Holidays are just ahead of us and most cannot wait to put 2020 in the rearview mirror. Sadly, cybercriminals aren't taking time off. As always, the Christmas holidays bring a lot of shopping and presents - and a heightened degree of phishing attacks as well. Social engineering techniques are being updated and adjusted with creative and tricky twists, enabling “Grinches” to execute their evil plans and steal the joy of holidays once again. Below are some of the most popular holiday scams of this year.
The CEO Scam
This is a type of spear phishing scam (also called business email compromise) where cybercriminals either break into the mailbox of an executive of a large organization or convincingly spoof it, using a lookalike domain or a forged display name, and send requests to their victims that appear to come from that executive.
Prior to sending their requests, scammers conduct thorough research through open-source intelligence channels (e.g. social media, press releases) so that those emails look and sound trustworthy and believable, which makes the attack difficult for many to recognize. Typically the attacker asks the victim to disclose sensitive information (for example, payroll records for the past quarter) or to transfer funds, usually with a sense of urgency and a request to keep the matter quiet. Check out this scam with a holiday twist, where a government employee was duped into buying $500 in gift cards.
How to stay safe?
Implement strict policies for financial transactions: a written request approved by more than one person, plus out-of-band verification (a phone call to a number you already have on file, or an in-person check) of any payment or data request that arrives by email, even when it appears to come from an executive
Educate your employees and executives about holiday-themed scams and how to avoid them. Use a unique, strong password for every account and enable Multi-Factor Authentication, so that a guessed or leaked password alone is not enough to take over a company mailbox
Avoid connecting to public Wi-Fi in coffee shops or while travelling. Such networks are often unencrypted, or an attacker may run an "evil twin" access point with the same name, which lets them intercept traffic or serve fake login pages. If you must use one, connect through a VPN and do not log in to sensitive accounts
Fake Delivery Attempt
This is a variation of a phishing scam, where an attacker sends out an email impersonating a delivery company (FedEx, UPS, Canada Post, you name it), informing the victim that their package has been shipped or delayed and prompting them to click on a link to track the shipment.
Needless to say, the link doesn't lead to any legitimate tracking website. Instead, it takes you to a malicious site that serves malware or harvests your credentials, and that site can be near-indistinguishable from the real thing. As many of us have bought presents online, or are expecting gifts from friends, we would not think twice before opening such an email and clicking on the link, which is exactly what the attacker is hoping for.
How to stay safe?
Carefully examine each email you receive: check the actual sender address, not just the display name, and watch for lookalike domains (a courier's name with an extra word, a hyphen, or a different ending)
Don't open attachments or click on links in emails you did not expect to receive
Track your shipments directly through the delivery company's own website or app, using the tracking number from your order confirmation, not through links in emails someone might send you
Fake Deals and Shopping Apps
At the peak of the holiday shopping season, the Internet is full of unbelievable holiday deal offers, as well as fake shopping apps that promise incredible discounts and promotions. As you can guess, it wouldn't be profitable for a business to offer unreasonable discounts during the hottest shopping month (and, ironically, one of the coldest months of the year) of December. Ads and websites that promise to shave 90% off the original price, or apps that would magically let you buy a sparkling new iPhone 12 for $100, are nothing but a scam. Clicking on those links and installing those apps can leave you with malware on your device, or with a payment made and nothing delivered, instead of the promised goodies.
How to stay safe?
Beware of offers that seem too good to be true. Do not follow links that offer unreasonable discounts or unbelievable promotions
Shop only at online stores you trust and avoid those you've never heard of; install shopping apps only from the official app stores
If you decide to follow a link to a shopping website, verify that it leads exactly where it says it does by hovering over it with the cursor (or long-pressing it on a mobile device) and checking the domain the URL actually points to, not just whether a familiar brand name appears somewhere in it
Verify the legitimacy of a deal or a discount by navigating directly to the company's website instead of clicking on the advertisement
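The two checks recommended above for delivery and shopping emails, "is the sender really who the display name says" and "does the link really go where its text says", can be done mechanically. The script below is an added example, not code from the original post or from Wembley Partners: it parses a constructed sample message (the sender domain, link host and brand list are illustrative placeholders, not real infrastructure), compares the display name against the real sender domain, reads the receiving server's SPF/DKIM verdict, and compares each link's visible text with the domain its href actually points to. The "last two labels" domain approximation is a simplification; a production tool would use the public suffix list.

```python
"""Triage a suspicious e-mail offline: who really sent it, and where its links really go."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a "delivery notification" phish (not a real message).
# The sender domain, link host and Authentication-Results line are illustrative.
SAMPLE_EML = """\
From: "FedEx Delivery" <notice@fedex-track-updates.example>
To: victim@example.com
Subject: Your package could not be delivered
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=fedex-track-updates.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel is on hold. Track it here:
<a href="http://fedex.com.tracking-update.example/track?id=1">https://www.fedex.com/track</a></p>
</body></html>
"""

# Brand keyword -> the domain that brand legitimately mails and links from (assumed list).
BRANDS = {"fedex": "fedex.com", "ups": "ups.com", "canada post": "canadapost.ca"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Adequate for .com/.ca style names; a production tool should use the
    public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_domain(text):
    """Registrable domain of a URL or bare hostname, '' if the text is not one."""
    target = text if "://" in text else "http://" + text
    host = urlparse(target).hostname
    return registrable_domain(host) if host and "." in host else ""


def triage(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the display name claim a brand that the actual address does not belong to?
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.addr_spec.rpartition("@")[2])
    for brand, legit in BRANDS.items():
        if brand in sender.display_name.lower() and sender_domain != legit:
            findings.append(f"display name '{sender.display_name}' but address is @{sender_domain}")

    # 2. What did our own mail server conclude about SPF/DKIM/DMARC?
    auth = str(msg.get("Authentication-Results", ""))
    for verdict in ("spf=fail", "spf=softfail", "dkim=fail", "dkim=none", "dmarc=fail"):
        if verdict in auth:
            findings.append(f"receiving server reported {verdict}")

    # 3. Does each link go where its text says it goes? (the "hover over it" check)
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        parser = LinkExtractor()
        parser.feed(html.get_content())
        for href, text in parser.links:
            real, shown = url_domain(href), url_domain(text)
            if shown and real != shown:
                findings.append(f"link text shows {shown} but points to {real}")
            # Brand name planted as a subdomain label, e.g. fedex.com.<attacker-domain>
            host = urlparse(href).hostname or ""
            for brand, legit in BRANDS.items():
                if brand.split()[0] in host.split(".") and real != legit:
                    findings.append(f"'{brand}' appears inside host {host}, which belongs to {real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("!", finding)
```

Run against the sample, the script reports the mismatched display name, the failed SPF and missing DKIM verdicts, and the link whose text says fedex.com while its href lands on an unrelated domain with "fedex.com" planted as a subdomain. The Authentication-Results header is only trustworthy when it was written by your own receiving server, which is why the check reads the verdict rather than re-doing the lookup.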
Fake Holiday Greeting Cards
Many organizations send holiday greetings to their valued clients, partners, and vendors, which makes electronic greeting cards a very convenient disguise for malicious links and attachments. Hackers will try to impersonate large companies, such as Amazon or Apple, and send out emails that look like holiday greeting cards. In some cases, they prompt victims to click on a link to see a video "crafted specifically for you" or to download an attachment that looks like a card. Just like in all the previous scenarios, such links and attachments can be very dangerous and should not be engaged with.
How to stay safe?
Do not open attachments or click on links to greeting cards you did not expect to receive
If you receive one from a friend and it looks suspicious, contact that person by phone call or text (not by replying to the email) and confirm that they actually sent it
Of course, these examples make up only the tip of the scamming iceberg. This year has been exhausting for many, and with the upcoming holidays and news of effective COVID-19 vaccines, it is easy to let your guard down - and the cybercriminals are aware of this. Please pay close attention to the items described above to avoid making your 2020 even more eventful than it already was.
Stay safe and Merry Christmas from our team at Wembley Partners!