Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- by Brittany Day
Phishing attacks are in hyperdrive this holiday season. Cybercriminals know that users are distracted and stressed by holiday shopping and preparations - and are taking advantage of this hectic time to lure employees into unknowingly giving up sensitive credentials which can be used to gain access to confidential business information. Although phishing attacks spike during this festive time each year, holiday phishing risk has been heightened due to the recent increase in remote workers, the proliferation of inherently vulnerable and frequently misconfigured cloud platforms and widespread anxiety surrounding the pandemic.
A successful attack is guaranteed to put a damper on your company’s holiday cheer with severe consequences including financial loss, data theft, reputation damage and significant downtime or worse - permanent business closure. To help keep your holiday season merry, bright, productive and successful, we’ll examine some of the most notorious and dangerous holiday phishing scams, and offer expert advice for staying safe in this season of increased digital risk.
A Quick Review: What is Phishing?
Phishing is a scam in which a malicious actor masquerades as a reputable individual or organization with the aim of tricking targets into unknowingly giving up sensitive information. In an email-borne phishing attack, a threat actor sends fraudulent, deceptive emails from a spoofed or compromised account that are crafted to steal sensitive data or infect victims’ systems with malware.
Phishing has been a favorite attack method among cyber criminals for decades and is currently the number once cyber threat businesses face, accounting for over 90% of all cyberattacks. While phishing emails have traditionally relied on malicious URLs or attachments, modern attacks have evolved to become highly sophisticated, targeted and difficult to detect, often leveraging advanced social engineering techniques to manipulate psychology and stealthy fileless tactics to evade detection.
Recently, there has been a resurgence in phishing attacks due to the proliferation of popular cloud platforms like Office 365 and G Suite to accommodate remote workers’ communication and collaboration needs. Phishers have experienced great success targeting cloud email users, as they have direct access to all users within an organization and the uniformity of cloud platforms provides the ideal environment to test their malicious tactics and then conveniently reuse the same campaign on thousands of different accounts. Credential phishing is ubiquitous in Office 365 and, despite built-in security defenses, Osterman Research reports that 40% of Office 365 users have experienced credential theft.
Top Four Holiday Phishing Scams to Be On The Lookout For
Phishing is a persistent, year-round threat; however, it is of heightened importance that users are on the lookout for phishing attempts during the 2020 holiday season. Here are the four most common phishing scams to beware of this December:
Fraudulent Shipping Notifications
Phishing emails that impersonate shipping notifications are more problematic than ever, as most people now do the majority of their shopping online due to pandemic. As a result of this trend, cyber criminals are now more likely to reach into your inbox with a phishing email disguised as a shipping notification. These malicious emails either contain links to fraudulent websites that harvest credentials or malicious attachments designed to capture keystrokes, install ransomware, or steal sensitive data that can be monetized for personal gain.
Gift Card and Coupon Scams
Along with shipping notification scams, phishers are exploiting the dominance of online shopping this holiday season to steal money and personal information in scams that leverage fraudulent coupons and gift cards. These scams create a sense of urgency by offering a great deal on a popular product for a limited time. Attackers ask for payment through gift cards, directing users to a fraudulent landing page that steals credentials which can be used to make multiple transactions.
Many of us have had a tough year, and could use a safe and relaxing vacation. If you’ve booked a trip online, you are at risk of being targeted by phishers in a travel scam. In many travel scams, a threat actor sends a fraudulent notification email, informing the target that his or her trip has been cancelled due to the pandemic and asking the recipient to fill out a form in order to claim a refund. This form captures personal information which can be used to steal money and launch further attacks. Other travel scams impersonate airlines, offering free tickets if a user either forwards a link secretly leading to a phishing site or shares the malicious link on social media.
Charity fraud involves deceiving victims into believing that they are making donations to legitimate charities, and has become increasingly prevalent due to a widespread eagerness to contribute to pandemic research and relief efforts. In charity fraud scams, attackers pose as a charity organization and send phishing emails asking for donations to a charity that doesn’t exist.
Tips & Advice for Avoiding Holiday Phishing Scams
Awareness and preparation are critical in preventing phishing attacks this holiday season. Here are our top tips for recognizing and avoiding phishing attacks:
- Do not open emails from suspicious email addresses, such as ecommerce emails with generic domains.
- Do not click links leading to external pages. Shipping details should be provided in the email body.
- Confirm the legitimacy of a charity before you consider making a donation.
- Beware of emails that convey a sense of urgency, or offer good deals on popular items.
- Avoid sharing personal information online with someone you don’t know or trust.
- Be on the lookout for spelling and/or grammatical errors, as well as vague greetings and/or signatures. These are all common signs of phishing.
- Educate employees on phishing and other email threats.
- Critically Important: Implement a layered supplementary email security solution - preferably accompanied by managed services - that provides real-time malicious URL protection and impersonation protection. An effective solution should also implement layered email authentication protocols such as SPF, DMARC, DKIM to protect against spoofing and sender fraud. Human behavior is ultimately unpredictable and modern phishing attacks are so sophisticated and deceptive that even the most security-aware users can fall for a scam. Thus, it is crucial to have a solution in place that prevents all malicious mail from being delivered - creating a safeguarded environment around the user and mitigating the risk of human error.
The holiday season coupled with pandemic has resulted in greater phishing risk than ever this December. A phishing attack can have devastating consequences for any organization, and can have a profound negative effect on business success. According to Verizon, data breaches that occur as a result of phishing cost an average of $3.9 million for businesses.
Modern phishing attacks are highly sophisticated, targeted and evasive, but can be prevented with a combination of cybersecurity awareness, smart online behavior and the implementation of a comprehensive, effective email security solution.
