SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
The most wonderful time of the year - for cybercriminals
Fri, 26th Nov 2021

With the peak Christmas season upon us, it is also the busiest time of the year for online shopping.

For cybercriminals, it is also the season to scam millions of dollars from unsuspecting people and companies.

Mike Jones, product manager at Agari by HelpSystems, says cybercriminals are banking on people being rushed and distracted during this hectic season, and therefore more likely to fall for a scam that lets the attackers cash in.

"People need to be extra vigilant and watch out for email scams such as phishing," says Jones.

"These emails can make it past most security controls, because they appear to be coming from a trusted source; someone you know, a brand you trust or even someone from your company's HR team or president," he says.

"Here is a common scenario. You get an email from the sporting supply company you have purchased from several times in the past. But look carefully, is it really coming from that well-known brand? Before you click on that link with that great savings offer, look carefully."

Jones advises shoppers to check the body of the email and the sender information to look for misspellings.

"Is the email from Amazoni, not Amazon? Hover over any links to see if the URL is correct. Clicking on that offer link may be all it takes to grant a grinch access to personal or business data," he says.

"If an email receiver does click on the link, it could be an imposter website created by a scammer imitating a trusted brand's website domain. If a site doesn't use two-factor authentication (sending a code via email or text before supplying personal or payment information), anyone can be misled to update or confirm username, password, credit card, etc."

Jones says it is not just individuals who are at risk. Businesses often suffer insurmountable losses in brand trust, credibility, and email deliverability, as well as millions of dollars of revenue from both fraudulent and legitimate purchases.

"If people fall prey to someone who has impersonated a brand, that business suffers, because every real email they send may now not be trusted. Plus, loyal or new customers might not feel safe coming to the legitimate website to make a purchase," he says.

"In email spoofing attacks, the sender display and domain names can look like they come from legitimate brands. To prevent this, businesses can implement DMARC authentication so that when an email is received, the server checks to ensure the sender is authorised to send emails on that brand's behalf. To get around this, attackers will also spoof using lookalike domains."
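The two checks Jones describes above, the misspelled sender domain ("Amazoni, not Amazon") and the DMARC policy lookup, are easy to automate on the receiving side. The following is an added example written for this page; it is not code from the article, from Agari or from HelpSystems. The DMARC record, the brand domain `example-brand.test` and the sender list are constructed sample values; a real deployment would fetch the record with a DNS TXT query for `_dmarc.<domain>` instead of reading it from a string.

```python
"""Added example (not from the SecurityBrief article or any Agari product):
a small DMARC record parser plus a lookalike-domain check of the kind a mail
gateway or SOC analyst runs against sender domains. All sample data below is
constructed for illustration."""

# Constructed sample: a DMARC TXT record as it would be published at
# _dmarc.example-brand.test. The tags are standard DMARC tags; the values
# are illustrative only.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-brand.test; adkim=s; aspf=s"
)

# Constructed sample: the brand's real domain and a batch of observed
# sender domains, two of which are one edit away from the real one.
TRUSTED_DOMAIN = "example-brand.test"
SAMPLE_SENDERS = [
    "example-brand.test",   # genuine
    "examp1e-brand.test",   # digit 1 substituted for letter l
    "example-brands.test",  # extra character appended
    "unrelated-shop.test",  # different domain altogether
]


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag -> value dict.
    Returns an empty dict if the record is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_policy(record: str) -> str:
    """Return the published policy ('none', 'quarantine' or 'reject'),
    or 'missing' when there is no valid DMARC record or no p= tag."""
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "missing"
    return tags["p"].lower()


def dmarc_enforces(record: str) -> bool:
    """True only when the policy actually blocks spoofed mail.
    p=none is monitoring only: reports are sent, but nothing is rejected."""
    return dmarc_policy(record) in ("quarantine", "reject")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_domains(trusted: str, candidates: list, max_distance: int = 2) -> list:
    """Return the candidate domains that are not the trusted domain but lie
    within max_distance edits of it, i.e. probable lookalikes such as
    'amazoni' next to 'amazon'. Exact matches are skipped."""
    trusted = trusted.lower()
    hits = []
    for domain in candidates:
        domain = domain.lower()
        if domain == trusted:
            continue
        if levenshtein(domain, trusted) <= max_distance:
            hits.append(domain)
    return hits


if __name__ == "__main__":
    print("DMARC policy:", dmarc_policy(SAMPLE_DMARC_RECORD),
          "| enforcing:", dmarc_enforces(SAMPLE_DMARC_RECORD))
    print("Lookalikes of", TRUSTED_DOMAIN, "->",
          lookalike_domains(TRUSTED_DOMAIN, SAMPLE_SENDERS))
```

Two points worth noting for anyone adapting this: DMARC only protects the exact domain it is published for, which is why the lookalike check is a separate step and why Jones says attackers move to lookalike domains once DMARC is in place; and a record with `p=none` passes the parser but blocks nothing, so `dmarc_enforces` is the question to ask, not merely whether a record exists.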

Jones says employees need to think carefully before responding to emails.

"Would the CFO really want you to send them gift cards? Of course not, but would a trusted supplier change their bank account details? Perhaps. Suspicious emails should be reported to your security operations team immediately so they can be verified and if found to be a scam, other employees can be warned," he says.

Jones says security awareness training and sound processes will help businesses stay one step ahead of modern-day grinches, as will email security solutions that use data science to inspect every incoming email for authenticity. Based on machine learning of typical behaviours and known senders, messages that can't be trusted never reach employee inboxes, and any that slip through are removed.

"Having safety measures in place will keep everyone in good cheer and save businesses and personal gift budgets from falling victim to a big 'Bah! Humbug!' this Christmas."