“Ho, Ho, Ho, Merry Phishing!” – Part 1

posted by: Blog Author date: Dec 14, 2016 category: All, Phishing

The holiday season is here again! Millions of people around the world are increasing their spending and scouring the internet for the best deals they can find. As sales increase worldwide, retailers and financial institutions are put at further risk, because cyber-criminals are busy sending more phishing attacks than at any other time of the year.

Research conducted over the last few years indicates that every holiday season, the number of phishing attacks and scams systematically increases, along with the number of stolen or lost records. The explanation for this trend is very simple: consumers increase their online shopping (especially on mobile devices), which means that hackers intensify their attacks. They play the odds that busy and email-overwhelmed victims will take the bait without a second look at the link they’ve just clicked.

Cyber-criminals just love the holiday season: it’s a time when online shopping is very popular, making the probability of the average customer falling for a phishing email higher than at any other time of the year. They also target businesses such as payment system providers, popular retailers, online stores, and even banks (although they are targeted at a lower rate).

Many scams, fraudulent websites and apps are floating around on the Internet right now, and sadly it can be pretty easy to get caught in one of the many nets cyber-criminals throw out. No one is immune to cyber-crime, and the fact is, the probability of having your personal email accounts hacked is much higher than that of your house being burgled.

With this in mind, it’s logical to expect that the 2016 holiday season will set a new record for online sales, as well as the volume of phishing emails, malicious links, social engineering scams and other online fraud.

Here is some advice from our experts on how to stay safe and merry: “’Tis the season to be cyber-aware!”

Which scams should you be on the lookout for?

This is a summarised list of the main holiday-related cyber threats consumers should be aware of:

Malicious emails: unsolicited emails, including phony parcel-tracking or order-delivery emails, fake invoices and receipts, emails about amazing retail deals… all of these could potentially be phishing scams, or possibly contain malware.

One of the main characteristics of the holiday season is the huge volume of emails consumers receive from businesses they have previously visited or purchased from, offering discounts or sales specifically designed for them. For regular online shoppers, it can become difficult to keep track of where they’ve actually placed an order, which explains why unsolicited emails from popular retailers like Apple, Wal-Mart, Ikea, H&M, and Amazon don’t trigger alarm bells or send up red flags. The consequence? Victims click on fake links to check an order or to see when the parcel they forgot they ordered will be delivered. Deceptive shipping notifications, seemingly coming from FedEx, UPS or DHL, are rife during the high shopping season.

To illustrate this, one recent example of a bogus order confirmation email received by a large number of people was the “Thank you for your order!” email, supposedly from the popular shop Ikea. This fake receipt scam, which reportedly cost more than 10 million dollars in the United States and United Kingdom, was successful for several reasons. Victims may have thought that:

  • their personal details were stolen, and that someone used their credit card to make a purchase on Ikea’s website;
  • a family member or friend made a purchase for them as a gift, and the victim wanted to check it out.

Whatever the scenario, the result is always the same for the victims: by clicking on the attached document, instead of viewing a receipt, they trigger an attack on their device, which infects their machine with Trojans such as the Dridex Trojan. Dridex targets bank account details by connecting through the infected machine to the victim’s online bank log-in page. While victims were trying to make sure no money had been taken for this Ikea “order”, the Trojan stole valuable personal information: their online banking log-on credentials.

This scam targeted consumers and businesses alike: small and medium-sized companies were attacked, because employees could easily believe that someone else within the business had made such a purchase. If successful, the attack was more lucrative for the hackers, as companies tend to deal with more money than individuals.

Hackers count on their victims being overwhelmed, and play on their “fear of missing out”.

Malicious websites: cyber-criminals create fake payment system websites, or copy the websites of legitimate retailers in order to steal critical personal details. They also craft entire phony online shopping websites, offering very attractive deals or bargains to lure victims into placing orders with them instead of the genuine vendor websites.

Hackers count on their victims not recognising when they are visiting a fake website. The catch is that phony websites sometimes imitate the buyer’s favourite online shopping site very well.

Fake surveys: survey email scams promise victims money or gift cards once they complete the survey, and this often leads gullible consumers to give out personal information (sometimes as valuable as their credit card details!) to access the “prize”. Hackers then use the collected data to craft personalised phishing attacks on their victims.

To illustrate this, a recent scam using fake surveys was “The Multiple-brand WhatsApp Scam”. Using the logos of H&M, Walmart, Spar, 7-Eleven, KFC, McDonald’s, and – again – Ikea, the crooks tricked users of the messaging platform into downloading malware onto their smartphones. Instead of receiving the promised gift cards, victims got hacked and had their whole contact list compromised, so the list of victims grew with every hacked device.

Hackers count on their victims falling for a well-designed and well-crafted scam: one written in correct English (or other languages), free of grammatical errors, and trading on trusted brand logos and reputations.

Stay tuned next week for our second article on holiday season phishing! We will focus on how and why mobile users are becoming more and more threatened by cyber-scams. Our experts will also share their do’s and don’ts for staying cyber-safe during the holidays – and all year round.