Hackers go phishing for the holidays

It’s that time of year again. Everyone’s busy – at work and at home. That includes cybercriminals, too. In fact, the holiday season is when busy, distracted people tend to be especially vulnerable to phishing attacks. Just one click on a phishing link in a realistic-looking email or package shipment notice from even the savviest small business user opens the door to scammers.


Cybercriminals becoming more sophisticated

Those scammers have honed their skills in recent years, finding more sophisticated ways to research businesses through their websites, social media accounts, and harvested email address books. With this information they can make their outreach more targeted, which makes the email appear more legitimate to the recipient.

What’s more, they often take advantage of the data they’ve acquired via breaches at retailers and other companies to create realistic-looking emails that appear to have come from co-workers, friends, vendors, clients or banks. Some even try to pass themselves off as IRS agents. These social engineering tactics further deceive the recipient into believing that the communication is trustworthy.

Small businesses under attack

Small businesses are especially prone to these phishing attacks. Because they have access to fewer cybersecurity resources and operate on tighter budgets than larger organizations, small businesses are frequent targets for scammers. Even if security isn’t in their budget, small businesses will end up paying for it one way or another: the average cyberattack costs a small business $53,987. Of course, that’s far less than the millions of dollars we hear about when medium and large enterprises are the victims, but it’s proportionally substantial.

Phishing for the holidays

It’s estimated that one in every 99 emails contains a phishing attack, which amounts to slightly fewer than five emails per employee in a five-day work week for a small business. What’s more, 30% of phishing emails typically make it past security built into popular cloud email providers like Office 365.

Given those kinds of success rates, it’s no surprise that scammers continue to increase the number of phishing attacks they launch every year. In 2018, 83% of people worldwide reported receiving phishing attacks, resulting in lost productivity, loss of proprietary data, reputational damage, and other disruptions and costs.

In recent years, scammers have become more sophisticated, making it even harder for unsuspecting victims to recognize a phishing email for what it is – especially when the pace of nearly everything picks up during the holidays. But there are several things you can do to avoid getting reeled into a phishing scam when you receive an email (or text) that looks like it’s from someone you know and asks you to click a link to update an account or your information.

Is it real?

Remember, it’s easy for scammers to copy logos and register look-alike email addresses so a message appears to come from a person or company you know. Always check the actual sending address, not just the display name. A scammer only needs a small change that you won’t notice at a glance, such as replacing an “m” with the two letters “r” and “n” (so “example.com” becomes “exarnple.com”), or tacking your bank’s name onto a domain they own. Be wary of any message pressuring you to act immediately to prevent something bad from happening. And remember that the IRS does not initiate contact with taxpayers by email.
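Those address tricks are mechanical enough to check automatically. The script below is an added example, not code from the original post: it pulls the real address out of a From: header, collapses the confusable letter pairs scammers rely on (rn for m, vv for w, cl for d, 0 for o, 1 for l), and compares the result against a list of domains the business already knows. The trusted domains and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: domains this business actually deals with.
TRUSTED_DOMAINS = {"example.com", "bigbank.example", "vendor.example"}

# Lookalike sequences scammers swap in because they read the same at a glance,
# mapped to the character a hurried reader perceives.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From: header.

    parseaddr() separates the display name from the address, so a header like
    'Big Bank <alerts@bigbank-secure.example>' yields 'bigbank-secure.example'.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header.

    'trusted'    - the address domain is one we know
    'lookalike'  - the domain is a near copy (confusable letters), or it hides a
                   trusted domain inside a longer one (example.com.evil.example)
    'name-spoof' - the display name imitates a trusted brand but the address does not
    'unknown'    - nothing recognised; apply normal caution
    """
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"

    skel = skeleton(domain)
    for t in trusted:
        if skeleton(t) == skel or domain.startswith(t + "."):
            return "lookalike"

    # Display-name check: strip spaces/punctuation so "Big Bank Alerts"
    # still matches the brand label "bigbank" from bigbank.example.
    compact_name = re.sub(r"[^a-z0-9]", "", name.lower())
    for t in trusted:
        brand = t.split(".")[0]
        if brand and brand in compact_name:
            return "name-spoof"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, one per verdict.
    samples = [
        "Accounts Payable <ap@vendor.example>",
        "Accounts Payable <ap@vendor.exarnple>",
        "IT Helpdesk <login@example.com.evil.example>",
        "Big Bank Alerts <alerts@bigbank-secure.example>",
        "Someone <x@unrelated.example>",
    ]
    for header in samples:
        print(f"{check_sender(header):11} {header}")
```

A verdict of "lookalike" or "name-spoof" is the cue to pick up the phone rather than click; "unknown" is simply a sender you have no history with and should treat with the usual care.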

Is there an attachment or a link?

Be especially cautious if the email is from someone you don’t know and you’re being asked to click on a link, type in your password, account name or number, or provide other sensitive information. The exception is when you’re expecting a link or an attachment from someone you know and trust (for example, your lawyer sending a contract you discussed, a client sending details for an ad you’re developing, or a vendor verifying an order you placed).

Are you familiar with the sender?

If you get an email you weren’t expecting with an attachment or a link, verify that it’s coming from the person you think it is. But instead of clicking on “reply” or copying the email address, call the person or use an email address you already have on file.


But what if you or someone in your company inadvertently falls for a phishing scheme? First, contact whoever is in charge of your company’s IT systems and let them know what happened. And since phishing attacks (even during the holidays) often strike more than one person in a company, be sure to talk to your colleagues – to alert them and confirm that no one else has made the same mistake.

Of course, you should also notify any affected parties, including customers and suppliers. Then limit the damage: disconnect the affected computer from your company’s network, and change any passwords you entered on the phishing page (and anywhere else you reuse them), using a different, clean device. Finally, report the incident to the appropriate authorities and report the phishing attempt to the Federal Trade Commission.

And finally, enjoy the holidays.
