With the holiday season just around the corner, online retailers will be the go-to destination for shoppers. Black Friday sales, digital advertising and promotional emails will fill inboxes, and mixed in with them will be a long-time holiday staple: phishing attacks.
Phishing-based cyber-attacks spike during the holiday season every year. It is a perfect time for cybercriminals to launch campaigns that prey on multitasking, stress and urgency to get consumers to act quickly without checking, and it gives them an ideal opportunity to get us to fall for their scams.
While cybercrime has grown more sophisticated over the past few years, the criminals' favorite tactic remains the same: phishing.
Before we look at the diverse types of phishing attacks, and what can happen as a result, let’s quickly understand what phishing really means.
What is Phishing?
Phishing is a form of social engineering in which a target is contacted, most often by email, by cybercriminals impersonating a legitimate person or organization in order to obtain sensitive data (personally identifiable information (PII), banking and credit card details, passwords and so on), steal credentials and/or deliver malware.
Some of the most popular phishing scams include an attacker posing as a globally recognized brand, such as Coca Cola, claiming that the victim has won a jackpot or annual draw. The message subsequently asks victims to provide their bank account details to claim the prize. Unsuspecting victims that buy into the story are swindled of their savings, or their data is sold to other cybercriminals.
While most of us are not likely to fall for such obvious scams, phishing attacks have grown more sophisticated over the years. Cybercriminals have been known to target the elderly and other vulnerable demographics, but the more sophisticated attacks evade traditional email security defenses and can get even experienced security professionals to share their personal data.
4 Types of Phishing Scams You Need to Look Out For in 2020
As mentioned above, cybercriminals are more likely to target victims during the holidays because most of us are busy with our shopping lists, and some of us will inevitably fall prey to a cleverly disguised phishing attack. IBM's 2019 Cost of a Data Breach Report put the average cost of a data breach at $3.9 million for a business. For individuals, the cost of stolen data can be devastating. Here are the four most common types of phishing scams to watch for this holiday season:
1. Fraudulent Shipping Notifications
Thanks to the pandemic, most of us will choose to shop online this year. According to an Accenture report, 61% of consumers plan to minimize in-store shopping to reduce health risks to retail workers, which means it will be online shopping galore for most of us. Cybercriminals are therefore more likely to reach into your inbox with a phishing email disguised as a shipment notification. These notifications may carry a malicious attachment or include external links to pages designed to trick victims into logging in to an impersonated site, which captures their credentials and PII.
Malicious Attachments: These attachments, disguised as a receipt or other shipping details, carry malware that runs on your mobile device, laptop or desktop when you open them. Depending on the type of malware, it could capture your keystrokes, install ransomware or exfiltrate all the data on your endpoint.
Malicious Links: These external sites often look like legitimate ecommerce web pages (Amazon, Zappos, Apple Store, etc.) and ask victims to confirm their details. Unbeknownst to the victim, every piece of data they confirm (login credentials, payment card details, physical address, etc.) goes straight to the attacker.
How to avoid the scam: Do not open attachments from suspicious-looking email addresses. Ecommerce sites send from a standard address at their own domain, such as [email protected] or [email protected]; malicious emails most often come from a generic free email domain such as [email protected] or [email protected]. Check the actual sender address, not just the display name, because the name shown next to the address can be set to anything by whoever sends the message.
Do not click links to external pages. Trusted ecommerce sites will provide all your shipping details in the email body; if you want to check on an order, type the retailer's address into your browser or open its app rather than following a link in the email.
2. Charity Frauds
Charity frauds involve deceiving victims into thinking they are making donations to charities. Attackers often pose as a charity organization asking donors for contributions to charities that do not exist. This year, scammers are likely to use the Coronavirus pandemic to trick victims into donating to fictitious charities.
In fact, the US Federal Trade Commission (FTC) warned people as early as February 2020 that, “Scammers are taking advantage of fears surrounding the coronavirus. They’re setting up websites to sell bogus products and using fake emails, texts and social media posts as a ruse to take your money and get your personal information.”
Here is one example of what a charity fraud email could look like:
How to avoid the scam: Legitimate charities are registered, and you should be able to cross-check the organization's credentials against a public charity database to confirm that they are genuine. Also avoid any arrangement with strangers who ask for upfront payment this way.
3. Gift Card/Coupon Scam
The best thing about gift cards and coupons is that they are as close to cash as possible. Scammers also know this, which is why gift card scams or coupon phishing is one of the most popular tactics used by cybercriminals.
With online shopping emerging as the dominant trend for the 2020 holiday season, scammers are likely to use the gift card or coupon route to steal your money. Attackers typically connect with victims over email and create a sense of urgency by offering an unbelievable deal on a popular product. The catch is that they will ask for payment using gift cards.
How to avoid the scam: Be skeptical of any coupon offering an unbelievable deal or discount on a popular item. Scammers take potential victims to impersonated pages where they are asked to enter payment card details, addresses and other PII, which cybercriminals can use immediately to make multiple transactions. Treat any request to pay with gift cards as a red flag, and avoid giving any details through a URL to someone you do not know or trust.
4. Travel Phishing Scams
Most of us have been cooped up indoors for most of the year. A nice and safe vacation seems like a promising idea. You go ahead and book your holiday online. However, you then receive a cancellation notification stating that, due to the pandemic, all bookings stand cancelled unless notified otherwise. The email or message asks you to fill out a form to claim your refund. Seems like a standard procedure. It is only when you scrutinize the email address and the external form link that you realize that something is off. The external link uses a plain http:// address instead of https:// (though a padlock alone proves little, since attackers can obtain certificates for lookalike domains too), or the email domain is Gmail, AOL or Yahoo.
Alternatively, you may be offered free air tickets from a seemingly official airline if you forward or share a link on your social media accounts. For a year like 2020, free airline tickets sound too good to be true. And they are. These links lead to a phishing website where fraudsters can harvest your personal information.
How to avoid this scam: Check the sender's email address on any such communication. Do not enter any information on a third-party app or website. No airline or travel company will ask you to sign back into your social profiles or email accounts with a username and password.
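The sender and link checks described for shipping notifications and for travel scams above are the same checks, so here they are written out once as a small, self-contained Python analyzer. This is an added example, not GreatHorn's product code or anything from the original post: it parses a raw email, compares the sender's domain with the retailer's expected domain, flags free-mail senders and brand names used in the display name, and inspects every link in the HTML body for plain http://, for a destination outside the retailer's domain, and for link text that shows one address while the href points somewhere else. The two sample messages are constructed for the example, the free-mail domain list and the file-extension list are assumptions, and the registrable-domain helper is a deliberately crude two-label guess (it does not consult a public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains from which no retailer or airline sends transactional mail.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com", "outlook.com"}
# Assumption: attachment types a shipping notice has no business carrying.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".zip", ".docm", ".xlsm", ".html")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude guess at the registrable domain: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _text_parts(msg):
    """Yield every text/* part of the message decoded to str."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def analyze_message(raw_email, expected_domain):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_email)
    brand = expected_domain.split(".")[0]
    findings = []

    # Sender checks: the real address, not the display name, is what matters.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses free-mail domain {sender_domain}")
    elif registrable_domain(sender_domain) != expected_domain:
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")
    if brand in display_name.lower() and registrable_domain(sender_domain) != expected_domain:
        findings.append(f"display name '{display_name}' impersonates {expected_domain}")

    # Link checks over every anchor in the body.
    parser = _LinkExtractor()
    for text in _text_parts(msg):
        parser.feed(text)
    for href, text in parser.links:
        url = urlparse(href)
        link_dom = registrable_domain(url.hostname or "")
        if url.scheme == "http":
            findings.append(f"plain-http link {href}")
        if link_dom != expected_domain:
            findings.append(f"link to external domain {link_dom}")
            if brand in link_dom:
                findings.append(f"lookalike domain {link_dom} contains brand '{brand}'")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != link_dom:
            findings.append(f"link text shows {shown.group(1)} but points to {link_dom}")

    # Attachment checks: a receipt does not arrive as an executable or a macro document.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed sample messages for the example (not real mail).
SAMPLE_PHISH = """\
From: "Amazon Shipping" <amazon.delivery.notice@gmail.com>
To: customer@example.com
Subject: Your package could not be delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm your address within 24 hours to avoid return:</p>
<a href="http://amazon-delivery-confirm.example/login">https://www.amazon.com/your-orders</a>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Amazon.com" <shipment-tracking@amazon.com>
To: customer@example.com
Subject: Your package has shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Track it: <a href="https://www.amazon.com/progress-tracker/package/">Track package</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_message(sample, "amazon.com"))
```

Run against the constructed phishing sample, the analyzer reports the free-mail sender, the brand name in the display name, the plain-http link, the off-brand lookalike destination and the mismatch between the link text and the href; the constructed legitimate sample produces no findings. The domain comparison is the weak point of such a tool: a two-label guess misclassifies hosts under suffixes like co.uk, so a real deployment would use a public-suffix list, and none of these checks replace verifying the retailer's own site by typing its address yourself.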
While these four categories of phishing attacks are the most common ones in the current climate, this is certainly not an exhaustive list. Please beware of any communication that requires you to disclose your personal information without giving you enough information needed to verify the institution’s or person’s legitimacy. Always double check sources making unusual requests to collect your personal information.
At GreatHorn, we are dedicated to helping organizations keep their networks and employees safe online. Our User Education tool helps email users identify attacks in the moment of risk. By analyzing email, domain names, and hundreds of other factors, you can keep your employees safe from email attacks.