Holiday Cybersecurity: Are You Prepared for These Common Attacks?

The Holidays Bring More Than Just Cheer

The holidays bring a change of pace for individuals and businesses alike. At home, we get to enjoy good food, gifts, and time with friends and family. In business, companies are gearing up for huge sales that will make or break their year as well as pushing work across the finish line to make the most use of their budgets (while also planning their strategies for the new year). Unfortunately, this time of year also brings with it a number of holiday cybersecurity threats — for both individuals and organizations. 

For retailers, the holiday season can account for as much as 30 percent of total sales for the entire year. In 2018, more than 165 million people shopped between Thanksgiving and Cyber Monday and spent an average of $313 during that period (and $846 total — up 14 percent from 2017). Online sales were responsible for $126 billion last year, a 16.5 percent increase from 2017’s $108 billion. Overall, we spent more than $1 trillion dollars last year shopping for the holidays — the first time we’ve ever crossed that mark.

For both online and in-store shoppers, data is being passed around between point-of-sale (POS) devices, company servers, financial institutions, mobile and desktop browsers, and more. And because we’re all in a hurry to get our holiday shopping done as quickly and stress-free as possible, we tend to forget or ignore cybersecurity best practices, both in our professional worlds and our personal lives. And because of that, cybercriminals increase their efforts to steal your information, gain access to company networks, and cause all manner of havoc.

Let’s explore a few of the most common holiday cybersecurity attacks and problems that occur during this time of year, as well as what you can do to protect yourself and your company.

Already have a grasp on phishing prevention? Are you confident that your employees would pass a test? Inversion6 can assess your readiness for a phishing attack. Contact us to learn more.

Don’t Get Caught on a Phishing Line

In 2018, email was the third-highest driver of revenue for retailers on Cyber Monday, contributing to more than 24 percent of sales. Retailers also sent more than 3.5 billion emails on Black Friday and more than 4 billion on Cyber Monday. That’s a lot of email marketing — and a big opportunity for cybercriminals to increase their efforts in getting an open or click. 

When it comes to holiday phishing scams, it’s important to know what to watch for. Look at the email address it was sent from. If it’s misspelled or completely unrelated to the company that should’ve sent it, don’t open it. Check for misspellings and grammatical errors in subject lines as well. If you happen to open the email, don’t click or download anything. Phishing emails typically contain links to fake websites designed to steal your information. 

It can be easy to miss these small indicators of a phishing email, especially when an offer for 50% off comes in from a favorite retailer. But taking time to verify authenticity can save you significant time, money, and hassle in the long run. The last thing you need is to be deactivating stolen credit and debit cards or — even worse — trying to undo damage to your identity.

Beyond promotional emails, other effective phishing strategies include fake receipts and invoices. These often include an attachment like a PDF designed to get you to open it, thereby allowing malware to be installed on your machine. With so much online shopping occurring during the holidays, it can be easy to think something is wrong upon receiving a notification or unexpected receipt from one of your preferred retailers.

One important thing to keep in mind is that marketing emails will be sent to whatever email address the retailers have for you. Because many people use their work email so frequently, it can often be easy to just use that account for personal matters as well. However, doing so can put your company at risk. This, and using your personal email account while on a work machine. Opening a potentially risky attachment on a work device can allow harmful software to infiltrate your company’s network despite the best efforts of your IT team to prevent such incidents.

Manipulation Through Social Engineering

Another holiday cybersecurity concern is social engineering. Social engineering cyber attacks use various forms of manipulation and deception in order to achieve a specific aim. This might include getting malicious software installed on your device, obtaining your passwords, or obtaining financial information. These attacks make use of our tendency to trust others — especially when we’re hearing from what we believe is a friend, family member, or co-worker.

The reason attackers use this strategy is because people often tend to take messages from these groups at face value. Who wouldn’t naturally believe an email from their loved one was valid? However, if the attacker already has access to your email or social network, they would know that you interact with that person often and would be more likely to respond to a request for information or take an action that they requested from you. 

In our personal lives, examples of a social engineering attack might include an email from a relative or friend with a link to download some pictures, a document, or some similar file. Once you download that file, it’s too late — the malicious software is installed, the attacker has access to your machine and all information on it, or both. Be wary of emails or social messages asking you to check something out. If the link looks suspicious, treat it as such as don’t click it.

Professionally, receiving a request from a co-worker and especially from a superior would naturally elicit a response. You want to be helpful and not appear as if you’re not contributing or are holding things up, so you take action. However, an attacker that has researched the company could easily find out who you and your boss are, then use that dynamic to target you and get you to do something. If you download a file, click a link, or respond with sensitive information, you’ve opened up your organization’s network to attack.

As the year comes to an end, social engineering becomes another preferred method of attack because companies are frantically trying to complete their projects, place orders, plan budgets, and complete other tasks before the year resets. Communications increase despite time off. Customer communications also increase as more orders are placed. Always be on the lookout for messages from strange senders with errors, or those urging you to do something. Effective holiday cybersecurity starts with careful, watchful employees.

Get More Holiday Cybersecurity Best Practices from Inversion6

Cybersecurity must be a priority for your organization year-round — not just at year-end. Phishing and social engineering can happen at any time, but because of the natural busyness of the holiday season, the chance of these attacks succeeding increases dramatically. Inversion6 works with companies to educate employees on what to look for when it comes to phishing, social engineering, and other holiday cybersecurity threats. We work closely with leadership teams and the rest of the organization to ensure best practices are used. Contact us to learn how we can help you as the year comes to a close.