‘Tis the season for cyberscams. As the holiday season nears, adversaries will try to take advantage of people’s generosity and holiday spirit. That’s why it’s critical to be alert.
While it’s still early to detect and analyze seasonal trends, we anticipate seeing several new and emerging techniques in attackers’ creativity and lures, along with tried-and-true tactics from previous holiday seasons.
From generative AI that helps telephone-oriented attack delivery (TOAD) to multifactor authentication (MFA) bypass that leans on shipping alerts, here’s a look at five holiday scam predictions. These are the tricks and trends that you might see evolve in this year’s winter threat landscape.
1: Generative AI will make threat detection trickier
What’s blown up since last holiday season? A little thing called generative AI. This emerging technology might change the game of crafting emails that include those too-good-to-be-true offers. Phony shipping emails are always favorites for attackers, and they always become more frequent during the holidays. Nobody wants a problem with merchandise they’ve ordered or packages they’ve shipped.
Last year, many holiday season shipping phishing attempts featured standard red flags, like grammatical errors and non-native language structure. These are easily detectable at a quick glance. But this year, we expect to see many attackers using generative AI to write their emails and texts, potentially reducing easy detection.
So go a level deeper when you’re trying to determine whether a holiday season shipping email is a scam. Take a closer look at these emails and ask these questions:
- Is the message generic or personalized?
- Are you being asked for unnecessary sensitive information?
- Does the sender display name match the email address? (This is a safety checklist item that people learn in security awareness training.)
- Are you being asked to pay a fee to receive a package? (Note: In this case, it’s best to refuse the delivery until you can confirm the shipment is legitimate.)
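The checklist above can also be applied by a mail filter or a triage script rather than by eye. The following Python is an added example written for this post; it is not Proofpoint code or part of any Proofpoint product. It parses a constructed sample message (the addresses, domains and wording are invented for illustration) and reports which checklist items the message trips: a display name whose brand does not match the sending domain, a generic greeting, a request to pay a fee, and a request for sensitive information. The keyword lists and regular expressions are illustrative heuristics, not a complete detection rule set.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real phishing email). It shows every red flag the
# checklist describes: generic greeting, display name that names a brand the
# sending domain does not belong to, a fee demand, and a sensitive-data request.
SAMPLE_EMAIL = """\
From: "FedEx Delivery Team" <notice@parcel-update.example>
To: customer@example.org
Subject: Action required: your package is on hold

Dear Customer,

Your package could not be delivered. A redelivery fee of $2.99 is required.
Please confirm your card number and date of birth to release the shipment.
"""

# Constructed legitimate-looking counterpart: personalized, brand matches the
# sending domain, no fee, no request for sensitive data.
LEGIT_EMAIL = """\
From: "FedEx" <tracking@fedex.com>
To: customer@example.org
Subject: Your package is on its way

Hi Alex,

Your shipment 7946 left our facility today. No action is needed.
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "valued customer", "hello,")
# Words commonly added to a brand name in a display name; ignored when matching
FILLER_WORDS = {"team", "delivery", "support", "service", "the", "customer", "notification"}
FEE_PATTERN = re.compile(r"\b(fee|charge|payment)\b.{0,40}\b(required|due|pay)\b", re.I | re.S)
SENSITIVE_PATTERN = re.compile(
    r"\b(card number|password|date of birth|social security|ssn)\b", re.I
)


def display_name_mismatch(from_header):
    """True when the brand words in the display name do not appear in the sender domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z0-9]+", name)]
    brand_words = [w for w in words if w not in FILLER_WORDS]
    return bool(brand_words) and not any(w in domain for w in brand_words)


def assess(raw_message):
    """Return the checklist items a message trips, as a sorted list of flag names."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = set()
    if display_name_mismatch(msg.get("From", "")):
        flags.add("display_name_mismatch")
    # The greeting is the first non-empty body line
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        flags.add("generic_greeting")
    if FEE_PATTERN.search(body):
        flags.add("fee_requested")
    if SENSITIVE_PATTERN.search(body):
        flags.add("sensitive_info_requested")
    return sorted(flags)


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_EMAIL))
    print("legit: ", assess(LEGIT_EMAIL))
```

The display-name check is the one people most often skip when reading on a phone, where mail clients hide the address and show only the name; comparing the brand words in the name against the domain after the `@` is the same test the awareness-training checklist asks you to do by hand.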
2: TOAD scams might get an AI boost
TOAD has become part of the threat toolkit, as attackers push victims to take unsafe actions over the phone. Writing with generative AI could increase the believability of TOAD attacks that use a holiday playbook.
Need to stop an expensive gift purchase on your credit card or accept a heavily discounted travel offer? Then, contact this (fake) call center! If an AI-generated email successfully imitates a legitimate company, it’s more likely that the victim will dial the phone number they’re directed to.
Generative AI could also provide opportunities to expand holiday scams globally. For instance, every Christmas and New Year, we see English-language vacation scams that target a Western audience. But there is also a huge volume of travel and celebration for Lunar New Year in China, South Korea, Vietnam and Hong Kong. If attackers previously lacked cultural knowledge or language skills to target these populations, they might now use freely available AI tools to quickly research what experiences might feel meaningful and create holiday lures that are localized and enticing.
Luckily, generative AI is unlikely to improve interaction with the fraudulent call center. If you call the TOAD number, red flags should still be detectable. For instance, be wary if the “operator” is:
- Clearly following a script.
- Pressuring you to take an action.
- Speaking with a regional accent that your security awareness training has taught you to associate with call center fraud.
3: MFA bypass could surface more often
MFA bypass surged in popularity last year, and we continue to see an increase in the number of lures that use this technique. The attacker steals account credentials in real time by intercepting the MFA short code when the victim types it into an account login page that is fake or compromised.
Since MFA bypass is an ongoing threat trend, we expect to see the techniques applied this year to holiday-themed lures. Companies send many order confirmation and shipping notification messages during the holidays. As the recipient, you have a strong desire to log in to your UPS, FedEx or DHL account more often when you’re waiting for—and worried about—holiday packages arriving on time.
Attackers are likely to take advantage of this increased traffic and consumer concern. They design holiday-themed phishing emails that blend with real emails, and they pattern their messages after legitimate notifications. This makes it easier to drive consumers to compromised account login pages or lookalike websites that will intercept and capture MFA credentials.
To avoid MFA credential theft, it’s best to avoid engaging with unexpected shopping and shipping messages. Do not click links in unsolicited or unusual emails or text messages. If you want to confirm a purchase or delivery, go directly to a legitimate source by typing the website address or calling a known contact number.
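The advice to type the carrier’s address yourself rather than follow a link can be turned into a link-triage check for the messages that do arrive. The following Python is an added example written for this post, not Proofpoint code; the carrier domain allowlist and the sample URLs are constructed for illustration, and the registrable-domain logic is deliberately simplified (a production check would use the public suffix list). It classifies each link by the hostname the browser would actually connect to, which is how lookalike hosts and the `brand@attacker-host` userinfo trick are separated from the carrier’s real site.

```python
import re
from urllib.parse import urlsplit

# Illustrative allowlist of the carriers named in the post; extend for your environment.
KNOWN_CARRIER_DOMAINS = {"ups.com", "fedex.com", "dhl.com"}
CARRIER_BRANDS = ("ups", "fedex", "dhl")


def registrable_domain(hostname):
    """Simplified registrable domain: the last two labels (no public-suffix handling)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Classify a URL by the host the browser would contact.

    known_carrier     - registrable domain is on the allowlist
    carrier_lookalike - host is not a carrier domain but a label starts with a carrier brand
    unknown           - host is neither; treat as untrusted
    no_host           - URL had no usable hostname
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "no_host"
    if registrable_domain(host) in KNOWN_CARRIER_DOMAINS:
        return "known_carrier"
    # Split the host into labels/tokens so "groups.example" is not read as "ups"
    tokens = [t for t in re.split(r"[^a-z0-9]+", host) if t]
    if any(tok.startswith(brand) for tok in tokens for brand in CARRIER_BRANDS):
        return "carrier_lookalike"
    return "unknown"


def triage_links(urls):
    """Return {url: classification} for every link found in a message."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links, not taken from any real campaign.
SAMPLE_LINKS = [
    "https://www.fedex.com/tracking?id=123",           # the carrier's real site
    "https://fedex-delivery-update.example/track",     # brand in a lookalike host
    "https://ups.com.account-verify.example/",         # brand as a leading subdomain
    "https://www.fedex.com@login.example/verify",      # userinfo trick: host is login.example
    "https://groups.example/holiday",                  # 'ups' inside a word is not a match
]

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict:18} {url}")
```

Only the `known_carrier` verdict corresponds to the site you would reach by typing the address yourself; every other class is a reason to ignore the link and go directly to the carrier, exactly as the paragraph above recommends.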
4: Gift card scams will continue to be popular
Gift cards are popular and convenient—even for cybercriminals. That makes gift card holiday scams a perennial threat that ramps up around holiday giving time. This type of business email compromise (BEC) attack is a social engineering campaign in which attackers pretend to be a C-level executive who wants help orchestrating a holiday bonus for employees.
This holiday scam often begins in the workplace with a short text or email that tests how receptive you are to the idea. Subsequent messages will ask you to purchase high-value gift cards using company funds or to pay upfront with the promise of reimbursement. The goal? To trick you into sending gift card numbers and the PINs to unlock them.
These gift card scams often feel believable because they tap into the trust of personal and professional relationships. They also play on the victim’s emotions, such as feeling proud to be contacted by a business leader or to be part of something positive that can make others happy.
This holiday season, it’s important to stay alert for warning signs like emotional appeals. And make sure to reach out to the executive supposedly making the request through another channel to verify and validate it.
5: Charity scams always donate to themselves
Cyberattacks are often designed to take advantage of people’s emotions, and charity donation holiday scams are a prime example of that. Attackers will set up fake nonprofit companies or create websites that mimic well-known charity organizations. And attackers keep using charity phishing emails year after year because they continue to be successful.
This holiday season, we expect to see attackers use familiar, heartwarming requests for donations toward the “gift of a meal” or helping people who need shelter during the winter. Bad actors are also likely to put a global spin on their campaigns, using newsworthy topics as lures. So, don’t be surprised to see charity scams that take advantage of ongoing humanitarian situations, natural disasters and conflict zones.
Your caution about charity scams during the holidays should extend beyond email and texts, as attackers will use all available channels at their disposal. You could see similar tactics used in phone calls, social media, printed materials and misleading ads.
The best way to avoid impostors is to work directly with legitimate charities and established aid programs. For instance, contact an organization by typing a trusted web address into your browser instead of clicking on donation links in an unsolicited message.
Get started now with our complimentary kit
As the holidays get closer, we will see whether these holiday scam techniques and trends emerge, to what extent attackers use them, and what their impact is.
Meanwhile, how can you make sure that the messages and media your users engage with are on the nice list? And how can you help them steer clear of those on the naughty list?
The best way to help your employees stay safe is to provide them with security awareness training. The complimentary 2023 Happy Holiday Season Kit from Proofpoint can help. We provide four weeks of suggested content to support your security awareness efforts around the December holidays and into the new year. Here’s what the kit covers:
- Week 1: Learn the basics of shopping safely.
- Week 2: Understand phishing messages that tap into travel scenarios.
- Week 3: Identify cyberscams that ask for a helping hand.
- Week 4: Wrap up the campaign with an ad-libs word game.
Download our 2023 Happy Holiday Season Kit here.