Don’t Be a Turkey: Avoiding Holiday Phishing Scams

Crooks don’t take time off like the rest of us. Our holiday shopping, travel and charitable giving give attackers a rich hunting ground, and many of them use phishing and malware to steal our identities and take over our devices. Corporations face heightened risk during the holidays as well, because attackers target their employees with seasonal holiday phishing scams.

Phishing uses deceptive emails and look-alike web addresses to trick employees into disclosing login credentials and personal information, or into downloading malware. When the target is an employee, the usual aim is to harvest credentials that give the attacker access to enterprise data, or a foothold for other mischief. Unfortunately, phishing is increasingly common in the corporate realm, and it is getting more sophisticated over time. There were well over 100,000 unique phishing attacks in 2014, and some major brands see more than 1,000 phishing attacks against their name every month.

8 Out of 10 Smart People Fall for Phishing Attacks

During the 2014 holiday season, CBS News, working with Intel Security, tested how people respond to phishing email and found that an astonishing 80% of recipients could be duped into clicking at least one malicious link in a series of messages. How can this happen? Otherwise savvy people click on links in email because of sophisticated impersonation: phishers build convincing replicas of real websites, and during the busy holiday season those replicas easily fool employees and power devastating holiday phishing scams.

[Image: holiday phishing scams and how to prevent phishing attacks]

Employees are also lulled into lowering their guard by the even more dangerous practice known as “spear phishing,” which borrows the identities of friends and colleagues to make the email more convincing. For instance, a spear phisher might look at LinkedIn and determine that Bob and Jeff work together at the same company. Then, posing as “Bob,” the phisher sends Jeff an email that says, “Hey, Jeff — check out this cool charity everyone in the office should donate to for the holidays.” The link in the email leads either to a completely bogus charity or to a “spoofed” copy of a well-known charity such as United Way. Either way, the phisher has improved the odds that Jeff will click. Once Jeff lands on the site, the phisher can push key-logging software onto Jeff’s devices, capture his credentials and use them to reach the corporate network and data stores.

Spurious Sales

Other holiday phishing scams include fake advertising for Black Friday or Cyber Monday sales. Or phishers pose as credit card companies seeking to validate “suspicious charges” on an employee’s statement. Because people are charging their cards frequently during the holidays, they may not pay close attention to a message like the phony American Express phishing email shown below.

[Image: phony American Express phishing email]

Tickets to Nowhere

Travel is another vector for corporate holiday phishing. Emails offering last-minute travel deals can lure employees into clicking malicious links. The fake Air Canada website shown below was used in a phishing attack in 2014, according to the site isitphishing.org. In this case the site’s URL was http://pupidolly.com/tr/aircanada/: the brand name appears only in the path, while the registered domain is pupidolly.com, which should have raised a red flag with employees who saw it. However, as the research shows, most people are too busy to notice.
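The red flag in that URL, and in the spoofed charity link from the spear-phishing example above, can be checked mechanically: the brand name sits in the path or a subdomain while the registrable domain belongs to someone else, and the visible link text often shows a different address than the href. The following is an added example written for this article, not Vade’s product or any code from isitphishing.org. The brand allow-list is hypothetical, the sample email is constructed (only the first URL is the one quoted above), and the two-label “registrable domain” helper is a simplification that a real deployment would replace with a Public Suffix List lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list for this example: brand keyword -> domains the
# brand legitimately uses. Real code would maintain this from verified data.
KNOWN_BRANDS = {
    "aircanada": {"aircanada.com"},
    "americanexpress": {"americanexpress.com"},
    "unitedway": {"unitedway.org"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'pupidolly.com'.
    Simplification: production code should use the Public Suffix List so
    that hosts such as 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(url: str) -> list:
    """Brands whose name appears in the URL while the domain is not theirs."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return []
    domain = registrable_domain(host)
    # Normalise so 'air-canada' or 'air_canada' in a path still matches.
    haystack = (host + parsed.path).lower().replace("-", "").replace("_", "")
    return [b for b, owned in KNOWN_BRANDS.items()
            if b in haystack and domain not in owned]


def displayed_host(text: str):
    """Hostname if the visible link text looks like a web address, else None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return [(href, [reasons])] for every anchor that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        hits = brand_lookalike(href)
        if hits:
            reasons.append("brand name outside its own domain: " + ", ".join(hits))
        shown, actual = displayed_host(text), urlparse(href).hostname
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            reasons.append(f"text shows {shown} but link goes to {actual}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email. The first href is the URL quoted in the article;
# the other two are made up for the example.
SAMPLE_EMAIL = """
<p>Last-minute holiday fare! <a href="http://pupidolly.com/tr/aircanada/">www.aircanada.com</a></p>
<p><a href="https://www.americanexpress.com/">Review your recent charges</a></p>
<p><a href="http://example.net/donate">Office charity drive</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only the Air Canada link is reported, on both counts: the brand name is outside its own domain and the anchor text advertises a different host than the href. The American Express link passes because its registrable domain is on the brand’s list, which is the point of keeping an allow-list rather than treating every brand keyword as hostile. These checks catch the obvious cases; they do not catch a typosquatted domain or a link that is repointed after delivery, which the rest of this article discusses.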

High Impact Attacks

Phishing carries serious business impacts. Across the 350 corporations surveyed by the Ponemon Institute, the average cost of a security incident was $3.79 million. Consequences include reputation damage, loss of intellectual property or trade secrets, and exposure of customer records. There can also be direct financial costs such as regulatory fines, legal liability, the cost of compensating identity theft victims affected by the attack, and outright financial theft.

Standard Security Solutions Are Not Enough

The big challenge in mitigating phishing risk is that standard countermeasures such as anti-spam filters, web filtering and anti-virus do not reliably stop it.

The reason is that phishing emails are not “spammy,” and at delivery time the URLs they carry point at pages that look harmless to standard email filtering software, so the message passes the filter and sits in the recipient’s inbox. Within a short time, perhaps an hour, the attacker repoints that link to a malicious site. By the time the recipient opens the email, the same link is toxic and leads, for example, to a phishing page that harvests user credentials. Web filtering does not stop this either, because phishing sites are generally not online long enough to be blacklisted.

Anti-virus won’t help in this case because no malware is involved: the page simply asks for a password. The site is brand new, so it appears on no blacklist and triggers no standard web filter. Without specific anti-phishing protection, your employees are exposed.

Specific Anti-Phishing Tools Are Needed

Vade’s anti-phishing solution offers unique protections that layer on top of existing anti-spam solutions to give employees and organizations better overall email protection.

Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.