Phishing Attacks in the Holiday Season
Before and during the holidays, the Christmas business is booming: Especially in COVID times, many people turn to online shopping in order to have the products and gifts delivered straight to their homes or to their loved ones, rather than to expose themselves to the risk of infection in the walk-in shops. In 2019, Christmas sales in online retail were around 14.7 billion euros, according to the HDE.
This creates optimal conditions for fraudsters: While looking for the best bargains, you can quickly succumb to a cyber attack. These cyber-attacks occur in 97% of all cases through “human” security holes and are not caused by poor technology. 96% of data thefts take place via so-called phishing mails.
The attackers are extremely clever
The phishing attacks currently observed, attempt to gain access to the victims by writing e-mails on behalf of known organizations. This technique is called “spoofing”. The phishing e-mails look very similar to the design of large companies, such as Amazon. That way, they quickly give the user the impression that it is a legitimate email from the provider. Sometimes even a complete “clone” of a website of an online retailer such as Amazon, Ebay or PayPal is created.
But phishing mails also show up in the form of big shipping companies such as DHL and contain alleged links for delivery tracking. Hence, phishing mails are becoming more and more professional and sophisticated. A sender who looks trustworthy at first glance often turns out to be a fake. Many users recognize such emails. But too many of them click on it and land on fake websites or, in the worst case, download malware with infected attachments onto their computers. In this way, criminals can then receive confidential data – or even control the entire PC.
Especially in the holiday season, you may be more likely to lose track of your orders, especially if having ordered different items from different suppliers and if the payment was conducted through different payment methods. A phishing mail is quickly opened and an attachment with malware downloaded or private payment data entered in an input form and voila: the phishing attack is a full success.
Spear Phishing Attack
The most successful type of phishing attack is the so-called spear-phishing attack, which is specifically aimed at individuals or certain companies. In a spear-phishing attack, the prey is sought and targeted precisely as if by the hunter. This phishing method is by far the most successful on the internet as it accounts for 91% of all online attacks. A common method of deceiving target persons with a spear-phishing attack is to disguise a malicious attachment in a file in such a way that it appears as a legitimate company document with a harmless file extension (e.g. wage-statistics-company-X .docx.exe). Criminals find information that applies specifically to you, to make the attack much more believable. The email can even appear to come from someone you know. They obtain information for these types of attacks in many ways, and one of the easiest and most common is finding information in the public domain. This is data found online, published in newspapers or magazines, or appears elsewhere in the media.
More information and examples on how to recognize a phishing attack can be found in our short phishing awareness video.
Phishing attacks: Companies are particularly at risk
Employees are often the gateway to larger companies. The increased work out of the home office makes it easier for cybercriminals to successfully carry out phishing attacks against employees. A current study on COVID times shows that one-quarter of Swiss SMEs have already been victims of a cyber attack, increasingly due to a lack of security in the home office.
It is particularly lucrative for cybercriminals to spy on company data or blackmail companies with ransomware. As a result of phishing mails that are not intercepted, sensitive data is often passed on or malware attachments are downloaded. Fake business e-mails are also increasingly circulating: if an employee assumes that the e-mail has come from an internal company, he is more willing to download an attachment or to enter sensitive data.
How can a company protect itself from phishing attacks?
The ABC in protecting your company from a phishing attack: Train your employees! If your employees know how to spot a phishing attack, you leave cybercriminals with almost no chance. With the generation of user awareness, you and your employees can build a “human firewall” for your company.
With LUCY you can test your employees with phishing simulations in the first step. The more than 800 phishing simulation templates can be adapted to your needs. In this manner, you can determine how often your employees fall for a phishing attack.
In the next step, your employees will be trained in an entertaining way with more than 300 customizable training modules in the LUCY e-learning management system with videos, quizzes, and games.
For the application in the real world, a phishing button plug-in can be integrated, with which employees can report any threats directly with a click of the mouse.
Click here for the free LUCY download.