Avoiding holiday and Christmas phishing attempts
While the holidays are, for many, a time to celebrate and visit loved ones, they’re unfortunately also a time when scammers and hackers are at their best. Hackers attempt to take advantage of trusted contacts, but also trending events, and holidays are ideal for this. During the holidays, there’s ample opportunity to exploit “deals,” gift card offerings, links, and even trusted contact sources to deliver malware payloads (or similar).
Hackers also take advantage of sales events (discounts, Black Friday) to lure unsuspecting users into giving away their personal information. It’s a trend that rides any major event, but the holidays are a consistent time of year for it.
What they are, how to avoid them
The “good” news about holiday-themed and related scams is that keeping safe is a matter of common sense and extra scrutiny. Another thing to note: holiday scams use phishing and social engineering techniques to achieve success. Therefore, what works to protect yourself from phishing can work here too; it’s only a matter of identifying the scams in question.
That said, there are several holiday phishing schemes unique to the season, so it’s important to recognize their characteristics and what subjects scammers take advantage of.
In brief, a phishing scam is a type of social engineering whereby hackers attempt to appear as legitimate sources of contact. They’ll send emails, texts, even voice messages claiming to be something they aren’t, whether that’s a coworker, company, or even family member or friend. If you haven’t already, this is the perfect time to learn what they’re about and how to identify them.
We’ve covered it in depth before in this article.
Now that you have an idea of what a phishing scam is, it’s time to look out for holiday-specific ones. There are common kinds of holiday phishing scam attempts anyone can be aware of. Whatever the subject, threat actors will exploit every advantage they can get, holidays included.
Scam 1: Falsified Shipping Information
Online orders and purchases are incredibly common in late November and early December for holiday-related shopping. Therefore, scammers take aim at these with falsified notifications about a shipping order where possible.
This can come in the form of texts or emails related to an order number, usually formatted to inform the recipient something is “wrong” with said order. Or, it’s an alert that appears legitimate, such as a text from a shipment provider like UPS or FedEx. If the recipient clicks on any provided links, they’re prompted to input information about the delivery or taken to a malicious website.
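To make the "extra scrutiny" concrete, the following added example (not from the original article) checks whether the links in a shipping notice really belong to the carrier the message names. It assumes the carriers' official domains are ups.com and fedex.com; the function names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Official domains of the two carriers the article names; extend for your own vendors.
CARRIER_DOMAINS = {"ups": "ups.com", "fedex": "fedex.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real traffic); *.example hosts are reserved names.
SAMPLES = {
    "legit": "UPS update: your parcel is out for delivery. "
             "Track it at https://www.ups.com/track?tracknum=1Z999.",
    "lookalike": "FedEx: there is a problem with order 48213. Confirm your "
                 "address: https://fedex.com.parcel-help.example/confirm",
    "userinfo": "UPS delivery failed, reschedule here: "
                "https://ups.com@redeliver.example/r",
}


def host_matches(host, domain):
    """True only if host is the official domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_message(text):
    """Return (url, reason) pairs for links that do not belong to the
    carrier the message claims to come from."""
    claimed = [dom for name, dom in CARRIER_DOMAINS.items()
               if re.search(r"\b" + name + r"\b", text, re.IGNORECASE)]
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
        except ValueError:
            findings.append((url, "malformed URL"))
            continue
        if parts.username is not None:
            # Text before '@' is not the host; the browser connects to what follows it.
            findings.append((url, "userinfo before '@' hides real host " + host))
        elif claimed and not any(host_matches(host, d) for d in claimed):
            findings.append((url, "host " + host + " is not the claimed carrier's domain"))
    return findings


if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(label, check_message(message))
```

The point of the check is that a carrier's name appearing somewhere in a link proves nothing; only the end of the host name, read right to left, says where the link actually goes.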
Scam 2: Fake Disaster and Charity Websites
In a time where legitimate charity and disaster relief groups try to provide relief to the needy, scammers are just fine exploiting the nature of these programs for personal gain. It’s nothing new, however, as fake donation requests have always been a thing even before the proliferation of digital scammers.
This one is simple: a fake donation website will request funding for disaster relief or other charity programs. Double check to make sure the actual charity is legitimate and be wary of any social media links or pages requesting aid for vague reasons.
Scam 3: Artificial Deals/Websites
People look to save around the holidays, and deals for the season are incredibly common too. That’s ideal for scammers, who take advantage by presenting fake websites for “holiday discounts.” Users may fall victim to these scams via a malicious message, whether through email or direct text, declaring a special deal or holiday-themed discount. Said messages typically contain a link which leads the user to a malicious website.
In other cases, there are falsified websites too. Whether that’s for sales, “charity,” or other holiday themes, they operate as a snare to fool victims into giving away personal data.
Scam 4: Fake Promotions on Social Media
The prevalence of social media platforms like Facebook means threat actors have a prime foundation to operate from. With phishing and social engineering tactics, holiday promotions and scams are commonplace on these websites.
Similar to “deals,” the idea is to steal user credentials by promising a sale of goods at a lower price. But once the “sale” is concluded the victim loses their personal information, which third parties then use for various dark web purposes.
Part of protecting yourself on the web is early recognition of phishing schemes and scam attempts, even during the holidays. Hackers will deploy any method if it translates to a successful breach, and they understand that busy seasons equate to higher success rates.
The good news, however, is that avoiding these digital pitfalls is much like avoiding any other phishing attempt. It’s important to maintain a personal philosophy of zero trust and “don’t trust until verified.” Most scams rely on human error and misconceptions to achieve success.
There’s a “cheat sheet” of things you can do to prevent falling victim to holiday-themed scams, including:
- Always keep your anti-virus services, along with important apps and software, updated to the latest versions
- Use “zero trust” where relevant, such as when receiving messages, texts, and emails from unknown sources
- Only purchase from verified vendors and trusted sources for holiday shopping needs
- Understand the signs of phishing emails
- Enable MFA where relevant on your devices
- Avoid suspicious links found on any platform you aren’t 100 percent certain about
- Maintain a robust library of strong passwords for your various logins
Essentially, a common-sense strategy is the name of the game and the best option to follow. However, not everyone knows what to do. If you need additional help, it’s time to reach out.
Bytagig is dedicated to providing reliable, full-scale cyber security and IT support for businesses, entrepreneurs, and startups in a variety of industries. Bytagig works both remotely and with on-site support in Portland, San Diego, and Boston. Acting as internal IT staff, Bytagig handles employee desktop setup and support, comprehensive IT systems analysis, IT project management, website design, and more. Bytagig is setting the standard for MSPs by being placed on the Channel Future’s NexGen 101 list.