Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- by Brittany Day
Phishing attacks are in hyperdrive this holiday season. Cybercriminals know that users are distracted and stressed by holiday shopping and preparations - and are taking advantage of this hectic time to lure employees into unknowingly giving up sensitive credentials which can be used to gain access to confidential business information. Although phishing attacks spike during this festive time each year, holiday phishing risk has been heightened due to the recent increase in remote workers, the proliferation of inherently vulnerable and frequently misconfigured cloud platforms and widespread anxiety surrounding the pandemic.
A successful attack is guaranteed to put a damper on your company’s holiday cheer with severe consequences including financial loss, data theft, reputation damage and significant downtime or worse - permanent business closure. To help keep your holiday season merry, bright, productive and successful, we’ll examine some of the most notorious and dangerous holiday phishing scams, and offer expert advice for staying safe in this season of increased digital risk.
A Quick Review: What is Phishing?
Phishing is a scam in which a malicious actor masquerades as a reputable individual or organization with the aim of tricking targets into unknowingly giving up sensitive information. In an email-borne phishing attack, a threat actor sends fraudulent, deceptive emails from a spoofed or compromised account that are crafted to steal sensitive data or infect victims’ systems with malware.
Phishing has been a favorite attack method among cyber criminals for decades and is currently the number one cyber threat businesses face, accounting for over 90% of all cyberattacks. While phishing emails have traditionally relied on malicious URLs or attachments, modern attacks have evolved to become highly sophisticated, targeted and difficult to detect, often leveraging advanced social engineering techniques to manipulate psychology and stealthy fileless tactics to evade detection.
Recently, there has been a resurgence in phishing attacks due to the proliferation of popular cloud platforms like Office 365 and G Suite to accommodate remote workers’ communication and collaboration needs. Phishers have experienced great success targeting cloud email users, as they have direct access to all users within an organization and the uniformity of cloud platforms provides the ideal environment to test their malicious tactics and then conveniently reuse the same campaign on thousands of different accounts. Credential phishing is ubiquitous in Office 365 and, despite built-in security defenses, Osterman Research reports that 40% of Office 365 users have experienced credential theft.
Top Four Holiday Phishing Scams to Be On The Lookout For
Phishing is a persistent, year-round threat; however, it is of heightened importance that users are on the lookout for phishing attempts during the 2020 holiday season. Here are the four most common phishing scams to beware of this December:
Fraudulent Shipping Notifications
Phishing emails that impersonate shipping notifications are more problematic than ever, as most people now do the majority of their shopping online due to the pandemic. As a result of this trend, cyber criminals are now more likely to reach into your inbox with a phishing email disguised as a shipping notification. These malicious emails either contain links to fraudulent websites that harvest credentials or malicious attachments designed to capture keystrokes, install ransomware, or steal sensitive data that can be monetized for personal gain.
Gift Card and Coupon Scams
Along with shipping notification scams, phishers are exploiting the dominance of online shopping this holiday season to steal money and personal information in scams that leverage fraudulent coupons and gift cards. These scams create a sense of urgency by offering a great deal on a popular product for a limited time. Attackers ask for payment through gift cards, directing users to a fraudulent landing page that steals credentials which can be used to make multiple transactions.
Travel Scams
Many of us have had a tough year, and could use a safe and relaxing vacation. If you’ve booked a trip online, you are at risk of being targeted by phishers in a travel scam. In many travel scams, a threat actor sends a fraudulent notification email, informing the target that his or her trip has been cancelled due to the pandemic and asking the recipient to fill out a form in order to claim a refund. This form captures personal information which can be used to steal money and launch further attacks. Other travel scams impersonate airlines, offering free tickets if a user either forwards a link secretly leading to a phishing site or shares the malicious link on social media.
Charity Fraud
Charity fraud involves deceiving victims into believing that they are making donations to legitimate charities, and has become increasingly prevalent due to a widespread eagerness to contribute to pandemic research and relief efforts. In charity fraud scams, attackers pose as a charity organization and send phishing emails asking for donations to a charity that doesn’t exist.
Tips & Advice for Avoiding Holiday Phishing Scams
Awareness and preparation are critical in preventing phishing attacks this holiday season. Here are our top tips for recognizing and avoiding phishing attacks:
- Do not open emails from suspicious email addresses, such as ecommerce emails with generic domains.
- Do not click links leading to external pages. Shipping details should be provided in the email body.
- Confirm the legitimacy of a charity before you consider making a donation.
- Beware of emails that convey a sense of urgency, or offer good deals on popular items.
- Avoid sharing personal information online with someone you don’t know or trust.
- Be on the lookout for spelling and/or grammatical errors, as well as vague greetings and/or signatures. These are all common signs of phishing.
- Educate employees on phishing and other email threats.
- Critically Important: Implement a layered supplementary email security solution - preferably accompanied by managed services - that provides real-time malicious URL protection and impersonation protection. An effective solution should also implement layered email authentication protocols such as SPF, DMARC, DKIM to protect against spoofing and sender fraud. Human behavior is ultimately unpredictable and modern phishing attacks are so sophisticated and deceptive that even the most security-aware users can fall for a scam. Thus, it is crucial to have a solution in place that prevents all malicious mail from being delivered - creating a safeguarded environment around the user and mitigating the risk of human error.
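Several of the indicators in the list above can be checked mechanically. The following is an added example, not code from the original article or from any product it mentions: a small triage function that reads the SPF/DKIM/DMARC verdicts stamped by the receiving server and flags urgency wording, vague greetings and links pointing outside the sender's domain. The sample message, the domains, the trusted server name `mx.corp.example` and the word lists are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (all names and domains are made up).
SAMPLE = """\
From: "Parcel Delivery" <tracking@parcel-updates.example>
Subject: Urgent: your package could not be delivered
Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html

<p>Dear customer,</p>
<p>Act now: <a href="http://login.track-parcel.example/verify">View shipment</a></p>
"""

URGENCY = re.compile(r"\b(urgent|act now|immediately|limited time|final notice)\b", re.I)
VAGUE = re.compile(r"\bdear (customer|user|client|sir|madam)\b", re.I)
HREF = re.compile(r"""href=["']https?://([^/"':]+)""", re.I)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_verdicts(msg, trusted_id):
    """Read SPF/DKIM/DMARC verdicts only from headers stamped by our own MX;
    a header carrying any other authserv-id may have been forged by the sender."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        if authserv_id.strip().lower() == trusted_id:
            verdicts.update((k.lower(), v.lower()) for k, v in AUTH.findall(rest))
    return verdicts

def triage(raw, trusted_id="mx.corp.example"):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    verdicts = auth_verdicts(msg, trusted_id)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    if URGENCY.search(f"{msg.get('Subject', '')} {body}"):
        findings.append("urgency wording")
    if VAGUE.search(body):
        findings.append("vague greeting")
    for host in HREF.findall(body):
        if host.lower() != sender_domain and not host.lower().endswith("." + sender_domain):
            findings.append(f"external link: {host.lower()}")
    return findings
```

Calling `triage(SAMPLE)` reports all six indicators for the constructed shipping notice. Heuristics like these support, but do not replace, the filtering done at the mail gateway.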
The holiday season coupled with the pandemic has resulted in greater phishing risk than ever this December. A phishing attack can have devastating consequences for any organization, and can have a profound negative effect on business success. According to Verizon, data breaches that occur as a result of phishing cost an average of $3.9 million for businesses.
Modern phishing attacks are highly sophisticated, targeted and evasive, but can be prevented with a combination of cybersecurity awareness, smart online behavior and the implementation of a comprehensive, effective email security solution.
Email security is a gift that keeps on giving in terms of safety, success and peace of mind. Let your heart be light this holiday season and heading into 2021 - Learn how to secure email against phishing attacks with reliable, fully-managed supplementary defenses.