Email security is a gift that keeps on giving in terms of safety, success and peace of mind. Let your heart be light this holiday season and heading into 2021 - Learn how to secure email against phishing attacks with reliable, fully-managed supplementary defenses.>
- Effectively Securing Business Email Accounts: Are Employees the Weakest Link?
- Encryption: An Essential Yet Highly Controversial Component of Digital Security
- Business Email Security Redefined: Key Benefits of Securing Your Business Email with Guardian Digital
- 8 Business Email Security Best Practices
- Demystifying Email Encryption: Stop Sender Fraud
- Demystifying Phishing Attacks: How to Protect Yourself Now
- Demystifying Tax Fraud: How to Avoid Falling Victim to Deceptive, Costly Scams This Tax Season
- Coronavirus Phishing Scams are On the Rise - Is Your Business Email at Risk of Infection?
- Dave Wreski: Founder of Guardian Digital – Open Source Cloud Email Security
- New Ransomware Warnings: Is Your Business Safe from This Silent Threat?
- FBI: Existing Cloud Email Protection Inadequate Against Phishing, Ransomware
- Email Risk is Universal: Securing Business Email in Every Industry Sector
- How To Safely Navigate Office 365 While Working Remotely
- Tips and Advice for Staying Safe Online During COVID-19
- Why Your Business Needs Better Email Security
- Defending Against COVID Email Spoofing Attacks with DMARC
- You’ve Got Mail: How To Tell If It’s Fraud
- Open-Source Security Is Opening Eyes
- Think Like A Criminal: How To Write A Phishing Email
- The Four Biggest Email Threats Your Business Faces Today
- Everything On DocuSign Phishing Attacks in 3 Minutes
- Understanding Payload-Less Email Attacks in Under 3 Minutes
- Demystifying Fileless Malware in Less than 3 Minutes
- How to Protect Sensitive Data & Maintain Client Trust in Financial Services Industry
- Exchange Servers Are Vulnerable - Learn How To Secure Your Email Server Now
- Apache SpamAssassin Leads A Growing List of Open-Source Projects Taking Steps to Correct Instances of Racism and White Privilege
- Cyber Risk Is Greater than Ever in the Legal Industry
- Understanding Malicious URL Protection - And Why You Need It to Secure Your Email
- Email Security for SMBs Beyond COVID-19
- Email Risk Is BIG for SMBs - How To Protect Your Business Now
- Email Threats By The Numbers: How Big Is My Risk?
- The Modern Email Threat Landscape: Where Traditional Defenses Fall Short
- Why Email Security Is More Important Than Ever in This 'New Reality'
- The Threat of CEO Fraud Extends Beyond the C-Suite
- Top Email Security Trends Putting Your Business at Risk of Attack
- Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2020
- Managed Services: A Key Element of Effective Email Security that Even Modern Solutions Lack
- How To Secure Your Remote Workforce: Advice from Leading Security Experts
- FBI: The 2020 Presidential Election Is Under Attack by Email Scammers
- AT&T Security Researchers Identify a Correlation between Strong Cybersecurity and Business Success
- The Aftermath of a Cyberattack Pt. 1: Phishing Recovery Basics
- It Pays to be Prepared! Ransomware Preparedness & Recovery Basics
- Breaking Down Fileless Malware: Anatomy of an Attack
- Office 365 Email Is Vulnerable to Attack Without These Critical Supplementary Defenses in Place
- Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- Migrating Business Email: The Hidden Complexities You Need To Know
- How Do SPF, DMARC & DKIM Secure Email Against Sender Fraud?
- Top Email Security Risks Heading into 2021 - How To Set Your Business Up for Safety & Success
- Your Current Approach to Email Security May Not Be Enough
- Ways to Prevent Email Account being compromised in a Breach
- Celebrating 20 Years of Revolutionizing Digital Security
- IBM Closes its $34 Billion Acquisition of Red Hat
- Interview with Security Expert and Author Ira Winkler
- What is Phishing Email? How to prevent Phishing email scams?
- Ways Our Business Email Exceed Your Expectations
- Spear Phishing Protection - Definition & How To Recognize Spear Phishing Email
- What is Whaling (Whaling Phishing)? & How to Prevent Whaling attacks?
- Ransomware Attack Explained - Best Practices For Ransomware Protection
- Business Email Compromise (BEC) - Definition & Prevention From BEC Attacks
- Wire Transfer Scams Involving Real Estate Transactions: How to Prevent Fraud with Effective Email Security
- Guardian Digital and Mautic: A Dynamic Open-Source Duo
- Email Malware - How to Recognize & Prevent Malware Email Attack
- An Open-Source Success Story: Apache SpamAssassin Celebrates 18 Years of Effectively Combating Spam Email
- What is Spam Email - Types & How to Prevent Spam Emails?
- Email Virus - Complete Guide to Email Viruses Plus Best Practices
- What Is A Zero-Day Attack & How To Prevent Zero Day Exploit?
- 2020: A New Decade of Digital Threats - Is Your Business Email Secure?
- Linux: An OS Capable of Effectively Meeting the US Government’s Security Needs Heading into 2020
- Complete Guide on Email Security & Threats Faced by Organizations
- Guardian Digital Keeps its Customers Protected from Intel Design Flaw
- Security Spotlight: Open Source Email Security Solutions
- Top Six Advantages of Open Source Development/Products
- Python and Bash - Contenders for the most used scripting language
- Guardian Digital Outlines Top 4 Benefits of Choosing Cloud
- Unrivaled Protection Against Today’s Most Dangerous Threats
- Guard Your Email Accounts Against Today’s Most Dangerous Threats
- Security Highlights from Defcon 26
- Linux / Open Source FAQs: Common Myths / Misconceptions
- Email Security FAQs Answered by Guardian Digital
- Guardian Digital Mail Systems: Designed to be Secure Without Fail