December 23, 2024
The Rise of Holiday Cyber Threats: What Organizations Need to Know
For most people, the holidays may be a time for winding down and taking a break. For cyber criminals, it’s just the opposite. With many of your staff out of the office or signing in remotely, and a large percentage of business being done at the end of the year, organizations are a prime target for cyber threats on and around the holidays.
To protect your organization, you’ll want to enact a firm security framework. Even better if it includes security measures that are largely automated or can be monitored by a relatively small IT staff. You don’t want the fact that your team is on holiday to leave the door open for cyber attackers.
We’ve assembled the following tips and techniques to help you secure your organization for the holidays. With an emphasis on the most common cyber threats around this time of year, and the tools you can use to stop them, this guide will help you keep your system safe from holiday hackers.
Holiday cybersecurity tips for enterprises
If you have a firm security framework in place, you’re already a step ahead of would-be attackers. If you don’t, then now is the time to start practicing strict cybersecurity measures. The following methods are a good way to secure against cyber threats.
Embrace zero trust
Zero trust architectures operate under the “never trust, always verify” principle. They assume any user account could be compromised, even if the login credentials are accurate. This is an especially useful philosophy during the holidays, when many of your users may be traveling, accessing your network from unfamiliar endpoints, or potentially exposing their credentials to holiday hackers.
In a zero trust system, users must continuously verify their identities through multifactor authentication (MFA), continuous logins, behavioral analysis, IP scanning, and other means. The system will then limit access to files and applications based on the results of those challenges or terminate the user’s access entirely. While this can be potentially burdensome to legitimate users, for attackers, it presents an incredibly challenging wall of obstacles.
Use a security service edge (SSE) solution
A security service edge (SSE) solution protects against a wide assortment of threats, including malware and unauthorized logins. Administrators can use a single, unified cybersecurity platform to quickly identify and isolate threats, making SSE a useful tool over the holidays when many of your teams may be unreachable.
SSE incorporates technologies like zero trust network access (ZTNA), secure web gateway (SWG), and cloud access security broker (CASB) to securely provide users with access to cloud data no matter where they are. It also provides administrators with full access and control over what’s happening on the network.
Train your staff
People are often the weakest links in any security chain. This makes training essential as the holiday season (and its scams) gets underway. If employees know how to recognize and avoid some of the most common social engineering schemes, they’ll be much less likely to provide bad actors access to your systems.
Before the holiday season begins, give your teams a refresher course on common cybersecurity risks and best practices. Remind them of the phishing, smishing, missing-package, and executive impersonation (known as whaling) scams that are common around the holidays. And be sure that everyone has the latest security software and updates installed.
For more tips, read 5 Essential Holiday Cybersecurity Tips for Enterprises: Safeguarding Against Seasonal Threats and How to Prevent Hacking During the Holiday Season.
Holiday phishing scams
Some phishing scams are common throughout the year, but bad actors tend to lean on them more heavily during the holidays, when workers might be most distracted. Here are the most common holiday phishing scams to be aware of.
- Fishing for out-of-office emails. This can be a precursor to a phishing scam. Attackers will flood email addresses, looking for out-of-office replies that have detailed information about when a person will be away and contact information for other accounts they might target with social engineering scams. They will then use this information to carry out more targeted attacks.
- Missing package or payment scams. The increase in online ordering during the holidays means users can be more susceptible to this scam. Attackers send a fake message claiming a package has been held or misdelivered or a payment has not gone through. The message will ask the user to click a link to sort out the issue, and the link will lead to a fraudulent site that will capture the user’s login credentials when they attempt to correct the issue. Training users to carefully check the legitimacy of the sender’s email addresses or phone numbers and spot impersonators can help stop these scams in their tracks.
- Fake emails and texts from businesses. Attackers will try to convince users that a message is coming from a business a user has patronized in the past, asking them to log in to their account. Similar to the above, when the user does so, they will be led to a fraudulent site that captures their credentials. Often, attackers will use fake images or impersonated URLs to make their messages look authentic. Again, knowing how to spot a fake can make a huge difference.
- Executive message scams. These phishing attempts purport to be from a higher-up asking for help. Instead, they are social engineering attempts designed to capture your details. Make sure your people know how to verify a message is real before responding, or to simply not offer any sensitive information via text. If you’re in doubt, use a company-approved message system to check if the sender is really who they say they are.
For more information about seasonal phishing scams and how to avoid them, read Seasonal Phishing Scams: Protecting Your Enterprise During the Holiday Spike.
The most common holiday cyber threats
Phishing isn’t the only risk during the holidays. Cyberattacks of all kinds ramp up during the end of the year. Knowing what risks you face and how to thwart them can make the difference between a happy holiday and a painful experience with cyber attackers.
- Ransomware attacks. Ransomware attacks involve an attacker blocking access to a system or capturing data and threatening to damage or erase it if their demands, usually large cash payments, are not met. While 72% of cyber attacks happen on a weekend or holiday, when it comes to ransomware attacks, that number rises to 86%. Although ransomware attacks are not new, the rise of cloud data services has advanced the threat, making them potentially more severe.
- Credential theft. Most cyber attackers use stolen credentials, letting them simply log in as if they belonged. Attackers gain these credentials through social engineering, from data stolen and sold on the dark web, or through other means, and once they’re in, they have total access to your system (unless you employ zero trust measures).
- Typosquatting attacks. Typosquatting, also known as URL hijacking, targets users who are in a hurry or have limited familiarity with their intended destination. This threat involves fake websites that are difficult to distinguish from the real thing, with similar-looking web addresses. Typosquatters take advantage of people to capture their payment information or login details and potentially sell them. On top of monetary costs to exploited users, the damage to the real business’s reputation can be severe.
- Supply chain attacks. Sometimes, an attacker doesn’t need to target your organization directly to get to your system. They can instead target an organization in your supply chain, as in the infamous 2020 SolarWinds hack. In this case, the attackers deployed malicious code into an IT monitoring system and used that breach as a back door to access unsecured data. The result was a massive breach involving tens of thousands of organizations and prompting a US government response.
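The lookalike addresses described under typosquatting, and the impersonated URLs in the phishing list earlier, can be screened for automatically in a mail or web filter. The following is an added example, not code from the original article or from Lookout; the trusted domains, the swap table, and the distance threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization really uses (assumption).
TRUSTED = ("examplebank.com", "fastparcel.net")
# Small illustrative subset of visual swaps seen in lookalike addresses.
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(name):
    """Collapse confusable sequences so 'examp1ebank' compares equal to 'examplebank'."""
    name = name.lower()
    for fake, real in SWAPS:
        name = name.replace(fake, real)
    return name

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def classify(url):
    """Return (verdict, matched trusted domain) for the host in a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    domain = ".".join(host.split(".")[-2:])  # naive: ignores multi-part suffixes
    if domain in TRUSTED:
        return "trusted", domain
    for good in TRUSTED:
        # Trusted name used as a subdomain or glued into another label.
        if good in host or good.split(".")[0] in host.replace("-", ""):
            return "embedded", good
        # Threshold of 2 is an assumption; short domains need a tighter one.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "lookalike", good
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a delivery or login message.
    for link in ("https://www.examplebank.com/", "https://examp1ebank.com/login",
                 "http://fastparcle.net/track", "https://news.example.org/",
                 "https://examplebank.com.account-verify.net/"):
        print(link, "->", classify(link))
```

A production filter would take the registrable domain from the Public Suffix List and use a fuller confusables table that also covers non-ASCII characters.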
For more common holiday cyber attacks and tips on how to avoid them, read The 7 Most Common Types of Cyber Attacks During the Holiday Season and Holiday Season Cyber Attack Patterns and Their Impact on Enterprise Operations.
How to strengthen your digital defenses against holiday hacking
Over a third of organizations say it takes longer to stop attacks during the holidays, and 31% say holiday hacks cost them more than the average breach. In short, prevention is even more important at this time of the year. These tools and tips will help you harden your defenses.
Multifactor authentication
Multifactor authentication (MFA) means adding a second layer to users’ login credentials. MFA will either send them an email or a text message or require a code from an authenticator program. It’s an additional layer of security that makes a big difference in preventing unauthorized access. Even though login credentials can be lost, guessed, or stolen, MFA greatly reduces the risk that an attacker can brute force their way into your system.
MFA does add some complexity for users. Logging in may take a few extra seconds, and keeping track of additional security programs can be a chore. But the benefits outweigh the minor hassle.
Mobile endpoint detection and response
Given the likelihood your teams will be scattered to the winds during the holidays, you need a system that can monitor and secure your network automatically. Mobile endpoint detection and response (EDR) constantly monitors logged-in mobile devices, comparing their activity to established standards. This enables your IT teams to verify activity at a glance. AI-powered responses even help secure your organization when your cybersecurity pros aren’t online.
If a device begins behaving strangely or accessing parts of the system it doesn’t ordinarily, mobile EDR can automatically shut it down or quarantine sensitive data. While this may cause an occasional inconvenience for a legitimate user, it’s a lot better than giving threat actors unrestricted access.
To learn more about strengthening your defenses, read ’Tis the Season: How to Strengthen Your Defenses Against Holiday Hacking.
Harden your holiday security posture with Lookout
Your teams work hard. They deserve to take a break during the holidays and not worry about cyber threats. And you deserve to celebrate the holidays without worrying that cyber attackers will rob the store while everyone is away.
Protecting your organization against phishing attempts is one way to ensure you have a happy and safe holiday. With the Lookout Free SMS Phishing Assessment, you can test to see if your people know the difference between a legitimate email and a scam designed to lower their defenses. Try it out today.