As October winds down, so too is it time to wind down Cybersecurity Awareness Month. So, taking a cue from the department stores and TV ad agencies…let’s start thinking about the holidays! I know, I know. It bugs me as much as it does you seeing the jack-o-lanterns and Christmas trees displayed side-by-side. Or thinking about what to buy Aunt Ellen when you haven’t even yet handed out candy to the little monsters and superheroes knocking at your door. But in this case, it’s necessary to start planning for the next two months. Because sadly, as anyone in the cybersecurity field knows, cybercrime and the holidays go hand-in-hand.
Holiday weekend disasters
In 2021 there has been an estimated cyberattack every 11 seconds, and cybercrime is expected to cost the global economy $6.1 trillion by year’s end; if cybercrime were a country, that figure would make it the third-largest economy in the world. Recently, the FBI and CISA (Cybersecurity and Infrastructure Security Agency) issued a Joint Advisory, “Ransomware Awareness for Holidays and Weekends”. That’s because this year the U.S. saw major ransomware attacks over the Mother’s Day, Memorial Day and Independence Day holiday weekends. And let’s not forget the SolarWinds supply-chain compromise, disclosed in December 2020. Unfortunately, the agencies expect similar attacks over the Thanksgiving, Christmas and New Year’s holidays this year. A lot of focus is put on cybercrime around the Black Friday and Cyber Monday shopping days. But the largest jump in attempted cyberattacks actually happens the week between Christmas and New Year’s, for a number of reasons.
It’s not just about the shopping
It’s unfortunate that cybercrime and holidays go together so well. Sure, it makes sense when you know everyone is online shopping. But how do you explain all the cybercrime that happens on those holiday weekends that aren’t traditionally about buying gifts? There is clearly more to it.
Businesses on break
During long holiday weekends or over lengthier breaks like those surrounding Christmas and New Year’s Day, security teams at larger organizations might be operating with a skeleton crew and/or might be unsupervised. And at a small organization, the absence of the sometimes lone person responsible for IT might leave security unmanned entirely. Think about it: If a hacker had a choice between breaching your network when your IT security team is fully staffed or when it isn’t, which do you think they’d choose? And it’s not just about getting into your system: There is also less chance of the malware they’ve delivered being spotted in a timely manner. Ransomware operators typically spend days or weeks inside a network, spreading to more systems and stealing data, before they trigger the encryption. The longer it takes for anyone to notice, the more damage the hackers can do. This makes long weekends and other holiday periods absolutely ideal for cybercrime.
Employees at play
Employees are more likely to travel and work remotely during the holiday season and over long weekends in general. Obviously, people are more distracted when working on vacation. This makes them much easier targets for phishing emails. And around the year-end holiday season, people’s guards are down even more as they plan for joyful celebrations (or in some cases, stressful gatherings) with family and friends. Additionally, more personal information is exposed at this time of year, across a growing number of devices. Your private information lives not only in your phones, laptops and tablets, but also in your smart home devices.
Buyer beware: Online scams to look out for
But back to the shopping! Fraudsters have grown skilled at taking advantage of the holidays to push both shopping- and travel-themed scams through online ads, misleading calls, phishing emails, and text messages. These scams are often carefully crafted to look like they came from a legitimate retailer or other organization and for a legitimate purpose. Any of these factors, alone or in combination, can lead to disaster. Beyond training your employees about the signs of a phishing email, they should also be reminded to have their antennae up about increased attempts at fraud as the holiday season approaches. CISA, as it does every year around this time, is warning shoppers to be alert for some specific scams:
Holiday emails with malicious links
In 2018, attackers reportedly sent holiday-themed phishing emails designed to look like Amazon order confirmations. If the victim took the bait and opened the link or attachment, the emails infected the victim’s computer with malware that logged keystrokes and attempted to steal account credentials.
Fraudulent mobile apps and web pages
Cybercriminals may tout fraudulent mobile apps or web pages related to holidays or current events, such as Black Friday, with the goal of convincing victims to enter personal or financial data.
Yet another past holiday scam used the messaging platform WhatsApp to try to lure victims by promoting popular products at deep discounts, sometimes from seemingly authentic retailers like Amazon.com.
Gift card fraud is becoming more common among financial scammers. Scammers can use bots to test millions of combinations of gift card numbers and PINs against a retailer’s balance-check or checkout pages. Once they find an active card, they drain the money—either by purchasing items for themselves or selling the card number and PIN on the dark web. When the recipient attempts to use the card, they discover that it has little to no funds available. Other scammers target legitimate sites that people use to resell gift cards, where it can be difficult for buyers to discern if the cards are being sold legitimately or belong to a scammer.
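The bot-driven enumeration described above leaves a distinctive trail in a retailer’s web logs: one source hammering the balance-check page with a long run of different card numbers, nearly all of which come back invalid. The script below is an added example (not from the original post or from CISA) of how a retailer’s security team could spot that pattern. The endpoint path, the combined-log format with the card number in the query string, and the sample log lines are all constructed for the example; real balance checks would usually carry the card in a POST body, so in practice the same logic would run over application logs rather than the web server access log.

```python
"""Detect gift-card number enumeration in web access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the retailer's balance-check endpoint and log layout look like this.
BALANCE_PATH = "/giftcard/balance"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CARD_RE = re.compile(r"[?&]card=(\d+)")


def parse_line(line):
    """Return a dict for balance-check requests, None for anything else."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(BALANCE_PATH):
        return None
    card = CARD_RE.search(m["path"])
    if not card:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "card": card.group(1),
        "status": int(m["status"]),
    }


def detect_enumeration(lines, window=timedelta(minutes=5), min_cards=20, min_fail_ratio=0.9):
    """Flag sources that probe many distinct card numbers, mostly unsuccessfully,
    inside one sliding time window. A real shopper re-checks one or two cards;
    a bot burns through hundreds, and nearly all of them come back invalid."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            cards = {e["card"] for e in win}
            failures = sum(1 for e in win if e["status"] != 200)
            ratio = failures / len(win)
            if len(cards) >= min_cards and ratio >= min_fail_ratio:
                if best is None or len(cards) > best["distinct_cards"]:
                    best = {"ip": ip, "distinct_cards": len(cards),
                            "requests": len(win), "failure_ratio": round(ratio, 3)}
        if best:
            findings.append(best)
    return findings


def build_sample_log():
    """Constructed sample: a bot sweeping 40 sequential numbers (finding one live
    card) and a real customer checking the same card twice."""
    t0 = datetime(2021, 12, 26, 2, 14, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path}?card={card} HTTP/1.1" {status} 51'
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        status = 200 if i == 37 else 404  # one hit during the sweep
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, path=BALANCE_PATH,
                                card=f"6011{i:012d}", status=status))
    for i in range(2):
        ts = (t0 + timedelta(minutes=1, seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, path=BALANCE_PATH,
                                card="6011000000004211", status=200))
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in detect_enumeration(build_sample_log().splitlines()):
        print(finding)
```

The thresholds (20 distinct cards and a 90% failure rate within five minutes) are starting points, not magic numbers; tune them against your own traffic. The same signal is what a rate limit or CAPTCHA on the balance-check page should key on: distinct card numbers per source, not just requests per second, since a bot that paces itself slowly still stands out by the sheer variety of numbers it tries.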
Online shopping safety tips for employees
Cybercrime and the holidays don’t need to be a foregone conclusion for your organization. Fortunately, there are some steps employees can take to better protect both themselves and the organization (in the cases where your organization’s network or other resources are involved). You would be wise to pass these along!
One of the best ways to avoid online shopping scams is to shop directly through the websites of retailers you already know and trust. However, if you find an unfamiliar retailer that has an item you just can’t find anywhere else, take time to do a bit of research: If the retailer is based in North America, you can check the Better Business Bureau website for prior complaints. Study the URL, and in particular the domain name, to make sure it looks legitimate; scam sites often use a familiar brand name with extra words, a swapped character, or an unusual ending tacked on. Sometimes even a quick Google search can reveal the reputation – stellar or suspicious – of an online retailer. If you have any doubts, move on!
Storing credit card information
Keep in mind that large retail chains are not immune to cybersecurity breaches. In fact, they are often the biggest targets! (And I didn’t use the word “target” by coincidence…) Be aware that any financial information you have stored for your own convenience with an online retailer comes with risk.
Be more suspicious this time of year. Avoid clicking on links in unsolicited emails. If you receive an unsolicited email from a business but wish to learn more about the offer, go to the authentic website directly by opening a browser and typing the web address yourself. Never provide sensitive information through email.
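The reason for typing the address yourself is that the text of a link and the place it actually goes can be completely different, which is exactly the trick the fake Amazon order confirmations described earlier relied on. The script below is an added example (not from the original post, CISA, or any vendor) of the checks a mail filter or a curious employee can run on the links in a message: is the destination HTTPS, does the displayed URL match the real one, and does the real host merely contain a trusted brand name rather than belong to that brand. The trusted-domain list, the homoglyph table, and the sample email are assumptions constructed for the example.

```python
"""Flag suspicious links in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brands the message claims to come from.
TRUSTED_DOMAINS = {"amazon.com"}

# Common digit-for-letter substitutions seen in look-alike domains (assumed list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased host name of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def displayed_host(text):
    """If the anchor text itself looks like a URL or bare host, return that host."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return ""
    return host_of(t if "://" in t else "https://" + t)


def assess_links(html):
    """Return one finding per link: the real destination and why it is suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if urlsplit(href).scheme != "https":
            reasons.append("not https")
        shown = displayed_host(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        for domain in TRUSTED_DOMAINS:
            brand = domain.split(".")[0]
            # "amazon" appearing inside a host is not the same as being under amazon.com.
            if brand in host.translate(_HOMOGLYPHS) and not belongs_to(host, domain):
                reasons.append(f"look-alike of {domain}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample message; the example.net / example.org hosts are placeholders.
SAMPLE_EMAIL = """
<p>Your order has shipped.</p>
<a href="https://www.amazon.com/orders">View your order</a>
<a href="http://amazon.com-order-verify.example.net/login">https://www.amazon.com/orders</a>
<a href="https://secure-amaz0n.example.org/confirm">Confirm shipping address</a>
"""

if __name__ == "__main__":
    for f in assess_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if f["reasons"] else "ok", f["href"], f["reasons"])
```

Only the first link survives: the second shows a genuine Amazon URL as its text but points elsewhere over plain HTTP, and the third hides a zero-for-o swap in a host that has nothing to do with amazon.com. Note that a clean result is not proof of safety; a link that passes every check can still lead to a freshly registered domain with a valid certificate, which is why the advice to type the address yourself stands.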
Look for indications that your connection to an online shopping website is encrypted. This is typically identified by a URL that begins with “https:” (instead of “http:”) and a padlock icon in the browser’s address bar. Some scammers try to trick you by drawing a padlock image inside the page itself; a padlock in the page content proves nothing. Make sure the icon is in the address bar, where your browser normally shows it (compare it to a safe site you are familiar with). And keep in mind that encryption only protects the data in transit: phishing sites routinely use HTTPS too, so a padlock tells you nothing about who is on the other end.
Credit, not debit
There are laws that limit an individual’s liability for fraudulent credit card charges (in the U.S., the Fair Credit Billing Act caps it at $50). Your debit card may not have the same level of protection: under the Electronic Fund Transfer Act, how much you can lose depends on how quickly you report the fraud. Also, because a debit card draws money directly from a bank account, unauthorized charges could immediately leave you without funds to pay bills or other necessities. Be sure to use a credit card and not a debit card for payment gateways like Apple Pay, PayPal and Google Wallet.
Mobile shopping apps
Some mobile shopping apps are outright scams; others may be legitimate but collect more personal information than you feel comfortable with. Look for apps that tell you what they do with your data and how they keep it secure, and install them only from the official app store.
The Retail Gift Card Association recommends purchasing gift cards only from trusted online sources. Store the card in an online account or mobile wallet that requires a password until you give it to the recipient. If it’s being sent to them online, use a means that is password protected. And if you receive a gift card this holiday season, use it as soon as possible to avoid loss or theft, or register it and change the PIN.
According to the Better Business Bureau, make sure that the sender’s name is visible on the eCard. And be wary if you are required to enter personal information in order to access it. Also, avoid opening eCards that arrive as an attachment ending in “.exe” (or any other executable or archive type), which could install malware.
Basic tips for organizations
I won’t go too much into detail on how organizations can protect themselves from cybercrime over the holidays (and any other time, really); we cover cybersecurity topics in our CGNET blog regularly. Go take a look! In this post I’ll just summarize the FBI/CISA Joint Advisory’s recommendations:
- Make an offline backup of your data.
- Keep operating systems and software updated, and scan them for vulnerabilities.
- If you use Remote Desktop Protocol—or other potentially risky services—secure and monitor them.
- Use complex and unique passwords.
- Use multi-factor authentication.
- Secure your network(s): implement segmentation, filter traffic, and scan ports.
- Secure your user accounts.
- Have an incident response plan.
- Use the Ransomware Response Checklist (from cisa.gov) in case of infection.
(A footnote about that recommendation for an incident response plan: Consider including a specific security strategy for cyberattacks during holidays and on weekends.)