Don’t Get Reeled in by Holiday Phishing Attacks
We expect the holiday season to be a time of good cheer, and peace and goodwill to all, right? This is the perfect time for cyber-attackers to pounce - they are more likely to attack businesses with phishing attempts during the holidays. Avoid coming back to issues in the new year by knowing what to expect.
Cyber crime research shows that the holiday season dramatically impacts the volume of phishing attacks. Phishing attacks "spiked to more than 150% above average” the week before Christmas. After the holidays, the number of attacks dwindled significantly in Barracuda research.
Why would hackers target a business during the holidays? Because they know things can slow down and people aren't paying the same diligent attention. They’re already mentally out the door, thinking about last-minute shopping, and planning their summer getwaway. Oops! They unthinkingly click on a malicious link, or fill out a form asking for sensitive information.
Hackers expect that businesses are overwhelmed leading up to Christmas, trying to get everything sorted before the holidays. Purchase orders, invoices, and emails are flying around. They bank on people overlooking the finer details.
The Basics of Phishing
Phishing uses social engineering to expose security weaknesses and leverages potential vulnerabilities. Hackers dupe someone into responding to a fake request from a bank, supplier, or colleague. They are hoping to get a nibble from unsuspecting employees who momentarily forget to:
check the spelling of the URLs in email links;
be wary of URL redirects to fake sites made to look legitimate;
question why Jamie in HR needs their access credentials;
contact the sender of a suspicious email for verification before responding.
During this season in the workplace, everything can feel urgent, and staff are more likely to fall for emails telling them to do something right now. They might not notice that the invoice from a usual supplier has a new bank account number, or they could fall for something simple, because they are distracted or too busy.
Top email subject lines that target employees for phishing attempts include:
“Undelivered mail”
“Payroll information request”
“Urgent: invoice due”
“Microsoft Teams: Rick sent you a message.”
It's easy to imagine how someone would click on those without thinking twice.
What to Do About Phishing
You should communicate regularly with your team about the dangers of phishing, and educate them about prevention. Also, reiterate policies around payment, bank account changes, data sharing, and sending confidential data.
Other preventative measures include:
Make sure all security patches/updates are current and installed to fix known vulnerabilities.
Set up automated mail filters to check the safety of links in inbound emails before they get to the user.
Test your infrastructure to identify any weak points.
Establish geofences to inspect traffic coming from certain regions associated with phishing.
Finally, if you hire any temporary staff to help handle the holiday rush, be sure to limit their access. And, when their contracts finish, immediately revoke their systems and network access.
Is your business doing everything it can to safeguard against phishing attacks? We can help with mail management and filtering tools, cyber security staff awareness training, and more. Contact Swerve today on it.help@swerve.nz.