Crooks don’t take time off like the rest of us. Our holiday shopping, travel and charitable giving provide a rich hunting ground for the bad guys, many of whom will use computer hacking to steal our identities and invade our devices. Corporations are also exposed to exceptional security risks during the holidays as phishing attacks target their employees with seasonal scams.
Phishing uses deceptive emails and fake web URLs to trick employees into disclosing login credentials and personal information or downloading malware. When the attack is directed at employees, the primary goal is to steal login credentials and gain access to enterprise data, or to create other mischief. Unfortunately, phishing is increasingly common in the corporate realm, and it is getting more sophisticated over time. There were well over 100,000 unique phishing attacks in 2014. Some major brands receive more than 1,000 phishing attacks every month.
8 Out of 10 Smart People Fall for Phishing Attacks
CBS News researched phishing during the 2014 holiday season in partnership with Intel Security and discovered that an astonishing 80% of email recipients could easily be duped into clicking on at least one malware link in a series of messages. How can this happen? It turns out that otherwise savvy people click on links in emails due to sophisticated impersonation techniques. Phishers are able to create replicas of real websites that can easily fool employees during the holiday season.
Employees are also lulled into lowering their guard through the even more dangerous practice known as “spear phishing,” which uses the identities of friends and colleagues to make the email more convincing. For instance, a spear phisher might look at LinkedIn and determine that Bob and Jeff work together at the same company. Then, posing as “Bob,” the phisher might send an email to Jeff that says, “Hey, Jeff, check out this cool charity everyone in the office should donate to for the holidays.” The email contains a link either to a completely bogus charity or to a “spoofed” version of a well-known charity such as United Way. Either way, the phisher has increased his odds of getting Jeff to click on the link. Once Jeff is there, the phisher can download keylogging software onto Jeff’s devices and then steal his credentials to access the corporate network and data stores.
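One way a mail filter could flag links like the one in the “Bob” message, shown as an added example that is not part of the original article: it compares each link's visible text and destination against a list of trusted domains. The domain names, the sample email and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the organisation really deals with (hypothetical name).
TRUSTED = {"holidaycharity.example"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(url):
    """Last two host labels; production code should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(href, text):
    """Return the reasons a link looks spoofed; an empty list means no flag."""
    dom, reasons = registrable(href), []
    for good in sorted(TRUSTED):
        if dom == good:
            continue
        if good in text.lower():  # text names the real site, href goes elsewhere
            reasons.append(f"text shows {good} but link goes to {dom}")
        if SequenceMatcher(None, dom, good).ratio() >= 0.85:  # near-miss spelling
            reasons.append(f"{dom} resembles {good}")
    return reasons

def scan(html):
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample email body, modelled on the "Bob to Jeff" charity message.
SAMPLE = """<p>Hey, Jeff, check out this cool charity:</p>
<a href="http://holidaycharity.example.donate-now.test/give">www.holidaycharity.example</a>
<a href="https://www.holidaycharlty.example/">Donate now</a>
<a href="https://www.holidaycharity.example/">Holiday Charity</a>"""

if __name__ == "__main__":
    for href, why in scan(SAMPLE).items():
        print(href, "->", why or "ok")
```

The first sample link is caught because its text names the trusted site while the real destination is a different domain; the second is caught on spelling alone, and the genuine link passes.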
Other holiday phishing scams include fake advertising for Black Friday or Cyber Monday sales. Or, phishers pose as credit card companies seeking to validate “suspicious charges” on an employee’s statement. Because people are typically charging their cards frequently during the holidays, they may not pay very close attention to an email like the actual phony American Express phishing attack shown below.