It’s the Season for Holiday Phishing Scams! 5 Ways to Stay off the Hook

The holidays are a time for family and fun, and a time to be extra vigilant about phishing attacks.

Will some Grinch try to ruin your 2019 holiday season with phishing scams?

We’ve once again reached that fun but frenetic time of year. Online shopping, social media sharing, emails promoting new or hard-to-get items and big discounts – everything accelerates during these weeks.

Industry experts expect 2019 to bring one of the biggest online shopping seasons yet. The National Retail Federation reports that of the more than 174 million Americans who shopped from Thanksgiving through Cyber Monday, 58 million shopped online only, and 65 million shopped both online and in stores.

Deloitte says that 50% of this year’s holiday shoppers claim to prefer shopping online over the in-store experience. When it’s all said and done, Adobe Analytics is predicting more than $143.7 billion in 2019 holiday sales!

’Tis the Season... for Phishing Scams

But the holidays can bring anything but a consumer’s paradise. More people shopping online, and more emails being sent about purchases, deliveries, exchanges and promotions, means more opportunities for scammers to impersonate legitimate shopping-related correspondence.

With our overly busy schedules during this season, it’s even easier to fall victim to phishing scams – both at home and at work.

People share all kinds of seasonal emails on the job, and yes, whether bosses like it or not, sometimes holiday shopping is done from work computers.

Here are five of the most common phishing-related threats with tips to help you stay off the holiday phishing hook, at home or at work.

The Classic Phish

Email is the most common way phishing attacks are carried out, and the holidays are no exception.

The New York Times offered a recent example of a small online business, Mantra Magnets, whose owner was phished by an email offering to list her products in a holiday catalog. While she “instantly regretted” clicking, it was too late and many attempts to access her email account from all over the world ensued.

Broad phishing attacks commonly use emails that include links or attachments containing malware, or that prompt users to enter personal data. Learning how to spot these messages is important. Some common signs include:

  • Misspellings of a major brand name
  • Disguising a message as a regular update email
  • Invitations to click on multiple links to either review security “enhancements” or your privacy settings
  • Too-good-to-be-true announcements that you’ve won a large sum of money

But as attackers become increasingly sophisticated, these known “spray-and-pray” techniques are diminishing and the quality of phishing emails is improving, making them harder to spot.

Even the savvy owner of Mantra Magnets, who had written a book about getting hacked, still fell victim because attacks are getting so clever.

Training Tip

Never open an unsolicited email attachment, unless you have confirmed the validity of the sender. Rolling your mouse over the “from” address can verify the sender is legit.

At the holidays, be particularly cautious of phishing scams using any of the following tactics:

  • Attached coupons or other offers
  • Holiday-specific images or animations claiming to be shocking or “breaking news”
  • Order or shipping confirmation links and documents for unexpected packages

How to Spot A Phishy Email

To serve as a reminder of what a phishy email looks like, we've created a shareable infographic that details exactly what to look for.


Spear Phishing

Adoption of spear phishing, a highly personalized form of socially engineered phishing scam, is growing. In fact, a November 2019 report from Europol found that 65% of cyberattack groups use spear phishing as their primary infection vector. The main motivation behind it is usually gaining access to business secrets, confidential information, or financial credentials.

Spear phishing attempts will often involve attackers creating email accounts that are near-identical to those of someone on a corporate network (like a high-level executive), and posing as them. That way, they can glean private information, request fund transfers, and deliver malware to unwitting employees.

Training Tip

At holiday time, be extra aware of communications from company leadership regarding things like holiday policies, bonuses or anything out of the ordinary. Verify the sender’s email address, ask your manager, and talk to HR or IT security about anything suspicious.
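
For teams that want to automate the “verify the sender’s email” step, here is an added example (not part of the original post) that flags From: headers using a colleague’s display name or a near-identical address. The staff names, the example.com directory, and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory of real staff addresses (example.com is a placeholder domain).
DIRECTORY = {
    "Dana Whitfield": "dana.whitfield@example.com",
    "Luis Ortega": "luis.ortega@example.com",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(addr: str) -> str:
    """Collapse common visual substitutions: 'rn' for 'm', 'vv' for 'w', 0 for o, 1 for l."""
    addr = addr.lower().replace("rn", "m").replace("vv", "w")
    return addr.translate(str.maketrans("01", "ol"))

def check_sender(from_header: str, directory=DIRECTORY, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known = {a.lower() for a in directory.values()}
    if addr in known:
        return "known"
    # A real colleague's display name on an address that is not theirs.
    if name.strip().lower() in {n.lower() for n in directory}:
        return "lookalike"
    # An address that is visually or textually within a few characters of a real one.
    for real in known:
        if fold(addr) == fold(real) or edit_distance(addr, real) <= max_dist:
            return "lookalike"
    return "unknown"
```

A “lookalike” result is a reason to confirm the request through another channel, not proof of an attack; an “unknown” sender still needs the usual scrutiny.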

Phishy Friend Requests

Fake accounts and friend requests via social media are a common way scammers begin their phishing scams.

By successfully “friending” you, they have access to your profile and can use personal details to create more convincing messages in the future. Especially at the holidays, we may be excited to hear from those we think are old friends or classmates wanting to reconnect.

Training Tip

Don’t “friend” people you don’t know in some capacity in the real world.

Be especially wary of friend requests from individuals who are already in your contact list, as a second request from an existing friend may be a sign their account was compromised. Before accepting invites from someone you knew in the past, check out their publicly available profile to make sure it’s them.

Social Media Phishing Scams

Use of social media is pervasive. And whether businesses like it or not, social media use spills into employee work time, spreading the risks for users both at home and at work.

Social media by its nature results in people divulging personal details or clicking and sharing links. This is even more prevalent at holiday time, with people posting photos of parties and events (or their kids!), sharing holiday memes and shopping tips, or linking to specialized websites.

Training Tip

Consider keeping content viewing to just your main feed level; don’t click on images, animations or links. And be extra careful about what you share. Don’t post company details, don’t “tag” people in photos without their permission, and especially – protect children’s identities.

Telephone Scams

Email isn’t the only way to be phished. Voice phishing, called vishing, happens over the phone.

For instance, during the holiday season, there may be more calls purportedly made from “charities” soliciting donations (people are more inclined to give around this time) or “companies” claiming they need more information (like credit card data) in order to resolve issues with product orders or package deliveries of important gifts being sent to loved ones.

Robocalls are also a real problem. YouMail, Inc. reports a record 49 billion robocalls made in the U.S. in 2019 through October – and that’s before the holiday season started! RoboKiller says that 5.9 billion calls were made just in November.

These calls are more likely to come during the work day when people are more apt to answer the phone, but they could come at any time, especially during the holidays when vishers know people will be expecting more calls than usual.

Training Tip

Never give your credit card number to anyone who calls you first. Call the organization’s 800 number yourself to verify the legitimacy of any requests or open items discussed in the suspect call you received.

With any unexpected texts, as with emails, verify the sender before clicking on any links. Stop and think – Do I know this person? Did I order something? Am I expecting a delivery?

Wrapping Up

The holidays are a wonderful time to spread good cheer, reconnect with family and friends, and be a little kinder to each other at work or wherever we are.

But the “holiday spirit” for cyber attackers means something else. Stay mindful of the many ways you could be phished, so your holidays stay merry and bright!
