Holiday Phishing Scams to Watch Out For
Holiday phishing scams are starting to pick up. Do you know what to watch out for? Protect yourself and your company this holiday season with these helpful tips.
What is Phishing and Why Does It Matter Around the Holidays?
The number of holiday cybersecurity attacks that companies might experience is extensive, but because of the nature of the holiday season, one of the most prevalent is phishing. This is the use of fraudulent emails to gain access to company networks, steal sensitive personal or business information and financial details, and more.
Phishing attacks tend to increase during the holidays because of the sheer amount of sales during popular shopping holidays such as Black Friday and Cyber Monday. Billions of dollars are spent in a span of just a few days, accounting for significant portions of retailers’ annual sales. And to ensure they got as much of that revenue as possible, retailers sent nearly 8 billion emails in 2018 for Black Friday and Cyber Monday combined.
Clearly, cybercriminals have a large opportunity at this time of year to slip malicious messages containing fraudulent links or infected attachments into your personal and professional inboxes. In both our private and work lives, things are getting busier and busier. At home, we’re trying to plan for the holidays and get our shopping done as quickly as possible. At work, we’re trying to get projects done and budgets finalized before the end of the year.
It can be easy to overlook the signs that indicate whether a message is from a trusted source or a malicious one. On top of that, not all phishing attempts are the same. Attackers use different strategies to maximize the number of angles they can use to get their malware on your machine or your sensitive personal or work data into their hands.
Let’s take a look at some of the ways phishing emails are used to take advantage of the hustle and bustle of the holiday season.
Order Receipts and Shipping Notifications
It should come as no surprise that online shopping is huge at this time of year. While online shopping still only accounts for a portion of overall retail sales annually, it’s enough for cybercriminals to make use of holiday phishing scams that seem to just be part of the normal everyday retail emails you receive. One of the most effective scams is creating and sending fake order receipts and shipping notifications.
Email receipts have an exceptionally high open rate — around 65 percent versus the retail industry average of around 13 percent — because consumers want to know that everything was correct with the order. The same goes for shipping notifications. Shoppers simply want to know when their order is expected to arrive. The latter are particularly useful for cybercriminals because shoppers have to click a tracking number to view their order’s progress.
With this strategy, it’s a bit of a numbers game. Unless a hacker already had access to your system and contacts, it would be difficult for them to know that you order from certain retailers. However, with massive companies like Amazon (which owns 49 percent of the eCommerce market in the U.S.), the chance of you opening a fake order notification is higher than with other retailers. While the word “Amazon” in the subject line or From email address might make an email appear to be safe, it’s important to slow down and assess other details.
Does the From email make sense? Are there any grammatical issues or misspellings? If you open the email, do the layout and wording make sense? Is the information even accurate? Or, is there a suspicious PDF attachment (an unlikely thing considering proper eCommerce platforms will have all the details of your order viewable in the email body)? If an email appears suspicious, don’t click any links. Back out and delete it from your system. If you’re at work and accidentally open or click a link, notify your IT or information security team right away.
Marketing Emails
Next up on our list of holiday phishing scams are promotional emails themselves. Around this time of year, you’ll likely notice an uptick in the number of promotional emails you receive. In some cases, some companies are on the verge of spamming with multiple emails per day. While you can of course unsubscribe, the effect isn’t always immediate, and you’ll be stuck with dozens of emails per day (if not more).
It’s important to act carefully during this period of high email traffic for a couple of reasons. First are the phony offers. Designing an email to look like a promotional offer from a major retailer isn’t difficult, and with an enticing offer, it’s bound to grab the attention of many wanting to capitalize on the deal being made. However, all it takes is one click to put you and your company at risk of information theft or malware.
Also consider the act of unsubscribing itself. Perhaps you receive too many of a certain offer over the course of a day. If you don’t click the offer itself, you might instead click the unsubscribe link. However, that text in the email doesn’t necessarily mean you’ll actually be unsubscribing. Instead, that could be a malicious link that redirects you to a phony website or downloads malware onto your machine.
Just as with order receipts and shipping notifications, pay attention to the details. Look to see who sent the email and from what address. Typos happen — but glaring or excessive typos should be a clear indicator that something is up. If you have any concerns or reservations about the email, don’t click anything. Delete the email. If you’re at work, notify your IT team that you received a suspicious email.
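The checks described in the two sections above (who really sent the message, where a link really goes, and whether an unexpected PDF is attached) can be automated by an IT or security team. The following Python code is an added example, not part of the original article; the brand allow-list, the `triage` function, and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
BRAND_DOMAINS = {"amazon": "amazon.com"}  # assumption: illustrative allow-list
# Constructed sample message, not a real phishing email.
SAMPLE = '''From: "Amazon Orders" <orders@amazon-shipping.example>
Subject: Your Amazon order has shipped
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<a href="http://track.example.net/t">https://www.amazon.com/track</a>
<a href="http://203.0.113.7/u">Unsubscribe</a>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="receipt.pdf"

%PDF-1.4
--b1--'''

class Links(HTMLParser):  # collects (visible text, real destination host) per <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.text.strip(), urlparse(self.href).hostname))
            self.href = None

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender, flags = msg["From"].addresses[0], []
    claimed = f"{sender.display_name} {msg['Subject']}".lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in claimed and not ("." + sender.domain.lower()).endswith("." + domain):
            flags.append(f"claims {brand} but sent from {sender.domain}")
    body, parser = msg.get_body(("html",)), Links()
    parser.feed(body.get_content() if body else "")
    for text, host in parser.found:
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != host:
            flags.append(f"link shows {shown} but goes to {host}")
    flags += [f"attachment {a.get_filename()}" for a in msg.iter_attachments()]
    return flags, parser.found
```

`triage(SAMPLE)` returns the three flags plus every link's real destination, which shows that the "Unsubscribe" text in the sample points at a bare IP address rather than the retailer.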
Protect Your Company from Holiday Phishing Scams
Inversion6 works with numerous organizations to both prevent phishing attempts and resolve any problems that might arise from accidental interaction with them. We also work closely with leadership and IT teams to educate employees on email best practices and what phishing attempts look like. If you’d like to learn more about our security services, fill out the form below and we’ll be in touch with you right away.