'Tis the Season to be a Victim of Cybercrime!
The end of the calendar year can be a wonderful time of year for both individuals and companies alike. Employees get some time off to celebrate their favorite holidays (and eat their favorite foods). Companies get to plan for the coming year, figuring budgets and making strategic plans. Some businesses may see this time of year as a spike to their revenues, while others may have a lull that allows for the always-needed catch-up time.
The end of the calendar year through tax season is also a time when we in the security community expect a spike in cybercrime. This is true for a number of reasons, including:
Many companies have extended holiday leave, with most employees taking time off.
Holiday staffing is usually a skeleton crew, with the lowest-tenured folks having to pay their dues by working during this time.
Everyone is online shopping… and getting packages delivered constantly.
Shoppers start worrying about getting their presents in time, especially if there are shipping delays.
Open enrollment usually occurs around this time, where employees are evaluating and making changes to their benefits.
Charitable donations increase, as folks have the giving spirit… and tax deductions are available if done before the end of the year.
As the threats to individuals and companies are quite different, below are the top three concerns for each this holiday season, each discussed in detail.
Top 3 Concerns This Holiday Season… For Individuals:
Malvertising.
We’re all looking for deals as we shop for the perfect gifts. Malicious advertising (malvertising) involves placing malicious ads on websites, including those related to holiday shopping, and sending emails or texts with the intention of getting a victim to click on a malicious link. Clicking on these ads can lead to malware infections, loss of personal information, or loss of money. Malvertising, as a form of phishing, is very successful this time of year!
How to avoid being a victim of malvertising?
Beware deals that are too good to be true! If you see a deal, go straight to the source and seek the deal on the website of your choosing. Don’t click that link!
Look-Alike Charities.
Charitable donations go up around the end of the year, perhaps because we’re feeling generous or perhaps because we’re trying to get a deduction ahead of the coming tax season. In any case, fake charities pop up around the holidays hoping to trick some benevolent souls into donating to the wrong entity.
How to avoid being a victim of look-alike charities?
Know who you want to patronize ahead of time. Do your research. Go straight to the source when it’s time to make a contribution.
Shipping Scams.
We have Amazon boxes arriving at our house year-round, but it gets kinda silly during the holiday season. Alongside all the holiday shopping are the receipts and shipping notices, delivered via text message as much as email, notifying us of our purchases. Adversaries know a well-crafted phishing attempt from “FedEx” may get a victim to click.
How to avoid being a victim of shipping scams?
Log in to the vendor website to track packages; don’t click on the link!
Top 3 Concerns This Holiday Season… For Employers:
Address security during vacation hours.
Hackers know to attack when everyone on the security team is out on vacation. We see attacks happen on Christmas Eve every year! Keep in mind that dwell time – the time between when a hacker gains access and when the hacker is detected – can last from days to months. So, hackers may gain access to corporate systems during the year and intentionally wait until the holidays, when fewer people are watching, to take the actions they know will get them detected.
How to mitigate this risk?
Ensure members of your team are on call or checking in during the holidays. Have a policy that addresses work performed when an incident occurs during a time when employees are supposed to be off. Outsource components of IT and security to another organization that operates 24/7.
Enforce multi-factor authentication in HR systems.
HR systems may have less oversight than normal corporate systems, as they may use personal email addresses instead of corporate ones and be managed outside of the IT team. This includes benefits systems where tax information may be set and payroll systems where direct deposit instructions may be configured.
How to mitigate this risk?
Ensure multi-factor authentication (MFA) is enforced on HR systems. Enforced means it’s turned on… and cannot be turned off by the user. Payroll changes should be actively monitored.
Validate changes to tax or banking information.
What would your HR team do if they received an email (or text message or phone call) from an employee asking to update their direct deposit information? Scammers will attempt account changes via social engineering in the hope that a paycheck or tax refund will be deposited into their account rather than the actual account owner’s! With open enrollment occurring, the HR team may be overwhelmed with requests for assistance. Yet another request that comes in during this time may be accommodated without validating the requestor’s identity.
How to mitigate this risk?
Have a mechanism in place to confirm the requestor’s identity. This could be as simple as a callback to the requestor. Be especially careful when changes to access (password or MFA resets, etc.) or to banking information are being requested.
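One way to turn the two payroll mitigations above (actively monitoring payroll changes, and confirming the requestor’s identity by callback before a banking change) into a review routine. This is an added example, not code from the original post; the audit-event fields (employee, type, new_account, verified_by_callback) are a constructed, hypothetical log shape, not any real HR product’s format.

```python
"""Flag suspicious direct-deposit changes in HR audit events.

Added example; the event layout below is a constructed, hypothetical
audit-log shape, not the schema of any real payroll or HR system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: an MFA reset followed two days later by an
# unverified bank change, a second employee routed to that same account,
# and one change that was properly verified by callback.
SAMPLE_EVENTS = [
    {"ts": "2023-12-18T09:10:00", "employee": "e101", "type": "mfa_reset"},
    {"ts": "2023-12-20T14:02:00", "employee": "e101", "type": "deposit_change",
     "new_account": "ACCT-9911", "verified_by_callback": False},
    {"ts": "2023-12-21T08:30:00", "employee": "e202", "type": "deposit_change",
     "new_account": "ACCT-9911", "verified_by_callback": True},
    {"ts": "2023-12-22T11:45:00", "employee": "e303", "type": "deposit_change",
     "new_account": "ACCT-5500", "verified_by_callback": True},
]

RESET_WINDOW = timedelta(days=7)  # credential reset shortly before a bank change

def review_deposit_changes(events, window=RESET_WINDOW):
    """Return (employee, reason) findings for deposit changes that lack a
    callback, follow a recent credential reset, or share a destination
    account with another employee (a classic payroll-diversion pattern)."""
    events = sorted(events, key=lambda e: e["ts"])
    last_reset = {}                    # employee -> time of most recent reset
    account_owners = defaultdict(set)  # new account -> employees routed to it
    findings = []
    for ev in events:
        when = datetime.fromisoformat(ev["ts"])
        emp = ev["employee"]
        if ev["type"] in ("mfa_reset", "password_reset"):
            last_reset[emp] = when
            continue
        if ev["type"] != "deposit_change":
            continue
        if not ev.get("verified_by_callback"):
            findings.append((emp, "deposit change without identity callback"))
        if emp in last_reset and when - last_reset[emp] <= window:
            findings.append((emp, f"deposit change within {window.days} days of a credential reset"))
        account_owners[ev["new_account"]].add(emp)
    for acct, owners in account_owners.items():
        if len(owners) > 1:
            for emp in sorted(owners):
                findings.append((emp, f"account {acct} shared with another employee"))
    return findings

if __name__ == "__main__":
    for emp, reason in review_deposit_changes(SAMPLE_EVENTS):
        print(emp, reason)
```

Each finding is a reason for HR or security to pause the change and call the employee back on a number already on file, not one supplied in the request.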