The Festive Phishing Season Is Upon Us: Don’t Let Your Company’s Employees Take The Bait [Blog]

Security Product Manager Anthony Custy advises on how to avoid getting caught by phishing scams in peak retail season.

Phishing is once again likely to be a popular pastime for cyberattackers this winter. It is therefore vital that businesses make sure they are protecting their staff from taking the bait.

Black Friday, Cyber Monday, Boxing Day, and the January sales combine to offer the perfect feeding season for those who want to infiltrate business systems each year. Following an 18-month period in which many workers have transitioned to at-home working, and been potentially more vulnerable to cyberattacks, the coming festive months are likely to see those dangers reach new levels.

The lines attackers are most likely to cast are email phishing and its mobile counterpart, text message phishing (also known as smishing).

A staggering 90% of all cyberattacks begin with a phishing email1, aimed at stealing either money or data from the victim. Smishing attempts have also risen dramatically, with a seven-fold increase in the first six months of this year2. In the first half of November 2020 alone, researchers saw an 80% spike in phishing campaigns3 using words such as ‘offer’, ‘sale’ and ‘cheap’.

At first glance, the dangers seem obvious: losing money, information or intellectual property is something businesses can ill afford at any time. Beyond those direct losses lie reputational risks, as employees and customers lose faith in a company that cannot keep its data or digital property secure. Disruption at such a busy and pressurised time of year is not something that can be left to chance.

To combat this, businesses must ensure that their employees are properly equipped and aware of the dangers that lurk, so they can remain in calm waters.

Avoid being reeled in

Business email accounts are not immune to phishing. In fact, as the line between personal and business use of corporate devices has become increasingly blurred, the attack surface has only grown.

Workers may also be complacent, not expecting to be attacked through corporate email or collaboration tools. Meanwhile, the risk-reward payoff for attackers is far greater when they compromise a business device rather than a personal one: it is a foothold into company systems and data.

As such, daily cyber hygiene should be paramount for businesses as we enter the festive season. Most successful attacks rely not on technical ingenuity but on a user missing a small detail. It could be as simple as a deliberately misspelled brand name that goes unnoticed: think ‘Arnazon’ instead of ‘Amazon’, where the letters ‘r’ and ‘n’ side by side read as an ‘m’ in many fonts. Spoofed domains and subtly altered sender addresses slip through the net more often than you would think, so employees need to check the actual sender domain, not just the display name, before acting on a message.

Additional signs to look out for include grammatical errors or repeated phrases in the body of the email, shortened or truncated URLs that hide the real destination, and any message that seems ‘too good to be true’ or demands urgent action to secure the ‘best deal’.
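To make the ‘Arnazon’ point concrete, here is an added example of the kind of sender check a mail filter or awareness tool can run. It is not code from the original post or from Daisy. The brand allow-list, the confusable-character table, the two-label public-suffix set and the sample From: addresses are all constructed for illustration; a real deployment would use the full Public Suffix List and a larger confusables table.

```python
"""Flag sender domains that imitate a known brand (the 'Arnazon' trick).

Added example, not code from the original post or from Daisy. The brand
list, confusable table, suffix set and sample addresses are constructed.
"""

# Constructed allow-list of registrable domains staff expect mail from.
KNOWN_BRANDS = ["amazon.co.uk", "amazon.com", "paypal.com", "royalmail.com"]

# Character runs that look alike in common fonts, folded to one canonical
# form before comparison. Applied in a single left-to-right pass; the
# ordering is a simplification of a real confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Tiny constructed subset of two-label public suffixes (stand-in for the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def fold(text: str) -> str:
    """Lower-case and collapse confusable sequences ('Arnazon' -> 'amazon')."""
    text = text.lower()
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def registrable(domain: str) -> str:
    """Registrable part: 'amazon.co.uk' from 'www.amazon.co.uk', but
    'offers-xmas.net' from 'amazon.co.uk.offers-xmas.net'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typos such as 'amazom'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify_sender(address: str) -> tuple:
    """Return (verdict, brand). Verdicts, in order of checking:
    'exact'           registrable domain is a known brand
    'lookalike'       confusable-folded or one edit away from a brand
    'brand-in-domain' a brand name appears inside a label of a domain the
                      brand does not own (the subdomain trick)
    'unknown'         none of the above; not necessarily safe
    """
    domain = sender_domain(address)
    reg = registrable(domain)
    if reg in KNOWN_BRANDS:
        return "exact", reg

    folded_reg = fold(reg)
    for brand in KNOWN_BRANDS:
        folded_brand = fold(brand)
        if folded_reg == folded_brand or levenshtein(folded_reg, folded_brand) <= 1:
            return "lookalike", brand

    labels = fold(domain).split(".")
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        # Names shorter than 4 characters would match too much; tuning assumption.
        if len(name) >= 4 and any(name in label for label in labels):
            return "brand-in-domain", brand

    return "unknown", None


if __name__ == "__main__":
    # Constructed sample From: addresses, not real messages.
    for addr in ["offers@amazon.co.uk", "Amazon <deals@arnazon.co.uk>",
                 "security@paypa1.com", "tracking@amazon.co.uk.offers-xmas.net",
                 "payroll@ourcompany.example"]:
        print(f"{addr:42} {classify_sender(addr)}")
```

The check deliberately works on the registrable domain rather than the whole hostname, so that ‘amazon.co.uk.offers-xmas.net’ is not mistaken for Amazon; an ‘unknown’ verdict only means the domain does not resemble a listed brand, not that the message is safe.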

While users may be vigilant about suspicious emails, they are often less wary of text messages on their phones. Smishing is phishing that uses SMS instead of email as the lure. The message can be as innocuous as a missed-delivery notification or a voucher offer, designed to trick the recipient into handing over credentials or payment details, or into installing malware on a smartphone that, for many employees, is also a work device.

The DMARC deficit

The reason such basic vigilance is still required across the workforce is that there are many gaps left to exploit, despite retailers’ stated efforts to improve resilience. Concerningly, research published last year found that only 11% of UK retailers had implemented the recommended, strictest level of Domain-based Message Authentication, Reporting & Conformance (DMARC) protection4, a policy of p=reject.

DMARC lets a domain owner publish, in DNS, a policy telling receiving mail servers what to do with messages that claim to come from that domain but fail SPF or DKIM alignment checks, and where to send reports about them. With a policy of p=reject, a message forging the retailer’s exact domain is refused before it reaches the customer’s screen; with p=none, it is merely reported and still delivered. DMARC does nothing, however, against lookalike domains such as ‘arnazon’, which the attacker legitimately owns, so it reduces rather than removes the risk of email fraud and phishing reaching unwitting customers.
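As an added example of what the different DMARC levels look like in practice (not code from the original post or from Daisy), the script below parses a DMARC TXT record as a receiving mail server would find it at _dmarc.&lt;domain&gt; and rates it. The sample records and domain names are constructed for illustration; nothing here queries DNS, and the tag defaults (sp= falling back to p=, pct= defaulting to 100, relaxed alignment) follow RFC 7489.

```python
"""Parse a DMARC TXT record and rate the protection it gives against
exact-domain spoofing.

Added example, not code from the original post or from Daisy. The sample
records are constructed for illustration; nothing here queries DNS.
"""

# Constructed examples of what a receiving server would find in the TXT
# record at _dmarc.<domain>. Not real retailers' records.
SAMPLE_RECORDS = {
    "weak.example":   "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "medium.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@medium.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "broken.example": "v=DMARC1; p=maybe",
}

# Policy strength order: none < quarantine < reject.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag.

    Raises ValueError if the record is not a DMARC record (wrong v= tag,
    missing p= tag, or a malformed tag).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Return the effective policy and a coarse rating for a DMARC record."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown p= value: {tags['p']!r}")

    # sp= (subdomain policy) defaults to p=; pct= defaults to 100.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in POLICY_RANK:
        raise ValueError(f"unknown sp= value: {tags['sp']!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")

    # An attacker picks the weakest link: a lax subdomain policy lets mail
    # "from" offers.retailer.example through even when p=reject.
    weakest = min(policy, sub_policy, key=POLICY_RANK.__getitem__)
    if weakest == "reject" and pct == 100:
        rating = "strict"          # spoofed mail is refused outright
    elif weakest == "none" or pct == 0:
        rating = "monitor-only"    # reports are sent, nothing is blocked
    else:
        rating = "partial"         # quarantine, or reject applied to a sample

    return {
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        # adkim/aspf: 'r' (relaxed, default) accepts organisational-domain
        # matches; 's' (strict) requires the exact domain to match.
        "strict_alignment": tags.get("adkim", "r").lower() == "s"
                            and tags.get("aspf", "r").lower() == "s",
        "has_reporting": "rua" in tags,
        "rating": rating,
    }


def is_valid_dmarc(record: str) -> bool:
    """True if the record parses and carries a recognised policy."""
    try:
        evaluate_dmarc(record)
        return True
    except ValueError:
        return False


def rate_all(records: dict = SAMPLE_RECORDS) -> dict:
    """Map each domain to its rating, or 'invalid' when the record is unusable."""
    return {
        domain: (evaluate_dmarc(rec)["rating"] if is_valid_dmarc(rec) else "invalid")
        for domain, rec in records.items()
    }


if __name__ == "__main__":
    for domain, rating in rate_all().items():
        print(f"{domain:16} {rating}")
```

Two things the rating deliberately penalises are easy to miss when reading a record by eye: a p=reject domain whose sp= is none still lets spoofed subdomain mail through, and pct=50 means half of the forged messages are delivered anyway.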

Against this backdrop, businesses should not make a rod for their own back by waiting for the retail sector to catch up; they need to be fully prepared themselves for this year’s phishing season and beyond.

Phishing isn’t just for Christmas

Training, education and guidance should be the first ports of call. Embedding a strong and robust line of defence among the workforce will go a long way to mitigating human error.

Yet the onus does not lie solely with employees; hardening your company’s own cyber-defences should also be a key focus. That begins with knowing your current level of protection. A security health assessment can pinpoint where vulnerabilities lie before offering guidance on where to better safeguard moving forward.

By working with a specialist partner like Daisy, you can be a cyber attacker’s nightmare before Christmas. We can offer a holistic portfolio of next-generation firewalls, endpoint security, DDoS protection, SIEM, vulnerability management, cyberbreach recovery services and more.

To find out how Daisy can help you this festive period and beyond, visit https://daisyuk.tech/security/.

Remember, phishing isn’t just for Christmas!


1 https://www.retailtechnologyreview.com/articles/94-of-retailers-open-to-phishing-attacks-what-we-can-do-to-close-the-net
2 https://www.computerweekly.com/news/252506611/Smishing-attacks-up-sevenfold-in-six-months/
3 https://www.cybertalk.org/2020/11/17/phishing-scams-surging-ahead-of-2020-mega-retail-events/
4 https://www.infosecurity-magazine.com/blogs/email-attacks-retail-season/