Security Tips to Stay Safe from Phishing Over the Holidays

While phishing is the threat that never sleeps, it certainly ramps up around the holiday season. It’s almost irresistible – people cramming into online sites to buy, buy, buy, a natural sense of urgency, dopamine clouding our judgment as we excitedly pick out gifts, and the rush of getting that “1 item left” in a cyber-Monday deal. It’s a recipe for disaster. 

Hackers have capitalized on the holiday craze and lay their best traps between October and December. Reports from last year showcased an estimated 8 million cyber attacks happening every single day. Keeping a few key tips in mind can help enterprises, users, and the users who remotely use their enterprise devices avoid becoming Phish-bait this holiday season. 

Why the Rise in Holiday Attacks?

Phishing attempts around the Christmas season are so rampant that the FBI issued a warning against holiday scams. Phishing can lead to sites where items are purchased, but never delivered. Or, to mis-represented products and prices, and payment methods that clear the card, not the balance. IT teams are already resource restrained to begin with, and with so many people taking time off of work for the holidays, unwatched vulnerabilities can be exploited. 

While this is alarming – and disappointing – for consumers, the problem is now widely an enterprise one. With the high amount of remote workers, an employee shopping for gifts on a company device could fall prey to a scam that could then compromise the company, giving the hacker a “daily double” by not only forfeiting personal information but access into the organization’s network as well. 

Research published by Akamai revealed that there was a 150% increase in phishing victims between the second half of October and the end of November. Interestingly, this same research reported that enterprise-owned devices saw a dramatic increase in the consumption of (presumably) non-work related services such as streaming, gaming, and social-media. The fact that many employees use the same device for work and play makes every online interaction a liability and drastically increases risk to corporate networks.

Staying Safe

“Hacking” is just a way to out-think a problem, and bad actors don’t have to be the only ones good at that this year. Here are several FBI-backed tips to hack the phishing attempts your organization might receive this year:

• Check your list  links twice
  Avoid clicking on suspicious links – on social media, in an email, via text – by being proactive and reading the URL through for errors, and approaching the retailer’s site from a Google search or direct visit, rather than giving in to the impulse to click whatever hyperlink was offered. If it really is a valid link, you should be able to get there in the usual ways. 
• Know your seller
  If you have to look up the vendor on the Better Business Bureau website, do it. Don’t send your money to new pop-up shops that seem to have sprang up like mushrooms right around the holidays. Due to the nature of online business, some might be legitimate (take Amazon sellers). Unfortunately, some might not. Make sure the seller’s website has the HTTPS padlock, and check out feedback and reviews. 
• Pay carefully
  This may go without saying, but never wire money directly to a seller. This means no Venmo, PayPal (in most cases) or prepaid gift cards. In the case of the latter, hackers will often ask for the gift card number and pin, then use it as their own. It can be safe practice to use a credit card for online purchases and check the balance regularly. 
• Keep an eye on shipping
  Track your packages and follow the delivery process to make sure your hard-bought item doesn’t end up under some scammer’s Christmas tree. If you’re a seller yourself, be wary of billing addresses that don’t match the ultimate destination. Authorize the cardholder (using MFA or some other form of verification) before sending. 

And a few from us:

• Anti-Phishing Solutions
  A defense-in-depth solution is always smarter than just one layer. Security awareness training is necessary for an ongoing culture of cyber safety and to bring down those numbers over time. However, human error will always allow for some gaps, so posting up a good defense mechanism behind the scenes is always smart.
  
  Products like KnowBe4 PhishER present a lightweight SOAR option that manages high email alert volumes and helps orchestrate automated responses. Email security platforms are also a good way to prevent users from mistakenly sending sensitive information outside the network, and can block advanced phishing attempts, defend against malicious attachments, and secure email clients in the cloud. As attack rates rise around the end of the year, it helps to have an automated solution to pick up the slack.

• Train your users
  When it comes to social engineering attacks, it’s all about what you know. Don’t let cybercriminals get the upper hand by catching your workforce unaware. Vendors like KnowBe4 provide enterprise-level security awareness training so you know the baseline habits of your users, what they need to work on to improve, and increase over time rates as your employees are regularly “phished” with fake attacks to test their knowledge. Investing in something like this ahead of time can help your workers be ready for the holidays.

As phishing rates rise, end-of-year defenses need to, too. You don’t want to end the fourth quarter with a massive data breach, hemorrhaging data and cash. Keep an eye out, put up additional automated defenses, look to a managed service provider to help bear the load, and train your users so you have all hands on deck when protecting your network. Phishing is a social-engineering mind game that hackers win when we are unprepared. Re-shuffle priorities so that security is top of mind when investigating ads, emails and websites, and remember: if it looks too good to be true, it probably is.