Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams

Phishing attacks are in hyperdrive this holiday season. Cybercriminals know that users are distracted and stressed by holiday shopping and preparations - and are taking advantage of this hectic time to lure employees into unknowingly giving up sensitive credentials which can be used to gain access to confidential business information. Although phishing attacks spike during this festive time each year, holiday phishing risk has been heightened due to the recent increase in remote workers, the proliferation of inherently vulnerable and frequently misconfigured cloud platforms and widespread anxiety surrounding the pandemic.

A successful attack is guaranteed to put a damper on your company’s holiday cheer with severe consequences including financial loss, data theft, reputation damage and significant downtime or worse - permanent business closure. To help keep your holiday season merry, bright, productive and successful, we’ll examine some of the most notorious and dangerous holiday phishing scams, and offer expert advice for staying safe in this season of increased digital risk.

A Quick Review: What is Phishing?

Phishing is a scam in which a malicious actor masquerades as a reputable individual or organization with the aim of tricking targets into unknowingly giving up sensitive information. In an email-borne phishing attack, a threat actor sends fraudulent, deceptive emails from a spoofed or compromised account that are crafted to steal sensitive data or infect victims’ systems with malware. 

Phishing has been a favorite attack method among cyber criminals for decades and is currently the number once cyber threat businesses face, accounting for over 90% of all cyberattacks. While phishing emails have traditionally relied on malicious URLs or attachments, modern attacks have evolved to become highly sophisticated, targeted and difficult to detect, often leveraging advanced social engineering techniques to manipulate psychology and stealthy fileless tactics to evade detection.

Recently, there has been a resurgence in phishing attacks due to the proliferation of popular cloud platforms like Microsoft 365 and Google Workspace to accommodate remote workers’ communication and collaboration needs. Phishers have experienced great success targeting cloud email users, as they have direct access to all users within an organization and the uniformity of cloud platforms provides the ideal environment to test their malicious tactics and then conveniently reuse the same campaign on thousands of different accounts. Credential phishing is ubiquitous in Microsoft 365 and, despite built-in security defenses, Osterman Research reports that 40% of Microsoft 365 users have experienced credential theft. 

Top Four Holiday Phishing Scams to Be On The Lookout For

Phishing is a persistent, year-round threat; however, it is of heightened importance that users are on the lookout for phishing attempts during the 2020 holiday season. Here are the four most common phishing scams to beware of this December:

Fraudulent Shipping Notifications

Phishing emails that impersonate shipping notifications are more problematic than ever, as most people now do the majority of their shopping online due to pandemic. As a result of this trend, cyber criminals are now more likely to reach into your inbox with a phishing email disguised as a shipping notification. These malicious emails either contain links to fraudulent websites that harvest credentials or malicious attachments designed to capture keystrokes, install ransomware, or steal sensitive data that can be monetized for personal gain.

Gift Card and Coupon Scams

Along with shipping notification scams, phishers are exploiting the dominance of online shopping this holiday season to steal money and personal information in scams that leverage fraudulent coupons and gift cards. These scams create a sense of urgency by offering a great deal on a popular product for a limited time. Attackers ask for payment through gift cards, directing users to a fraudulent landing page that steals credentials which can be used to make multiple transactions.

Travel scams

Many of us have had a tough year, and could use a safe and relaxing vacation. If you’ve booked a trip online, you are at risk of being targeted by phishers in a travel scam. In many travel scams, a threat actor sends a fraudulent notification email, informing the target that his or her trip has been cancelled due to the pandemic and asking the recipient to fill out a form in order to claim a refund. This form captures personal information which can be used to steal money and launch further attacks. Other travel scams impersonate airlines, offering free tickets if a user either forwards a link secretly leading to a phishing site or shares the malicious link on social media.

Charity fraud

Charity fraud involves deceiving victims into believing that they are making donations to legitimate charities, and has become increasingly prevalent due to a widespread eagerness to contribute to pandemic research and relief efforts. In charity fraud scams, attackers pose as a charity organization and send phishing emails asking for donations to a charity that doesn’t exist. 

Tips & Advice for Avoiding Holiday Phishing Scams

Awareness and preparation are critical in preventing phishing attacks this holiday season. Here are our top tips for recognizing and avoiding phishing attacks:

• Do not open emails from suspicious email addresses, such as ecommerce emails with generic domains.
• Do not click links leading to external pages. Shipping details should be provided in the email body.
• Confirm the legitimacy of a charity before you consider making a donation.
• Beware of emails that convey a sense of urgency, or offer good deals on popular items.
• Avoid sharing personal information online with someone you don’t know or trust.
• Be on the lookout for spelling and/or grammatical errors, as well as vague greetings and/or signatures. These are all common signs of phishing.
• Educate employees on phishing and other email threats.
• Critically Important: Implement a layered supplementary email security solution - preferably accompanied by managed services - that provides real-time malicious URL protection and impersonation protection. An effective solution should also implement layered email authentication protocols such as SPF, DMARC, DKIM to protect against spoofing and sender fraud. Human behavior is ultimately unpredictable and modern phishing attacks are so sophisticated and deceptive that even the most security-aware users can fall for a scam. Thus, it is crucial to have a solution in place that prevents all malicious mail from being delivered - creating a safeguarded environment around the user and mitigating the risk of human error.

Key Takeaways

The holiday season coupled with pandemic has resulted in greater phishing risk than ever this December. A phishing attack can have devastating consequences for any organization, and can have a profound negative effect on business success. According to Verizon, data breaches that occur as a result of phishing cost an average of $3.9 million for businesses.

Modern phishing attacks are highly sophisticated, targeted and evasive, but can be prevented with a combination of cybersecurity awareness, smart online behavior and the implementation of a comprehensive, effective email security solution. 

Email security is a gift that keeps on giving in terms of safety, success and peace of mind. Let your heart be light this holiday season and heading into 2021 - Learn how to secure email against phishing attacks with reliable, fully-managed supplementary defenses.>