As we approach the final weeks of 2018, it’s important to remember that for most people, ‘tis the season for taking time off. That is, unless you’re a cybercriminal. This holiday season online attackers are actively working to exploit consumers as they work, vacation, and shop online. Below are three things you can do right now to stay safer online this holiday season.
Tip #1: Beware of Gift Card and Tax Email Scams
Gift cards are increasingly popular, especially within companies, as they make for great employee, partner, and client gifts. The problem is, cybercriminals are following the money and targeting the employees who are typically responsible for purchasing gift cards with fraudulent emails. In fact, Proofpoint research found a 4,671% increase in gift card-related business email compromise (BEC) attacks over the course of 2018 compared with the prior year. And the FBI recently issued an alert about the attack spike.
In these attacks the criminal poses as a high-level executive, using an email address whose display name matches the executive’s while the underlying address belongs to the attacker, and asks an employee to purchase gift cards. Because the message appears to come from an executive and is framed as important and urgent, employees often buy the cards without verifying that the request is legitimate. Follow-up messages then direct the employee to send the cards, or their codes, elsewhere, which is all the attacker needs to spend them.
In 2018, the top five email subject lines associated with gift card theft were as follows:
- iTunes gift card
- gift cards
- donation (gift cards)
- amazon gift cards
- gift card
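The display-name trick described above is detectable at the mail gateway or in a SIEM rule. The following is an added example, not Proofpoint’s code or a description of its products: it scores inbound messages on three signals, an executive’s name in the display field that does not belong to that executive’s address, a Reply-To domain that differs from the From domain, and the 2018 gift-card subject keywords listed above. The corporate domain, the executive list and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for the example: the executives most often impersonated in
# gift-card BEC and their real addresses (assumptions, not real people).
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "John Smith": "john.smith@example.com",
}

# Keywords taken from the 2018 gift-card subject lines listed above.
GIFT_CARD_SUBJECT = re.compile(r"gift\s*cards?|itunes|amazon", re.IGNORECASE)


def normalize_name(display_name):
    """Make 'Doe, Jane', 'jane doe' and 'JANE DOE' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", display_name).lower().split()
    return " ".join(sorted(tokens))


_EXEC_BY_NAME = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(headers):
    """Score one inbound message from its From, Reply-To and Subject headers.

    Returns (risk, reasons) with risk in {'high', 'medium', 'low'}.
    """
    display, address = parseaddr(headers.get("From", ""))
    address = address.lower()
    reasons = []

    # Signal 1: an executive's name in the display field, but not that
    # executive's address. The display name is all most mail clients show.
    expected = _EXEC_BY_NAME.get(normalize_name(display))
    name_spoof = bool(expected) and address != expected
    if name_spoof:
        reasons.append(f"display name '{display}' belongs to {expected}, but From is {address}")

    # Signal 2: replies are routed to a domain other than the one the mail
    # claims to come from, so the conversation continues with the attacker.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    reply_mismatch = bool(reply_to) and domain_of(reply_to) != domain_of(address)
    if reply_mismatch:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(address)}")

    # Signal 3: gift-card language in the subject line.
    subject_hit = bool(GIFT_CARD_SUBJECT.search(headers.get("Subject", "")))
    if subject_hit:
        reasons.append("gift-card keywords in subject")

    if name_spoof and subject_hit:
        risk = "high"
    elif name_spoof or (reply_mismatch and subject_hit):
        risk = "medium"
    else:
        risk = "low"
    return risk, reasons


# Constructed sample headers: a gift-card BEC attempt, a genuine internal
# message, and a retailer newsletter sent through a third-party mailer.
SAMPLE_MESSAGES = [
    {"From": '"Jane Doe" <jane.doe.ceo@gmail.com>',
     "Reply-To": "jane.doe.ceo@gmail.com",
     "Subject": "iTunes gift card - urgent"},
    {"From": '"Doe, Jane" <jane.doe@example.com>',
     "Subject": "Q1 planning"},
    {"From": '"Holiday Deals" <promo@retailer.example>',
     "Reply-To": "bounce@mailer.example",
     "Subject": "Amazon gift cards for everyone on your list"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        risk, reasons = assess_message(msg)
        print(f"{risk:6} {msg['Subject']!r}: {'; '.join(reasons) or 'no signals'}")
```

The first sample scores high (executive’s name, outside address, gift-card subject), the second low (the real executive, with her name written surname-first), and the third medium, because a Reply-To that differs from the From domain is common for legitimate bulk mail and only becomes interesting alongside gift-card language. A real deployment would also check authentication results (SPF, DKIM, DMARC) and look-alike sender domains, which this example leaves out.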
This week the IRS also issued an alert warning consumers of a recent surge in fake emails that claim to be from the IRS or its tax partners and are designed to steal financial and personal information. The IRS reports a 60% increase in such scam emails this year.
Recommendations: Gift cards make fine presents, but buy them from the merchant’s site directly, not from a link in an email. Never click on emailed gift card offers, and establish a corporate policy that every gift card purchase request must be verbally confirmed with the requester, using a phone number you already have rather than one supplied in the email. That caution also needs to extend to emails with urgent IRS-related subject lines. If you suspect a tax email is fraudulent, forward it to phishing@irs.gov.
Tip #2: Don’t Turn on Out-of-office Replies
A big part of enjoying your time off is having an automated reply let people know you’re away, so they don’t think you’re ignoring them. The problem with a detailed out-of-office reply is that it tells anyone who emails you, attackers included, that you are away and offline, and for how long. They can then attempt to compromise your account, or simply impersonate you, knowing exactly how much time they have before you return and notice. Targets include anyone external-facing who works close to sensitive data or can influence operations (accounting, HR, executives, etc.).
Once inside your account, there is almost no limit to the damage cybercriminals can do in your name, because your colleagues treat mail from you as trusted. They can send malware, solicit personal information from coworkers (such as W-2s), or request that funds be wired to, or invoices paid to, fake entities. For example, if you’re the CEO or CFO, accounts payable may receive an email purportedly from you saying “I’m about to get on a plane…please transfer [dollar amount] to entity X.”
Recommendations:
If it’s not critical, do not activate an out-of-office reply. Instead, email the contacts who need to know that you will be offline or out of town, and state that any request for wire transfers, payments, or sensitive data during your absence must be verbally confirmed with you before it is acted on.
If posting an out-of-office reply is critical to your position, keep the message shown to anyone outside your organisation as vague as possible; for example, “Thank you for your email, I will reply in short order.” Most mail systems let you set a separate, more detailed reply that only internal senders see.
Tip #3: Don’t Open Holiday Emails You Aren’t Expecting
“It’s the holidays” is often unofficial code for “I’m letting my guard down until Q1.” But when it comes to cybercrime, extra vigilance is required this time of year. Staying safe this season means treating your inbox and your web searches with care: sophisticated cybercriminals build customised phishing emails around what they can learn or guess about you, such as the retailers and shippers you are likely to hear from, to lure you into clicking.
In addition, they register web addresses that differ from legitimate brand sites by only a character or two to trick consumers. This is called “typosquatting”: the fake domain might add an extra letter, drop one, or use a common misspelling of the brand name. Virtually all consumers, and especially online shoppers, are targets of these schemes.
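Look-alike domains of the kind just described can be caught mechanically before a link is clicked, for example in a mail filter or a proxy log review. The following is an added example, not code from the original post or from Proofpoint: it reduces each link to its registrable domain, folds the usual visually confusable characters (rn for m, 0 for o, and so on), and flags anything within one edit of a known brand name or carrying the brand name as a hyphenated token. It goes one step beyond the text by also flagging the brand name used as a subdomain of an unrelated domain. The brand list, the toy public-suffix list and the sample links are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed for the example: brands a holiday shopper expects mail from. A
# tuple keeps results deterministic if a host resembles more than one brand.
BRAND_DOMAINS = ("amazon.com", "fedex.com", "ups.com")
BRAND_NAMES = {d.split(".")[0]: d for d in BRAND_DOMAINS}

# Toy public-suffix list (assumption); use the real Public Suffix List in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Visually confusable substitutions commonly used in look-alike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def registrable_domain(host):
    """'www.shop.amazon.com' -> 'amazon.com'; 'parcels.ups.co.uk' -> 'ups.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-label suffix (co.uk) before a one-label one (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def levenshtein(a, b):
    """Edit distance: one insertion, deletion or substitution counts as one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label):
    for lookalike, real in HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label


def classify_host(host):
    """Return ('legitimate', brand), ('lookalike', brand) or ('unrelated', None)."""
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return "legitimate", reg

    name = fold_homoglyphs(reg.split(".")[0])  # the label the registrant chose
    for brand_name, brand in BRAND_NAMES.items():
        # Short names such as 'ups' get no edit tolerance: 'usps' is a different, real company.
        max_edits = 1 if len(brand_name) >= 5 else 0
        if levenshtein(name, brand_name) <= max_edits:
            return "lookalike", brand
        # Brand name as a hyphen-separated token: 'amazon-deals', 'ups-delivery-notice'.
        if re.search(rf"(^|-){re.escape(brand_name)}(-|$)", name):
            return "lookalike", brand

    # Brand name used as a subdomain of an unrelated registrable domain
    # ('amazon.com.holiday-checkout.net'): not a misspelling, but the same trick.
    for label in host.lower().split(".")[:-1]:
        if fold_homoglyphs(label) in BRAND_NAMES:
            return "lookalike", BRAND_NAMES[fold_homoglyphs(label)]
    return "unrelated", None


def classify_link(url):
    """Accept a full URL or a bare host name and classify its host."""
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    return classify_host(host)


# Constructed sample links: two genuine sites, four look-alikes, one unrelated site.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/css/order-history",
    "http://amaz0n-deals.com/track",
    "https://tracking.fedx.com/status?id=1",
    "http://ups-delivery-notice.net",
    "http://amazon.com.holiday-checkout.net/login",
    "https://www.usps.com/",
    "https://groups.google.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, brand = classify_link(link)
        print(f"{verdict:10} {brand or '-':12} {link}")
```

Two design points matter in practice. The allowlist must contain every domain the brand legitimately uses (amazon.co.uk, for instance, would be flagged against this three-entry list), and the edit tolerance has to shrink with the brand name’s length, otherwise three-letter brands produce a stream of false positives against real, unrelated companies.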
Recommendations:
Always log on to shipper sites (UPS, FedEx, etc.) directly, by typing the address or using a bookmark, to check shipping information. Do the same for merchant sites, and never click merchant links within email messages. Be equally vigilant with personal and corporate email, and don’t check personal online shopping information from work: a phishing link clicked from a work machine exposes your workplace, not just you.
Following the above recommendations will significantly reduce your chances of becoming a victim this holiday season. For more insight on how cybercriminals will likely pursue consumers this holiday season, please visit our threat research team’s detailed blog post: https://www.proofpoint.com/us/threat-insight/post/thanksgiving-christmas-cybercriminals-cash-range-threats-over-holidays