‘Tis the Season to Be … Vigilant

AI-driven phishing campaigns, fake e-commerce sites and other holiday scams victimize businesses as well as consumers.

For all the joy and goodwill surrounding the holidays, it has unfortunately also become the high season for cybercrime. Because consumers do a big chunk of their holiday shopping online, cybercriminals boost their online attacks and scams during the holidays.

AI is making holiday cyber scams worse by enabling fraudsters to create more personalized attacks at scale. Experts report a significant increase in AI-driven fraud attempts during the holiday season.

Cybercriminals connect phishing campaigns to particular dates — Black Friday, Cyber Monday, and the days just before and after Christmas. They use emails, texts (smishing) and calls (vishing) disguised as major retailers, banks or shipping companies to trick users into clicking malicious links or attachments. AI is used to make these messages hyper-personalized and convincing.

Spoofed websites pop up frequently this time of year. Attackers use social engineering to lure users to these sites and dupe them into entering sensitive information. Social media sites also become littered with links to what sound like great deals. However, clicking on a malware-infected link — so-called “malvertising” — could launch malicious code designed to steal financial data.

Bringing the Risks to Work

There’s a tendency to think of these crimes as primarily affecting individuals and retail businesses. While those are the most obvious targets, organizations of all shapes and sizes must understand their vulnerabilities as well.

Various studies show that about half of employees shop online while at work, many connecting to the company network using their personal smartphones and tablets. Online shopping at work tends to be more prevalent among younger employees, with some surveys indicating that more than 70 percent of millennials admit to it. Some employers block shopping sites or monitor usage, but many allow some level of online shopping at work.

Shopping online at work not only contributes to lost productivity — it poses significant security risks. One study found that malware attacks more than double during the holiday season. A successful malware attack can result in data breaches or unauthorized access to the company network. Online shopping can also bypass security protocols, making it harder for the IT department to detect and respond to threats.

The Social Engineering Threat

Studies show that phishing attacks surge by almost 50 percent during December. If an employee falls for a phishing scam, it can lead to significant financial losses and operational disruption. Attackers can steal funds through fraudulent wire transfers or unauthorized transactions. Malware from phishing attacks can lock up systems, halt workflows and prevent employees from doing their jobs.

Recovering from an attack, especially if systems are hit with ransomware, can be expensive in terms of IT costs, lost productivity, downtime and customer churn. A history of security incidents can lead to higher insurance costs for the company.

These risks are prevalent any time of the year, but spike during the holiday season with the increase in online fraud. Attacks are more frequent and users are often distracted during the holidays. IT departments may operate with skeleton crews, which means that fewer people are monitoring for and responding to threats.

Seasonal temp workers represent a huge potential weakness in business systems. Their lack of training makes them much more vulnerable to social engineering attacks.

Putting Security Awareness Training into Practice

While everyone needs to be vigilant about their online shopping habits, businesses should take extra steps to make sure employees understand how to protect themselves, their devices and the organization’s assets from cybercriminals during the holidays. Offering security awareness training or encouraging employees to review their training materials can help reduce the risk.

Security training should emphasize the skills needed to prevent social engineering attacks. Employees should be reminded not to click on suspicious links, particularly if they are sent by someone unknown to the user. They should also be reminded not to enter sensitive information into unfamiliar sites, and to be wary of deals that sound too good to be true.

All devices should be kept up to date and patched to reduce the risk that scammers will exploit known vulnerabilities. Employees should be required to use strong passwords and multifactor authentication to make it harder for attackers to gain access to the company network.

Security is, of course, a year-round concern that requires everyone in the organization to follow best practices. During the holidays, however, it’s important to be especially vigilant in order to prevent a security breach.

