How to protect against phishing attacks during the holidays

Peter Cockshott and Michael Salihoglu | 11/24/2021

To keep hackers from getting holiday deals on personal information, consumers can take proactive measures to protect against phishing attacks.

The holidays have arrived – and so have a slew of online holiday deals on products from stocking stuffers to sports cars. While many fabulous deals might make consumers happy, some of those deals are definitely too good to be true. To protect against phishing attacks during the holiday season, consumers can take proactive measures and thwart the ploys of bad actors.

Hackers don’t take holiday breaks

Many consumers and security professionals plan to use the holiday season as a time to get away from work and relax with family and friends, but bad actors and criminal groups are gearing up to go to work.

The Cybersecurity and Infrastructure Security Agency (CISA) noted in an August 2021 alert that cyberthreat actors appeared to be targeting holidays and long weekends to mount cyberattacks in order to catch organizations off guard. The CISA alert referenced large cyberattacks that occurred over the Mother’s Day, Memorial Day, and Fourth of July weekends, and it encouraged organizations to evaluate their security postures and implement best practices in advance of upcoming holidays and long weekends.

As consumers enter the online holiday shopping season, they should be aware that bad actors are ready and waiting to take advantage of increased online activity. Like organizations, consumers should take steps to protect against phishing attacks.

As online shopping increases, so do phishing attacks

Since it was first named in 2005, Cyber Monday, or the Monday after the Thanksgiving holiday weekend, has become the busiest – and for retailers, the most profitable – online shopping day of the year. For perspective, in 2020, consumers spent $10.8 billion on Cyber Monday. Some retailers eager to profit during the holiday season extend online deals into the following week, and so Cyber Monday morphs into Cyber Week.

Cyber Monday and other online holiday shopping events offer consumers great opportunities to purchase gifts from the comfort of their couches instead of lining up outside stores and dealing with traffic, crowds, and other nuisances. Unfortunately, criminals also view increased online shopping during the holiday season as full of opportunities. Their goal is to conduct phishing attacks to steal passwords and personal and credit card information and to compromise devices.

In 2019, Zscaler, a cloud-based information security company, performed an analysis of phishing attacks that occurred during the first 14 days of October and compared them to the first 13 days of November. The results were staggering. Zscaler discovered that the number of phishing attacks rose by nearly 400%.

Bad actors and criminal groups tailored their ploys to take advantage of vulnerable consumers through phony package delivery emails, forged special offers from major online retailers, text messages offering fake giveaways and sign-ups, and site skimmers. Three of the more common ploys included fake Amazon gift cards, fake Amazon login portals, and Trojan malware downloaded via malicious sites or email attachments.

Some ploys redirected users to fictitious sign-in portals, and others prompted them to enter credit card information. Even worse, some phishing attacks attempted to trick users into surreptitiously installing malware that would then attempt to establish persistence and call out to a command-and-control server.

Clearly, bad actors and criminal groups are organized and motivated to take advantage of consumers during the holiday season. Often, the so-called deals promoted in phishing attacks are forwarded to friends and family, thus accelerating an attack’s potential impact. To an information security professional or tech-savvy consumer, these ploys are generally nothing more than an annoyance. But to a consumer looking for that hard-to-find gift or toy, these phishing attacks can be disastrous.

No, VPNs don’t protect against phishing attacks

Some consumers install virtual private networks (VPNs) to protect themselves online. However, despite what many advertisements claim, using a VPN for web browsing does not eliminate the risk of criminals stealing users’ personal information.

While VPNs are effective for encrypting traffic in transit and can be useful tools in a broader arsenal of defensive capabilities, they do not magically prevent phishing ploys or make sites or downloads safe. VPNs do not stop malicious programs from executing on users’ systems, and they don’t prevent malware from reaching back out to a command-and-control server. Additionally, VPNs don’t prevent users from navigating to malicious sites, and they don’t stop malicious sites from harvesting users’ credentials.

These 6 measures can help protect against phishing attacks

So, given the anticipated increase in criminal activity during the holidays and the limits of VPNs as a defense, what can consumers do?

To help make their online shopping experiences more secure, consumers should:

  1. Employ multifactor authentication on as many online accounts as possible. A few extra steps are worth the peace of mind that comes with more secure login credentials.
  2. Always navigate directly to the actual retail site to shop. Attackers understand that users love the convenience of clicking a link instead of making the effort to go to the legitimate site, so they take advantage of that temptation by offering up bogus links.
  3. Never respond to unknown text or voicemail messages soliciting information that, once given, will supposedly result in a fantastic deal.
  4. Examine forwarded email messages very carefully. Family members or friends who genuinely think they’re being helpful might not realize their forwarded email contains a malicious link.
  5. Practice extreme caution when dealing with shortened URL links, as they can be obfuscated malicious links.
  6. Use a password manager to set unique account passwords. While users still must set a robust master password, a password manager allows for the easy rotation of all other passwords.

Raising awareness about phishing attacks pays off

Because of recent work-from-home trends, the lines between personal computers, home networks, and corporate environments have blurred. Not surprisingly, attackers see opportunity here, and they might try to access corporate infrastructure by compromising users’ personal assets. Therefore, organizations should educate and prepare their employees to fend off attacks, even when attackers might be targeting only noncorporate resources.

As we head into this holiday season, some consumers will no doubt be on the receiving end of nasty phishing attack surprises. But by educating ourselves as consumers and employees about how to spot and protect against phishing attacks, we can all have a safer and happier holiday season.
