Email Security

    Ring In Cybersecurity for the Holiday Shopping Season

    The holiday shopping season seems to start earlier every year — and so do holiday-related cyber scams. Learn how to guard your business against them. 

    by Mercedes Cardona

    Key Points

    • For cybercriminals, holiday shopping means spoofing retail brands and phishing your employees as they shop online at work.
    • Here are several tools and tactics to help shield businesses, employees, and customers from holiday cyberscams.
    • Learn more by joining Mimecast and CrowdStrike on November 15 for a webinar on protecting your business during the holiday shopping season.

    The holiday shopping season keeps creeping in earlier every year, long before Thanksgiving or even Halloween. One in four shoppers say they now start holiday shopping by mid-September.[1] Nearly all browse for holiday gifts online, and 53% will do most of their buying online this year.[2]

    Scammers know this, and they’re also ready for the season. The Better Business Bureau has already started warning shoppers this year against holiday cyberscams such as phony websites and phishing emails.[3] And on November 15, you can join Mimecast and its partner CrowdStrike for a webinar on the season’s most common cybersecurity threats. (Register here.)

    Holiday Phishing and Spoofing Spike 

    Businesses must fight holiday cybercrime on two fronts:

    • Brand spoofing that could harm their customers and damage their brand.
    • Email phishing that targets employees who shop online during work hours, with the aim of infecting their employers’ networks.

    Even before the holidays, retailers were expressing concern about the rise in cybercrime, as pandemic-related increases in online shopping and remote work have opened new opportunities for scammers. Fifty-five percent of organizations in the retail and related sectors say the increase in the volume of email attacks is their biggest concern, according to Mimecast’s State of Email Security 2022 (SOES) report. Forty percent admit a lack of preparation for handling a spoof of their website or email domain name.

    Now, with more retailers offering deals ahead of Black Friday and Cyber Monday — for instance, during Amazon’s Prime Day on October 11 — web traffic can easily be weaponized by bad guys. Merchants still feel unprepared: Almost 59% say cybersecurity has been a growing concern over the last five years, but less than half believe their security team is as involved in cybersecurity as it should be, according to the National Retail Federation (NRF).[4] Over one-third of retailers have experienced lost productivity and business disruptions because of a lack of cybersecurity preparedness, according to the SOES report. 

    Holiday Risks: From Phishing to Ransomware 

    The increased volumes of online shopping and promotional emails during the holiday season provide a perfect cover for phishing emails and other malicious attacks. The threats include: 

    • Phishing attacks: Fake delivery notifications, scam charity solicitations, and counterfeit holiday coupons and discounts are all used to lure users into clicking on links or downloading files and apps that, in turn, infect networks with malware or provide cybercriminals with network access. Nearly all companies (96%) polled by Mimecast have experienced email phishing attacks in the last year, and the volume this year is not expected to drop. “Smishing,” a variant using texts, is also on the rise, according to the Federal Trade Commission.[5]
    • Brand spoofing: In this case, scammers use lookalike web addresses to lure people and take their money or infect their devices with malware. The fraudsters create a fake website with a URL that closely resembles that of a legitimate business, sometimes using lookalike characters such as the number “0” instead of the letter “o” or the same name under a different top-level domain, such as “.net” instead of “.com.” This practice, also known as “URL phishing,” is a double-edged sword: It harms the customer being phished and also damages the reputation of the organization being spoofed.
    • Ransomware: The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have warned that holidays are prime time for ransomware attacks. When offices are closed for several days, with limited IT and security staff, conditions provide “a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware,” according to CISA.[6] By the time the attack is detected, the cybercriminals will have extracted the data they will hold for ransom and defenders will be playing catch-up, CISA warned.
    • Account takeover: The NRF has noted that with more businesses keeping credit cards on file for faster checkout, account takeover is now one of the biggest problems for digital businesses.[7] Thanks to phishing and data breaches, bad guys are able to collect millions of credentials, and since users repeat the same user names and passwords, it’s easy for scammers to take over online accounts and monetize them at will.
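
    A defender can screen links in inbound email for the two lookalike patterns described under brand spoofing (character substitution and a swapped top-level domain). The sketch below is an added example, not Mimecast's code; the brand domain, the sample links, and the small lookalike map are constructed assumptions, and it goes slightly beyond the “0”-for-“o” case by folding a few other common substitutions.

```python
from urllib.parse import urlsplit

BRAND = "contoso-gifts.com"  # constructed brand domain (assumption)
# Small illustrative lookalike map, not a complete confusables table.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def host_of(url):
    """Extract the lowercase hostname from a URL or bare host string."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def split_domain(host):
    """Return (label, tld) from the last two labels (no public-suffix list)."""
    parts = host.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (host, "")

def fold(label):
    """Map lookalike characters to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def classify(url, brand=BRAND):
    """Label a link relative to the protected brand domain."""
    b_label, b_tld = split_domain(host_of(brand))
    label, tld = split_domain(host_of(url))
    if (label, tld) == (b_label, b_tld):
        return "legitimate"
    if label == b_label:
        return "tld-swap"      # same name, different top-level domain
    if fold(label) == fold(b_label):
        return "homoglyph"     # same name once lookalikes are folded
    return "unrelated"

def flag_lookalikes(urls, brand=BRAND):
    """Return {url: reason} for links that imitate the brand domain."""
    verdicts = {u: classify(u, brand) for u in urls}
    return {u: v for u, v in verdicts.items() if v in ("tld-swap", "homoglyph")}

# Constructed sample links, as might be pulled from inbound email bodies.
SAMPLE_URLS = [
    "https://www.contoso-gifts.com/holiday-sale",
    "http://c0ntoso-gifts.com/coupon",
    "https://contoso-gifts.net/track?id=1",
    "https://parcel-updates.example/delivery",
]

if __name__ == "__main__":
    for url, reason in flag_lookalikes(SAMPLE_URLS).items():
        print(f"{reason:10} {url}")
```

    Because it compares only the last two labels, multi-part suffixes such as “.co.uk” and internationalized (punycode) names need a public-suffix list and a fuller confusables table before this is used on real mail flow.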

    Protecting Against Holiday Phishing and Spoofing Attacks

    Cybersecurity technology, security awareness, and password hygiene are three essential defenses against cyberattacks. Eight out of 10 organizations know they face some form of risk from employees browsing and shopping online, and 40% believe employees’ lack of security savvy is one of their top security challenges amid increasingly sophisticated attacks, according to the SOES report. In fact, 93% of companies in the SOES found they had been subject to email-based attacks because of careless or negligent employees.

    Email security gateways and other technology tools help fight off holiday cyberattacks:

    • Multifactor authentication: Phishing and similar attacks are often the leading edge of larger exploits, so keeping attackers from gaining a foothold in mailboxes is an effective defense. Adding another layer of security to log into email can be useful. According to How to Reduce the Risk of Phishing and Ransomware, a Mimecast-commissioned report from Osterman Research, multifactor authentication is one of the most effective cybersecurity measures. “Reliance on only a username and password for accessing an email account is an invitation for compromise,” the report concluded.
    • Filters: Automation can scan and block emails containing dodgy links and attachments. Three out of four organizations are currently using threat intelligence feeds and blocklists to keep email phishing messages out of their systems, according to Osterman Research.
    • Artificial intelligence: AI tools can check email traffic in real time. AI helps security teams detect and block phishing emails or phony website links by spotting unusual email traffic patterns, quarantining suspect messages until they have been vetted, or deleting them entirely before they can reach network users.
    • Brand protection: Mimecast's AI-based Brand Exploit Protect actively hunts and quickly takes down impersonated websites.

    The Bottom Line 

    The increase in email and e-commerce volume during the holiday season gives cybercriminals cover for email phishing, brand spoofing, and other attacks. As the holiday shopping season continues to creep in earlier every year, security pros need to muster their defenses earlier, too. A number of technology tools can ramp up the effectiveness of protections to keep cyber Grinches from ruining the holidays. To learn more, please register for Mimecast’s November 15 webinar on holiday season cybersecurity.



    [1] “Roku and Harris Poll 2022 Survey Reveal Holiday Shoppers Expect to Increase Spending on Gifts and Shop Earlier,” Roku

    [2] Holiday Shopping Predictions Report, LTK 

    [3] “BBB Tip: Shop Safely on Cyber Monday,” Better Business Bureau 

    [4] National Retail Security Survey 2022, National Retail Federation 

    [5] “Don’t click on the random text. It’s a scam.” Federal Trade Commission 

    [6] “Ransomware Awareness for Holidays and Weekends,” CISA alert

    [7] “How retailers are staying ahead of the increase in fraud,” National Retail Federation
