Phishing attacks have been a nuisance for the IT industry for a long time. As the holiday season approaches, organizations must focus their efforts on raising cyber security awareness to counter the effects of social engineering.
Every day, cyber criminals find new ways to cheat individuals and businesses online. Whether it’s credential theft, ransomware or corporate espionage, new technologies make it increasingly easy for cyber criminals to disrupt our daily lives. Phishing continues to do damage, especially at the enterprise level, as tools and techniques innovate as quickly as the most sophisticated firewalls. Security awareness has become paramount for boards, HR managers and directors as organizations start to prioritize cyber security culture.
Phishing attacks will likely increase during the holiday season as individuals spend more time online shopping for gifts and planning festivities. Social engineering attack techniques work by tricking victims into clicking malicious links in fake emails designed to resemble authentic institutions.
Top 10 Email Phishing Attacks Deployed During the Holiday Season
The end of the year holiday season provides ample opportunity for cyber attackers to deploy successful phishing schemes, with the last two months seeing a noticeable hike in spam emails. In this environment, security awareness can play a significant role in protecting enterprise information assets. Here are a few ways bad actors will attempt to phish employees:
- Social Media Account Lockout: Alert emails may come from an unknown source alerting malicious activities on social media platforms like Facebook or Instagram, directing users to click on a 'More information' link embedded within the email.
- Order or Delivery Confirmation: Even though the user may not have ordered anything, such emails contain fake order details and include a link to check an order’s status.
- Job Search or Recruitments: These emails will have attachments or links to view job descriptions or resume formats. They often impersonate high authority professionals to look authentic.
- Financial Account Notifications: These emails pretend to be from banks or investment establishments and request users to log in to view monthly statements or perform some action using the link.
- Refunds or Prize Notifications: Usually in the form of notification for prize winners, some emails request user details for claiming their rewards.
- Donation Requests: These emails tug on the heartstrings of the recipient by requesting funds for the downtrodden or victims of natural disasters during the holidays. They include a link to the spammer’s bank account to send “donations.”
- Legal Scares: These emails force users to pay immediately to avoid legal actions. However, the activities mentioned in the email will most likely be unknown to the users.
- Top Authority or Executive Committee Staff: Contains a spoofed email address and impersonates authorized entities in an employee's organization. It requests information regarding the organization.
- Trusted Party Scams: The sender acts as the victim's acquaintance. The sender requests that the recipient open a malicious attachment or click an infected URL embedded in the email.
- Real Estate or Wire Transfer Scam: This phishing email resembles those from real estate agents, sometimes regarding a property’s closing date. Such emails contain information to transfer funds.
The Effects of a Holiday Cyber Security Breach
Phishing attacks can lead to substantial financial losses as well as a reputation hit, especially when they go unnoticed or aren't mitigated in the initial stages. Here is a snapshot of the impact cyber breaches have during the holiday season.
Loss of Reputation: A brand name is a sign of trust and any severe breach due to phishing can tarnish this reputation and affect an organization's market capitalization. In 2018, Facebook account lockout emails caused the business millions and also affected its public standing.
Loss of Intellectual Property: Loss of patents, trade secrets, and customer lists can cause financial losses and impacts investment in research and development.
Regulatory Fines: Depending on an organization’s governing bodies, substantial fines could be levied if a breach occurs and client information is lost. As per regulations such as GDPR, fines can be as high as several million dollars.
Loss of Market Value: Cyber breaches can also rattle investor confidence. Reputable financiers may withdraw their investment, which negatively impacts an organization's entire market capitalization.
Account Compromise: A sophisticated tactic known as business email compromise (BEC) can have catastrophic financial consequences. In 2016 alone, 40,000 business email compromise incidents caused $346 million loss according to the FBI.
Data Theft: Many criminal organizations steal personal identifiable information (PII) and/or protected health information (PHI) to sell on the dark web. Losing PII or PHI could result in fines and loss of consumer confidence.
Additional Business Costs: Not all financial ramifications result from a direct hack. In 2020, a cyber criminal sent fake invoices for bulk purchases to Apple clients worldwide. Apple spent $124 million to clean up the backlash.
Final Word: Raise Your Security Awareness Profile
It’s the time of year for phishing email scams, especially as online shopping during a pandemic becomes the primary way consumers shop for holiday gifts. Organizations must build a resilient IT security posture that includes cyber security awareness and strengthening network and cloud protections.