Everyone loves a gift, but many appealing-looking emails turn out to be lumps of coal

Like clockwork, the end of the year marks the winding down of the Australian business year and the start of the silly season. Black Friday and Cyber Monday shopping events are encouraging Australians to get their credit cards out, and stores’ end of year sales are on the way. Yet another group is also getting busier – with often devastating results.

The end-of-year shopping and gift-giving season is a boon for cybercriminals who see it as the perfect time to steal personal information that facilitates financial theft. They’re busy crafting techniques to entice users into accidentally installing malware, handing over credit card or other confidential details, or compromising their mobiles with malware that subsequently steals their banking details.

Clicking on malicious email attachments starts a chain of events that can lead to financial loss, theft of personal information, harassment, fraud, and more. The Australian Cybercrime Online Reporting Network (ACORN) received 6,102 reports of online scams or fraud and 2,740 reports of purchase or sale-related fraud during the last quarter alone.

Reported figures are certain to be just a fraction of the total volumes – which are sure to rise as the volume of deceptive phishing emails surges in the pre-holiday rush and post-holiday shopping season. The Australian launch of Amazon.com could exacerbate the situation, providing even stronger interest in online shopping and new fraud vectors for email phishers.

A recent analysis from digital ID verification firm Jumio suggested that financial-services ID fraud grew nearly 58 percent during last year’s Black Friday-Cyber Monday shopping weekend, and this year is expected to be no different.

With their well-established love of online shopping and the convenience of mobile devices – the latest PayPal mCommerce Index found that 72 percent of Australians shop on their mobiles – Australians have exposed themselves as often all-too-willing targets for cybercriminals.

Finding the right lure. In most cases, such incidents start with a simple email. Professing to relate to a package delivery or recent purchase, the mail may incorporate an authentic-looking design and logo and create a sense of urgency by implying that there was some problem with a recent purchase, or that a bill is past due.

Such phishing attacks prey on the fact that customers are expecting packages: emails emulating local postal services have proven to be hugely effective. Notices from banks are another popular phishing lure, as are fake utility bills; there’s nothing so quick to limit your holiday spending, after all, as finding a big bill competing for your shopping dollar.

Another popular lure is the emulation of cloud-storage services for sending large documents. These tricks pose a particular threat during the holiday season when few would be surprised to have family members or colleagues using services like WeTransfer, DropSend, OneDrive, Dropbox, and Google Drive to share photos from family gatherings or work functions.

Scammers may tailor these messages in smaller campaigns, of just a few hundred messages, that are shaped using information gathered from public sources and social media. This might include the name and email address of a relative or work colleague, information about a recent holiday, or details about a person’s hobbies or community associations. Such information provides a veneer of legitimacy that tricks far too many Australians into clicking on phishing email attachments or URLs within minutes of receiving them.

The result is a security headache for company security administrators: in one recent PhishMe survey, 21 percent of respondents said they received over 1000 suspicious email reports every week – and 65 percent said they had had to deal with a security incident originating with a deceptive email.

You’d better watch out, you’d better not WannaCry. Given these figures, corporate security administrators can be forgiven for dreading the holiday season. Many employees shop online during their lunch hour and may lower their mental defenses in the interest of completing their purchases quickly.

In the worst-case scenario, clicking in the wrong place will install malware or ransomware – potentially corrupting not only the employee’s own computer but others on the workplace network. WannaCry itself spread between machines as a worm over unpatched SMB, so a single infected laptop on a flat network was enough to seed it. This can cause massive problems for the company, as those hit worst by this year’s WannaCry ransomware found out when estimated losses soared into the billions.

Warnings about such incidents may seem overblown to employees who are just trying to get their Christmas shopping done, but that’s exactly what cybercriminals want. By shaping their email confidence games to slip past Australians’ natural defenses, too many cybercriminals will steal financial or personal data to put this year’s best gifts under their own trees.

There are ways to avoid getting taken in – and installing a robust email filtering solution is only the beginning. In the leadup to the holiday shopping season, every corporate IT manager should be reminding employees, on a daily basis, to be careful what they click – whether at work, on the train, or at home. Key advice includes:

  1. Pay attention. It’s really that simple. It doesn’t take a technical mastermind to carry out an attack – an attacker often needs only basic data that is already available to the public online.
  2. If it seems suspicious, it probably is. If you receive an email that contains tracking information from a postal service, but you aren’t expecting a shipment, stop. Don’t click the tracking URL – it may well be a malicious link disguised as something familiar, and hovering over (or long-pressing) the link will usually show that it points somewhere other than the text suggests. The same goes for emails containing attachments – these could contain malicious code.
  3. Everyone’s a target, but some have a public bullseye. If you work in human resources, sales or communications, for example, it’s likely your name and contact information are listed on the company’s website. If this is the case, you need to be extra vigilant when it comes to practicing good security.
  4. Think before you share. Here’s a wakeup call for you: cyberattacks are not random. They are well-researched and usually architected using the information you share online. Personal details like where you work, your job title, who you’re friends with and what you’re doing, and when, are plastered all over social media sites like LinkedIn and Facebook. Attackers research these sites to gather intel on unsuspecting victims – this reconnaissance is the groundwork for social engineering.
  5. Don’t be a follower. If you receive an email from a bank or financial institution requesting your credentials, don’t click the link – it could be malicious. Even if the email is branded with what look like legitimate logos and fonts, it could be a scam. Instead, type in the actual website address yourself and check that the browser shows a secure “HTTPS” connection to the institution’s own domain before providing your details. Bear in mind that HTTPS only confirms an encrypted connection to the domain in the address bar; phishing sites use it too, so the domain name is the check that matters.
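The lure traits described above – a link whose visible text names a familiar domain while the href goes elsewhere, a link to a bare IP address, a Reply-To that does not match the sender, and an attachment in a risky format – can be checked mechanically before anyone clicks. The following is an added example (not code from the original post or from any product it mentions) that runs those heuristics over a constructed parcel-delivery phishing email; the message, its domains (reserved example/invalid names) and the extension list are assumptions chosen to illustrate the checks in items 2 and 5, not a complete filter.

```python
"""Heuristic triage of a suspicious e-mail (added example, not from the original post).

Flags: Reply-To domain differing from the From domain, links whose visible
text names one domain but whose href points to another, links to raw IP
addresses, and attachments with executable or macro-bearing extensions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions worth flagging; tune to your own environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta",
                    ".docm", ".xlsm", ".zip", ".iso", ".lnk"}

# Constructed sample message: a fake "missed delivery" notice with a
# disguised link, a raw-IP link, a mismatched Reply-To and a .docm attachment.
SAMPLE_EMAIL = b"""From: "Parcel Delivery" <notice@tracking.example.com>
Reply-To: support@tracking-example.invalid
To: victim@corp.example
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not deliver your parcel. Re-schedule here:</p>
<a href="http://tracking-example.invalid/redeliver">https://tracking.example.com/redeliver</a>
<p>Or view the <a href="http://203.0.113.7/notice">delivery notice</a>.</p>
</body></html>
--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Delivery_Notice.docm"
Content-Disposition: attachment; filename="Delivery_Notice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased hostname from a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def analyse_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Header check: a Reply-To pointing at a different domain than the sender
    # is a classic sign that replies are being harvested elsewhere.
    from_host = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_host = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_host and from_host and reply_host != from_host:
        findings.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            target = _host(href)
            if _IPV4.fullmatch(target):
                findings.append(f"link to raw IP address: {href}")
            shown = _DOMAIN_IN_TEXT.search(text)
            if shown:
                shown_host = shown.group(1).lower()
                # Allow a subdomain of the displayed domain, flag anything else.
                if shown_host != target and not target.endswith("." + shown_host):
                    findings.append(f"link text says {shown_host} but href goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

The display-text check is deliberately narrow: it only fires when the visible anchor text itself looks like a domain, which is exactly the trick described in item 2 (a tracking link that reads as the courier’s address). Links with plain-word text such as “delivery notice” are caught only by the raw-IP rule, so a production filter would add reputation and lookalike-domain checks on top.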

Keep these tips in mind this holiday season to keep your inbox safe and your data secure.
