The holiday season is upon us, which means it’s also the busiest time of the year for online shopping. There’s Black Friday, Cyber Monday, and gifts to buy for loved ones. Plus, gifts to buy for yourself when the deals are this good! But beware, for cybercriminals ‘tis also the season to scam millions of dollars from unsuspecting people and companies. They’re banking on people being in a rush and distracted during this hectic season, and therefore more likely to fall victim to a scam, which allows them to cash in. Sounds a lot like the Grinch, doesn’t it?
People need to be extra vigilant and watch out for email scams such as Phishing. These emails can make it past most security controls, because they appear to be coming from a trusted source; someone you know, a brand you trust or even someone from your company’s HR team or president.
Here’s a common scenario. You get an email from the sporting supply company you have purchased from several times in the past. But look carefully, is it really coming from that well-known brand? Before you click on that link with that great savings offer…
Check the body of the email and the sender information to look for misspellings. Is the email from Amazoni, not Amazon? Hover over any links to see if the URL is correct. Clicking on that offer link may be all it takes to grant a grinch access to personal or business data. If an email receiver does click on the link, it could be an imposter website created by a scammer imitating a trusted brand’s website domain. If a site doesn’t use two-factor authentication (sending a code via email or text before supplying personal or payment information), anyone can be misled to update or confirm username, password, credit card, etc. Bam!
It’s not just individuals who are at risk. Businesses often suffer insurmountable losses in brand trust, credibility, email deliverability as well as millions of dollars of revenue from both fraudulent and legitimate purchases. If people fall prey to someone who has impersonated a brand, that business suffers, because every real email they send may now not be trusted. Plus, loyal or new customers might not feel safe coming to the legitimate website to make a purchase.
In email spoofing attacks, the sender display and domain names can look like they come from legitimate brands. To prevent this, businesses can implement DMARC authentication so that when an email is received, the server checks to ensure the sender is authorized to send emails on that brand’s behalf. To get around this, attackers will also spoof using lookalike domains (Amazoni.com).
Employees need to think carefully before responding to emails. Would the CFO really want you to send them gift cards? Of course not, but would a trusted supplier change their bank account details? Perhaps. Suspicious emails should be reported to your security operations team immediately so they can be verified and if found to be a scam, other employees can be warned.
Security awareness training and processes will help stay one step ahead of modern-day grinches. As will email security solutions that use data science to inspect every incoming email message for authenticity. Based upon machine learning of typical behaviors and known senders, messages that can’t be trusted don’t make it to employee inboxes and ones that do are removed.
Having safety measures in place will keep everyone in good cheer and save businesses and personal holiday budgets from falling victim to a big “Bah! Humbug!” this holiday season.