Don't Get Reeled in by Holiday Phishing Attacks

We expect the holiday season to be a time of good cheer, and peace and goodwill to all, right? Except cyberattackers didn't get the memo. They are more likely to attack businesses with phishing attempts during the holidays. Prevent issues by knowing what to expect.

Barracuda's cybercrime research found that the season "dramatically impacts" the volume of phishing attacks: they "spiked to more than 150% above average" in the week before Christmas and then dwindled significantly after the holidays.

Why would hackers target a business during the holidays? Because they know things can slow down and people aren't paying the same diligent attention. They're already mentally out the door sipping eggnog and planning where to do last-minute shopping. Oops! They click on a malicious link or fill out a form seeking sensitive information.

Or they expect you're overwhelmed, trying to get everything done before the holidays. Purchase orders, bills, and emails are flying around. They bank on people overlooking details.

The Basics of Phishing

Phishing is social engineering: instead of exploiting a flaw in software, the attacker exploits a lapse in attention. The hacker dupes someone into responding to a fake request that appears to come from a bank, vendor, or colleague. They are hoping to get a nibble from unsuspecting employees who don't think to:

  • check the spelling of the domain in an email link, since the text shown and the address it actually points to can differ;
  • be wary of URL redirects to fake sites made to look legitimate;
  • question why Jamie in HR needs their access credentials;
  • confirm a suspicious email with the sender through a channel they already trust, such as a known phone number, rather than by replying to it.

During this season at the office, everything can feel urgent, and employees are more likely to fall for emails telling them to do something right now. They might not notice that an invoice from a regular supplier carries a new bank account number, or they might approve a request they would normally question because they are distracted or too busy. A change in payment details should always be verified by phone at a number already on file, never by replying to the email that announced it.

Top email subject lines that target employees for phishing attempts include:

  • "Undelivered mail"
  • "HR: Your Action Required"
  • "HR: Download your W2 now"
  • "Microsoft Teams: Rick sent you a message."

It's easy to imagine how someone would click on those without thinking twice.

What to Do About Phishing

Talk to employees about the dangers of phishing and how to avoid it, and reiterate policies on payments, wire transfers, data sharing, and sending confidential data. Do this before the holiday rush rather than during it, when the message is least likely to sink in.

Other preventative measures include:

  • Make sure all security updates are current and installed to patch known vulnerabilities.
  • Set up automated filters to check the safety of links in inbound emails before they get to the user.
  • Test your infrastructure to identify any weak points.
  • Establish geofences to inspect traffic coming from certain regions associated with phishing.
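As an added example (not code from the original article), the Python below applies a few of the link checks listed under the basics of phishing, the same kind of inspection an automated filter on inbound mail can do before a message reaches the user, to a constructed HTML message. The allow-list of trusted domains, the sample message, and the look-alike heuristics are assumptions for illustration; a production filter would use a public-suffix list, URL reputation data, and a real confusables table.

```python
"""Flag suspicious links in an HTML email body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed allow-list of registrable domains a hypothetical company trusts.
TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com"}

# Characters attackers commonly swap in to imitate a domain (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Assumption: no public-suffix list here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain):
    """Fold common look-alike substitutions so 'examp1e-bank' reads as 'example-bank'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)

    # 1. The visible text is itself a URL, but to a different site than the href.
    if re.match(r"^(https?://|www\.)", text, re.I):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != domain:
            findings.append(f"text shows {shown} but link goes to {host}")

    # 2. The domain imitates a trusted one (homoglyph / typosquat) without being it.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(domain) == normalize(trusted):
                findings.append(f"{domain} looks like trusted {trusted}")
                break

    # 3. Another URL is carried in the query string: a common redirect pattern.
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                findings.append(f"redirects via query parameter to {inner.hostname}")

    # 4. A bare IP address instead of a hostname.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("link uses a raw IP address")
    return findings


def scan_email_html(html):
    """Map every href in the message body to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample message for the demo; not a real phishing email.
SAMPLE_HTML = """
<p>Your W2 is ready.</p>
<a href="https://examp1e-bank.com/login">https://example-bank.com/login</a>
<a href="https://teams.microsoft.com/l/chat">Open Teams</a>
<a href="https://mailer.example.net/click?u=http%3A%2F%2F198.51.100.7%2Fhr">HR: Download your W2 now</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_HTML).items():
        print(href, "->", findings or "ok")
```

Run as a script, the first link is flagged twice (the displayed domain differs from the real one, and the real one is a look-alike of the trusted bank), the Teams link passes, and the third is flagged for tunnelling a second URL to a raw IP through its query string. Checks of this kind belong in the mail gateway, since users under holiday pressure will not do them by hand.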

Finally, if you hire any temporary staff to handle a holiday crush, limit their access to the systems and data their job actually requires. Then, when their contracts expire, immediately revoke their systems and network access.