiday season, it’s critical to skim through these messages with a keener eye than usual. While there may be some great deals to be scored, phishing scammers also send out emails with malicious links to phony deals and discounts during the holiday hustle and bustle. When users click these malicious links, they’ll soon find out they’re getting no deal and may have lost money or infected their device in the process.
Embedded links are one of the most classic phishing scam styles there is. When clicked, malicious links embedded into email messages can download malware to a system or redirect victims to an infected website. We have a rule of thumb for combatting this. Whenever looking at an email with an embedded link, take the time to run your mouse over the hyperlink – no matter how legitimate it may look. While the hyperlink itself may look legitimate, the destination could be malware central. Users may think following the link will take them someplace familiar, but in reality, they’re being directed to malicious, hacker-controlled territory.
It’s no secret that keeping tabs on your bank account is a good idea – especially in an increasingly digital marketplace. However, this is especially critical during the holiday season. Trying to keep track of countless holiday shopping purchases can be an uphill battle, but keeping a close eye on changes to your account balance could help you identify fraudulent purchases that aren’t yours. Having payment card data stolen from the internet is easier than ever – all it takes is one website with weak security protocols. Once your payment card details are in the hands of hackers, you’ll be footing the bill for someone else’s shopping list.
Finally, fake customer incentive surveys are becoming an increasingly popular method for phishing hackers. Many companies use online surveys offering cash or gift cards as a reward for completing them. However, scam artists have started using phony ones to phish for personal information from unsuspecting victims. Users can respond by staying vigilant and paying attention to the nature of the survey. The difference between a legitimate offer and a phishing attempt is all in the survey questions. If a survey asks for personal or financial information, it’s extremely likely that the survey is a cybercriminal’s way of stealing your data.
Lessons for Business Owners: Strategies for Holiday Cyber Protection
While most of these phishing scams are targeted at individual consumers, it’s not unlikely for these scams to show up in employee inboxes. If an employee happens to fall victim to one of these attacks on the company network, an infection can be triggered which can be disastrous for businesses. Once the infection is triggered, hackers can navigate the business network to steal personal and sensitive company data.
So, how is your business supposed to combat this threat? The key is to have open and transparent conversations with your employees. Make sure they’re aware of the risks and work together to develop concrete strategies for protection. If and when employees identify suspicious emails, make sure they know the process – should they report it? Who should they report it to? Should it be deleted immediately or should they have an IT employee review it first? Making sure your team knows what to look for and how to respond is half the battle.
Furthermore, talk to your IT department or provider to ensure that you have reliable and strategic network security measures in place and that your firewall, antivirus, and antimalware programs are all up to date with the latest patches. Making sure your security strategy is operating correctly will help you avoid the holiday humbug scam artists.
Wondering if your IT security strategy is up to snuff? Thinking about training your employees with concrete strategies for vigilance? Reach out to a local IT firm for guidance and consultation. The holiday season is busy and cybercriminals never take vacation – sometimes checking in with professionals makes all the difference.