While most of us are lucky enough to enjoy some downtime over the festive season, cyber criminals don’t go on vacation. In fact, Christmas and New Year tend to bring greater risks to individuals and organisations alike. Many companies that close over the holidays operate with a skeleton staff, leaving networks and systems unsupervised during this time.
And as always, threat actors are watching closely, looking for every opportunity to exploit the holidays and to prey on eager shoppers through clever phishing scams while their guard is down. Unfortunately, many individuals and businesses fall for these scams.
Let’s take a closer look at some of the scams we typically see at this time of year.
The first are Christmas-themed emails, which increase in both volume and sophistication at this time of year. Because we receive many genuine emails wishing us a happy holiday from colleagues and partners, along with genuine special offers, the malicious ones can easily slip through our defences.
Users need to scrutinise every Christmas email invitation, special holiday offer, plea for donations to a supposed charity, travel deal, COVID-19 travel update and the like, as too often the links or attachments in these mails carry malware.
At a glance these emails often appear legitimate, but the executable attachments or links are cleverly disguised as special offers, surveys or similar.
Another popular scam employs fake emails that appear to come from the payroll or HR department. As people wait in anticipation for their final salary of the year, phishers send out emails entitled ‘Christmas bonus’ or ‘Thirteenth cheque’, capitalising on employees’ excitement. Many of these scams carry links to a malware-laden Google Drive document, or a Word or Excel attachment with embedded malware.
Another scourge that increases over the holiday season is typosquatting. This is a social engineering attack that preys on people who mistype a URL into their browser: users land on malicious Web sites whose addresses are common misspellings of genuine ones, and too often enter their login credentials into these fake sites, which can cause significant damage.
Bad actors register domains that are common misspellings of popular Web sites in order to lure visitors there. These sites are often designed to defy all but the closest scrutiny, cleverly crafted to mimic the look and feel of the real site, and then ask for credit card or bank details.
Finally, there are the emails claiming that the user has won something, a trick as old as phishing itself. In their excitement, too many people click the link to see what luck has come their way, and end up being phished for their banking details or credit card information. Combined with typosquatting, these scams can be highly effective. Users should be encouraged to remember the old adage that there is no free lunch: if something seems too good to be true, it probably is. There is no way you are getting a new MacBook Air for 30 euro.
So how can we avoid these scams?
It’s pretty simple. Check that the sender’s display name and the actual email address match, and remember that a legitimate company will mail from its own domain, not from a generic address like firstname.lastname@example.org. Scrutinise the links in emails, looking for the subtle misspellings that make a domain resemble the genuine one, and hover your mouse over each link to see where it really points before clicking. Be very suspicious of any email that urges an immediate call to action, claims your account will be suspended if you fail to act, says your details need to be updated, or insists that the sender must be contacted at once.
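The checks above (sender name versus address, link text versus link target, urgency cues) and the typosquatting lookalikes described earlier can be automated for a first-pass triage of suspicious mail. The script below is an added example written for this page, not code from the original article or from any vendor. It assumes the organisation’s own domain is example.com (a hypothetical, for illustration), uses a constructed sample message rather than a real phish, approximates the “registrable domain” as the last two labels of a hostname (no public-suffix list), and reads anchors with a simple regular expression, which is adequate for a demonstration but not for arbitrary HTML.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s). Hypothetical value.
PROTECTED_DOMAINS = ["example.com"]

# Constructed sample, not a real message: a 'Christmas bonus' lure whose
# visible link text shows the real HR site while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Payroll Department" <payroll-notice@mail-example.org>
To: staff@example.com
Subject: Your Christmas bonus statement
Content-Type: text/html

<html><body>
<p>Your thirteenth cheque is ready. Confirm your details within 24 hours
or payment will be suspended.</p>
<p><a href="http://exarnple.com/payroll/login">https://hr.example.com/payroll</a></p>
<p><a href="https://hr.example.com/contact">Contact HR</a></p>
</body></html>
"""

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY = re.compile(
    r"\b(within \d+ hours|suspended|immediately|act now|update your details)\b", re.I)
INTERNAL_ROLE = re.compile(r"payroll|\bhr\b|human resources|finance", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, protected, max_distance=2):
    """Return the protected domain that `domain` imitates, or None if it is
    either identical to one or not close to any."""
    for p in protected:
        if domain == p:
            return None
        if levenshtein(domain, p) <= max_distance:
            return p
    return None


def analyse(raw):
    """Run the manual checks from the article over one message and return
    a list of human-readable findings (empty list means nothing flagged)."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender display name vs. actual address.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    if sender_domain and sender_domain not in PROTECTED_DOMAINS:
        if INTERNAL_ROLE.search(display):
            findings.append(
                f"internal-sounding sender '{display}' mails from external domain {sender_domain}")
        imitated = lookalike(sender_domain, PROTECTED_DOMAINS)
        if imitated:
            findings.append(f"sender domain {sender_domain} looks like {imitated}")

    # 2. Link text vs. real target, and typosquat check on the target.
    body = msg.get_payload()
    for href, text in ANCHOR.findall(body):
        shown_text = re.sub(r"<[^>]+>", "", text).strip()
        target = registrable(urlparse(href).hostname or "")
        m = DOMAIN_IN_TEXT.search(shown_text)
        if m and registrable(m.group(1)) != target:
            findings.append(f"link text shows {registrable(m.group(1))} but points to {target}")
        imitated = lookalike(target, PROTECTED_DOMAINS)
        if imitated:
            findings.append(f"link target {target} looks like {imitated}")

    # 3. Pressure to act now.
    if URGENCY.search(re.sub(r"<[^>]+>", " ", body)):
        findings.append("urgent call to action in body")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

On the constructed sample this flags the external sender posing as payroll, the link whose text shows example.com but whose href resolves to exarnple.com (an “rn” for “m” swap, two edits away from the real domain), and the 24-hour suspension threat. Edit distance alone will not catch every lookalike (homoglyphs in other scripts, or brand names embedded in longer domains), so treat it as one signal among several, not as a verdict.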
Critically, never open attachments or click links from unknown senders. If something doesn’t pass the ‘sniff test’, don’t open it; report it to your IT department instead.