The run-up to the holiday period is a prime time for cyber attackers as they try to exploit the rise in online activity to launch phishing and spoofing attacks, distribute malware, and create fraudulent schemes.
Online retail brands are a prime target. Last year UK shoppers lost more than £11.5 million to online scammers between November and January. However, it’s important to remember that the risks also extend to other industry sectors, as employees may use work devices for last-minute festive shopping and other end-of-year activity. Here we explore how scammers take advantage of this annual trend and how to protect against these threats.
Spoofing trusted brands
Emails designed to steal credentials, data and money that appear to come from well-known consumer brands, delivery services or payment processors are prevalent this time of year.
They can take the form of special offers, delivery issues or payment rates. Attackers commonly create counterfeit domains resembling trusted brands to trick users into entering personal information and payment details.
The fact that shoppers may be in a rush or lack online experience may boost the attackers’ success rate, as targets are less cautious about verifying the legitimacy of website URLs or emails.
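A mail gateway or proxy can run the URL check that hurried shoppers skip. The sketch below is an added example, not code from the article or from any vendor product; the brand list, the substitution table and the distance threshold are all assumptions chosen for illustration.

```python
import unicodedata

# Constructed allow-list of brand domains (assumption, not from the article).
TRUSTED = ["example-shop.co.uk", "parcel-example.com", "pay-example.com"]

# Common ASCII look-alike substitutions, folded away before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

def skeleton(domain):
    """Fold accents, digit/letter swaps and 'rn'/'vv' tricks to a comparable form."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, brand): verdict is 'trusted', 'lookalike' or 'unknown'."""
    d = domain.lower().rstrip(".")
    for t in TRUSTED:
        if d == t or d.endswith("." + t):
            return ("trusted", t)
    s = skeleton(d)
    for t in TRUSTED:
        ts = skeleton(t)
        brand_label = ts.split(".")[0]
        # Same skeleton, a near miss, or the brand name embedded in another domain.
        if s == ts or edit_distance(s, ts) <= 2 or brand_label in s:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    for candidate in ["www.example-shop.co.uk", "examp1e-shop.co.uk",
                      "exarnple-shop.co.uk", "parcel-example.com.track-now.net",
                      "gardening-tips.org"]:  # constructed samples
        print(candidate, classify(candidate))
```

The folding covers ASCII and accent tricks only; internationalised (punycode) domains need a dedicated confusables table.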
Impersonating suppliers and executives
Coming up to the end of the calendar year, organisations can be hit with fake invoices, supposedly from suppliers looking to clear up their finances before the end of the year.
Attackers may also impersonate HR and finance departments by messaging personnel with emails about holiday parties, raffles, and end-of-year bonuses. Another tactic is for staff to receive emails impersonating the company management recommending that employees purchase specific e-commerce gift cards for clients.
The role of generative AI
The use of generative AI can make such tactics more convincing. AI-powered tools allow attackers to create authentic-looking emails and websites and trick even vigilant users. AI tools also enable threat actors to launch attacks more quickly and in higher numbers, as well as lowering the bar for less technically skilled criminals.
Understanding these methods is the first step for businesses to implement effective defences.
How companies can protect against festive holiday cyberattacks
A multi-layered approach is essential against modern cyber threats, reducing the likelihood of a single breach compromising sensitive data or disrupting operations in the critical holiday period.
Keeping websites safe and operational
Retailers can find themselves a target of mass attacks, often through automated bots, at a time when they’re processing high volumes of transactions. These can either intentionally or accidentally result in a denial-of-service, slowing down the website or stalling operations completely.
A Web Application Firewall (WAF) is a critical first line of defence, filtering malicious traffic and ensuring websites remain operational under increased demand.
A WAF can also be configured to either warn administrators of unauthorised login attempts or block them outright. This is an effective defence against brute-force password cracking attacks as it can detect and stop suspicious login patterns before they escalate into compromising customer accounts.
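The warn-or-block behaviour described above comes down to counting failed logins in a sliding time window. The following is an added example, not the logic of any particular WAF; the log format, the five-minute window and both thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
WARN_AT, BLOCK_AT = 5, 10       # assumed thresholds: alert admins, then block

def parse(line):
    """Constructed log format: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def evaluate(lines):
    """Return {'ip:<addr>' or 'user:<name>': 'warn'|'block'}.

    Failures are counted per source IP and per target account, so attempts
    spread across many addresses against one account are still noticed.
    """
    recent = defaultdict(deque)
    verdict = {}
    for ts, ip, user, outcome in sorted(parse(l) for l in lines):
        if outcome != "FAIL":
            continue
        for key in (f"ip:{ip}", f"user:{user}"):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop failures outside the window
                q.popleft()
            if len(q) >= BLOCK_AT:
                verdict[key] = "block"
            elif len(q) >= WARN_AT:
                verdict.setdefault(key, "warn")   # never downgrade a block
    return verdict

def sample_log():
    """Constructed sample: one noisy source, one distributed target, benign noise."""
    t0 = datetime(2024, 12, 1, 9, 0, 0)
    rows = [(t0 + timedelta(seconds=10 * i), "203.0.113.7", "alice", "FAIL") for i in range(12)]
    rows += [(t0 + timedelta(seconds=30 * i), f"198.51.100.{i + 1}", "bob", "FAIL") for i in range(6)]
    rows += [(t0 + timedelta(minutes=10 * i), "192.0.2.50", "dave", "FAIL") for i in range(6)]
    rows += [(t0, "192.0.2.10", "carol", "FAIL"),
             (t0 + timedelta(seconds=20), "192.0.2.10", "carol", "OK")]
    return [f"{ts.isoformat()} {ip} {user} {outcome}" for ts, ip, user, outcome in rows]

if __name__ == "__main__":
    for key, action in sorted(evaluate(sample_log()).items()):
        print(key, action)
```

The slow attempts against `dave` stay under both thresholds, which is why a rate rule like this is paired with MFA and account lockout rather than used alone.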
Understanding IT weaknesses and exploring advanced tools
Alongside the email threats, attackers will also look for security gaps and misconfigurations that can be easily exploited. Many such attempted attacks can be prevented by tightening up email security configurations and policies.
Organisations should also explore using AI-powered solutions for defence. AI analytics can quickly spot more subtle attack methods, as well as keeping up with the continual shift in tactics.
Safeguarding businesses from attacks targeting employees
Businesses in all sectors must consider the risk posed by employees using their work devices.
One essential measure is implementing Multi-Factor Authentication (MFA) across all business accounts. MFA adds an effective additional layer of security, ensuring that attackers cannot breach the network simply by phishing user credentials. Endpoint security tools can monitor devices for unusual activity and block access to malicious websites or files.
The importance of employee education
Security awareness training helps staff identify common phishing tactics, reducing the chances of them being deceived. More specific training on compliance with data protection regulations ensures secure handling of customer information.
While there should be an ongoing programme of cyber awareness year-round, the approach to the holidays is a good time for reminders on best practices. This could include guidelines on handling payments, checking email senders and URLs, and avoiding links and attachments from unknown senders.
Combining these practices with clear communication about acceptable device use during the holidays ensures that businesses can maintain a secure environment without disrupting employee productivity.
Keeping the season festive
All organisations must be aware of the heightened risk to both their employees and core business operations during this busy time.
However, these risks can be effectively managed with a proactive and comprehensive approach. Implementing layered security measures that combine security tools, best practice, and employee education can prevent the holiday scammers from reaching their intended victims.
Paul Drake is Regional VP Sales for the UK and Ireland at Barracuda Networks Inc