Cybercriminals take advantage of events and occasions that give their targets a sense of urgency. The end-of-year holiday season combines an unbalanced shortage of staff through the month of December with a rush to complete work before the year’s end, and the personal obligations of individual staff. The heightened level of stress and impending deadlines will cause otherwise-vigilant employees to miss attacks and scams this time of the year. Criminals will take advantage of the chaos.
IT staffing during the holidays can be uneven, and it can be difficult to maintain an appropriate level of awareness on security alerts and anomalous log entries. With an organization’s staff out of the office, a compromised workstation may remain under an attacker’s control for a longer period of time without being noticed. Attackers routinely take advantage of holidays and other times of reduced staffing and awareness as cover. If you have engaged a service that provides around-the-clock security monitoring, make sure that your IT staff are equipped to receive and respond to the alerts the service provides, even if they arrive at inconvenient times.
Examples of Common Attack Methods
At the end of the year, in all sectors of business, there is a rush to get invoices paid. Those that provide goods and services are anxious to receive payment before their clients go on a skeleton crew for the holidays. Staff at the clients are eager to clear their plates of obligations. Cybercriminals will forge emails that appear to be from legitimate clients and take advantage of targets’ expectations of invoice-related file attachments. Recently, a man pleaded guilty for a scam where he posed as a construction company account manager in an email to convince a university to change the bank account number for a legitimate contractor, redirecting a two million USD payment.
In recent weeks, I’ve personally received several emails that, on the surface, appear to be tersely-worded requests for payment. In some cases, the attachments have been documents that direct the user to download and execute malicious software (malware), such as ransomware or software that allows the attacker to remotely operate the workstation. In others, the document contains a link to a phishing site that attempts to trick the target into providing an email password.
Several of our clients have received scam emails that purport to be from their boss or a higher-level supervisor. In these emails, the sender claims to need gift cards for services, such as iTunes, to hand out to clients. If the recipient responds, they are directed to purchase the gift cards (to be reimbursed or on an expense card) and provide the numeric codes via email so that it can be sent to the recipient client immediately. This scam is common year-round, but as firms prepare to send out holiday cards and gifts to clients, it will become more common and more successful.
Charities and fundraisers are common in the holiday season, and criminals will take advantage of your generous nature in order to divert funds that would otherwise go to good causes. With “crowdfunding” sites becoming popular, it is very easy for criminals to set up fundraising campaigns that appear to be from legitimate organizations. Treat requests for donation with skepticism and perform some research to establish the credentials of charities that contact you.
Take Time to Determine Validity of Suspicious Emails
If in doubt about the veracity of an email, take a moment to get in touch with the sender through another channel. Determine, with your own records, whether or not you even have a prior relationship or engagement with the sender. Look up their phone number in your records, on their public employee directory, or via their organization’s main office number (for obvious reasons, you can not trust the phone number listed in the email). A small amount of work in verifying a request can keep you from becoming a victim of cybercrime this holiday season.