Seasonal Phishing Scams: Protect Your Enterprise During the Holiday Spike

The holidays are a hectic time. It’s often the busiest sales period of the year, generating the lion’s share of revenue for many organizations. At the same time, employees are wrapping up their big projects before the office closes for the winter break. Meanwhile, everyone’s trying to work around increasingly packed schedules while caring for their personal and family needs. 

This is also a busy time for cyber attackers, who leverage the increased whirlwind in communication and business activity to sneak in email and mobile phishing attacks designed to gain access to critical systems and sensitive information. 

To help CISOs maximize their cybersecurity stance, we’ve created this guide to cover common phishing scams during the busiest time of the year. We’ll explore common phishing techniques cyber attackers use during the holidays, as well as ways your organization can prevent these attacks. That way, you can keep your employees and sensitive information safe and sound into the new year.

‍

Why are cyberattacks increasing during the holidays?

Both CISA and the FBI have issued warnings surrounding the increase in cyber crime during the holidays. Much like how retail businesses see spikes in theft during this time of year, many organizations see a similar rise in how many cyber attacks happen per day — and the reasons why are eerily similar:

• Businesses are understaffed. Just like how burglars scout neighborhoods for vacant houses during the holidays, cyber attackers do the same for digital infrastructure. Many employees — including those working in IT — take vacation during the holiday season. With fewer eyeballs monitoring and responding to security threats, it’s easier for threat actors to slip through automated defenses undetected.
• An influx of communication. Businesses send more marketing messages to consumers — sometimes over 100 times more than the rest of the year. Consumers buy more products online. Employees send more emails, both internally and externally. There’s simply far more valuable data out there for cyber attackers to grab during this time. Plus, the sheer volume of emails makes it easier for phishing attempts to blend in with the real thing, allowing malicious actors to sneak past the untrained eye. 
• People are distracted. Your fellow employees are only human. They’re juggling multiple meetings, managing projects, and trying to get their work done on top of planning family get-togethers and picking up presents for their kids. Someone who is stretched thin as it is will be less likely to pay close attention to that suspicious email — especially if it looks just like the real thing.

‍

Common holiday phishing scams

The following phishing attacks are relatively common throughout the year, but cyber attackers lean on them during the holidays because they are especially effective when your employees are at their busiest and most distracted.

• Fishing for out-of-office email responses. This isn’t necessarily an attack in itself but can act as a prelude to future attacks. Malicious actors will spam employee emails looking for automated out-of-office responses. The goal is to sift for information, like which days employees will be away, alternate phone numbers to contact, and other details. Attackers can then use this information to further improve their attempts to gain access through social engineering.
• Fraudulent package delivery and payment texts. The increase in online purchases and package deliveries means an increase in package or payment-related phishing scams. Attackers try to convince victims that an incoming package has been misdelivered or that a recent payment failed. They’re encouraged to click a link within the text or email and enter their credentials into a website designed to look like the postal service or online retailer to rectify the issue. When the user tries to log in, their password, username, and relevant MFA codes will end up in the attacker’s hands — and the victim will be left scratching their head.
• Fake emails and texts from businesses. Similarly, malicious actors will try to send out emails and texts pretending to be from businesses that victims may have interacted with. The messaging and layout may be different, but the goal is the same: to trick the victim into entering their credentials into a phony landing page so the attacker can use them to gain access to critical infrastructure.
• Messages from the CEO or co-workers. In the spirit of the holidays, it’s easy to see a request for help from a fellow employee, manager, or even the head of the company and immediately want to offer assistance. In many cases, these texts or emails are phishing attempts designed to get you to hand over your credentials, much like other social engineering attacks. 

‍

How to prevent phishing scams during the holidays

Fighting back against phishing is challenging work — but it isn’t impossible. It requires a concerted effort between your security team, key stakeholders, and the rest of the organization to follow best practices and stay alert for potential attacks. Keep the following tips in mind as you prepare for the holidays:

• Put your security teams on alert. Even if everyone’s at home for the holidays, you should keep a team of IT professionals available and on call to handle any emergencies should they arise. They don’t need to be tied to their desks, but they should regularly monitor the network for suspicious activity and be ready to go if alarm bells start ringing.
• Be diligent with your email filters. Leverage automation to detect and quarantine phishing messages and other spam from employee’s inboxes so these hacking attempts never reach them in the first place.
• Stay on top of employee training. Yes, everyone’s busy during this season, but a quick refresher on how to spot phishing scams and alert IT will be beneficial to keep employees vigilant. You can also take this time to go over other steps to prevent malicious actors from learning too much about employee whereabouts or contact details, like setting generic out-of-office messages or waiting until employees return from vacation to share photos on social media. 
• Know who will be working during office closures ahead of time. Being aware of who might be accessing sensitive data — whether remotely or in the office — during the holidays will help you avoid investigating false positives. That way, you can spend more resources looking into legitimate intrusion attempts. 
• Lean on your security tools and best practices. Confirm that employees have enabled multi-factor authentication, that they’re using unique, high-quality passwords for each account, and that your internal security policies adhere to least-privilege access practices. Mobile endpoint security tools can also help fill the gaps on unmanaged devices, allowing you to detect and prevent intrusion attempts across numerous points of entry.

‍

Are you ready for the holidays? Find out in our assessment

Don’t wait until it’s too late to find out if your security stance is strong enough to withstand the tide of holiday phishing scams. Request a free SMS phishing assessment from Lookout today, and we’ll help you determine if your organization is up to snuff.