‘Tis the holiday season!
It’s time for presents, family, and sadly, new holiday phishing scams.
It was recently noted that phishing attacks form the spearhead of attacks on organizations. Key to blunting their effectiveness is educating your team about new types of fraud.
As the holidays approach and to-do lists lengthen, it’s important to remember that cybercriminals never take the holidays off. And, neither should your cybersecurity.
Keep your business and loved ones safe by spreading the word on the latest phishing scams this holiday season.
Holiday-Themed Phishing
Attackers know how stressed you can be when preparing for the holidays, shipping presents, and trying to finish up work before vacations begin.
In 2020, 30% of US consumers received an email or SMS attack featuring amazing Black Friday deals on video game platforms, gift cards, and too-good-to-be-true offers. As a result, thousands of people fell victim to data theft.
Another common holiday phishing tactic warns about delayed, missing, or withheld packages from FedEx, UPS, and other major shipping hubs.
These attacks prey upon both stressed consumers and businesses that see a surge in shipping needs during the peak holiday season.
They go after cryptocurrency, credit card numbers, or credentials, or simply drop malware on the local machine.
Because these ploys primarily target consumers, educating your workers reduces the chance of your team and their families clicking on bad links on a less-than-secure home network.
Once an attacker gains access to an employee’s home network, they begin opening a path to other connected systems – even to your own business.
The rise in remote work increases the danger of consumer-oriented attacks, and serves as a reminder to help educate those around you.
007 & TSA Phishing
Of course, not all phishing attacks revolve around the holidays.
Malicious ads sometimes pop up offering free access to current events, such as concerts or popular movies.
One recent example occurred during the release of the latest 007 – James Bond movie, when victims were offered “free” viewing of the movie. The catch? They just needed to enter their credit card number to watch.
You can probably guess what happened after that.
Easy access to any hot trend should always be considered suspicious, but the same applies to offers that save time. This year has witnessed a surge in fake “TSA PreCheck Renewal” phishing attacks, which offer to help skip the line at the airport.
While this scam typically limits the damage to stealing $140 from victims (and possibly credit card numbers), this attack could easily be used to deliver malware as well.
Phishing Scams & Holiday Phone Fraud
Thanks to advanced email screening, you can detect and block many emails containing malicious code, or links to bad websites. As a result, some attackers are using the phone.
The phishing scam works like this:
First, attackers send a phishing email about a fake Amazon reset, fake orders for expensive items, or alerts for $5,000 Zelle transfers.
The phishing email then provides a phone number you can call to resolve the issue, instead of a malicious link or file. This lets them bypass any detection software you might have set up.
Fraudsters then try to trick the user, either into divulging information directly over the phone or into manually typing in a website address.
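The callback emails described above carry no link or file for a scanner to inspect, but the pattern itself (a phone number and a request to call, paired with an account or payment lure) can still be scored by a mail filter. The following Python heuristic is an added example, not part of the original article; the keyword lists, function names, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://|www\.", re.I)
# North American formats: 800-555-0100, (800) 555-0100, +1 800.555.0100
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALL_RE = re.compile(r"\b(call|contact|phone|dial)\b", re.I)
# Lures named in the article; the exact word list is an assumption.
LURE_RE = re.compile(r"\b(amazon|zelle|order|transfer|password reset)\b", re.I)
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*")

# Constructed sample messages (fictional numbers and domains).
CALLBACK = ("Subject: Your Zelle transfer of $5,000 is processing\n\n"
            "If you did not authorize this, call 800-555-0147 to cancel.\n")
SHIPPED = ("Subject: Your order has shipped\n\n"
           "Track it at https://shop.example.test/track or call 800-555-0199.\n")
LUNCH = "Subject: Lunch Friday\n\nCall me at 412-555-0123 when you are free.\n"


def body_text(msg):
    """Return the decoded text parts and whether any attachment exists."""
    texts, has_attachment = [], False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts), has_attachment


def callback_phish_signals(raw_message):
    """Score one RFC 5322 message for the phone-callback pattern."""
    msg = message_from_string(raw_message)
    text, has_attachment = body_text(msg)
    text = f"{msg.get('Subject', '')}\n{text}"
    signals = {
        "phone_number": bool(PHONE_RE.search(text)),
        "call_to_action": bool(CALL_RE.search(text)),
        "lure_term": bool(LURE_RE.search(text)),
        "dollar_amount": bool(AMOUNT_RE.search(text)),
        "no_link_or_file": not URL_RE.search(text) and not has_attachment,
    }
    # Defining trait: a number to call instead of a link or attachment.
    core = all(signals[k] for k in ("phone_number", "call_to_action", "no_link_or_file"))
    signals["flag"] = core and (signals["lure_term"] or signals["dollar_amount"])
    return signals
```

A flag is best used to quarantine the message or add a warning banner for review; lures outside the keyword list will not be caught.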
The Zelle attack uses a more subtle technique, which seems more legitimate. Unfortunately, it can also be more damaging.
Victims call a number and reach someone pretending to be a bank’s customer service agent. This “agent” then asks the victim to confirm their online banking username, in order to verify their identity.
The fraudster explains that this verification will be completed once the victim receives an SMS (text message) security code and repeats it back. This sounds like a familiar and legitimate process.
However, on the other end, the fraudsters have opened the bank’s website, clicked “forgot my password” and selected SMS confirmation. Unaware, the victim gives up the code they receive, and provides the fraudster with the ability to change the password and drain the account.
These types of attacks aren’t usually detectable using anti-phishing software, making education and awareness your best defense.
Educating your team helps them stay safer in their personal lives, and adds a layer of protection to your business as well.
Bringing it Together
As the holiday season approaches, schedules fill up, businesses (and households) become hectic, and people get stressed. It creates the perfect environment for criminals to strike.
While attackers are always evolving their methods, you still need to prepare against those that are known.
To protect against phishing attacks, start with the basics, by using email filtering and proper email server settings.
Then, educate those around you by spreading the word about the latest attacks.
And, minimize the damage by using multi-factor authentication, network segmentation, regular patching, and monitoring your systems.
Make sure this holiday season is about enjoying your family and friends – and not dealing with a cyberattack.
Need a little help preparing your team? Complete the form below or call us at 412-349-6680 and we’ll provide a free consultation about what options work best for your needs.