Popular holiday-themed phishing attacks

The holidays are a busy time for everyone, especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns.

How can you ensure your employees are prepared for the onslaught of phishing attacks this holiday season? We’ve mentioned before that training your employees needs to be continuous, and if you have provided immersive security awareness training throughout the year, your employees will be more resilient to phishing attacks at all times. We’ve also noted the need to keep that continuous training fresh, and providing holiday themed training is a great way to provide training that is engaging and timely.

Which tactics should you train your employees to look out for? We’ve put together a list of the most common holiday-themed phishing attacks:

Holiday e-card: Who doesn’t love to receive a nice holiday greeting? But is that link to an e-card actually from your co-worker, manager, HR department, etc. or is it something sinister? Emails that appear to be holiday e-cards are a simple and effective phishing tactic every holiday season.

Emails offering great discounts are a standard holiday phishing email.

Holiday sales/discounts/deals: Everyone is hungry for a sweet deal during the holiday season, and merchants will be blasting out plenty of legitimate emails advertising their sales. With the National Retail Federation expecting over $600 billion in sales this holiday season, attackers will be sure to take advantage of all the holiday sale noise by sneaking in phishing emails masquerading as merchants offering blowout deals.

Spoofed holiday party invitations are another popular phishing email this time of year.

Holiday party info/registration: The company holiday party is always a much-anticipated event, and The Wall Street Journal estimates 9 out of 10 companies will throw some kind of holiday party this year. That means lots of organizations will send out email invitations, so spoofed invitations present another great holiday-themed opportunity for attackers crafting phishing emails.

With lots of packages being sent during the holidays, employees need to be on the lookout for fake package delivery notifications.

Package delivery/update notification: Last December 10, FedEx shipped 19 million packages to set a new record for packages shipped in a single day, and with the US Department of Commerce reporting increases in e-commerce in 2013, we could continue to see packages shipped in record numbers. With so many of us sending packages to friends and family this season, everyone will be on the lookout for package notification emails. An email warning of problems with delivery plays on our emotions and makes for an especially effective holiday phishing email.

Year end: The end of the year provides a number of interesting phishing email topics that can be especially effective by taking an authoritative tone, including:

  • PTO balance notification: Employees will be focused on how much vacation time to use over the holidays and how much will carry over to next year, so a message about their PTO balance (especially one threatening some negative consequences) will grab attention at this time of year.
  • Unfiled expense reports: Nothing like threatening some financial consequences to get someone to click on a link.
  • Urgent year-end deadline/requirements: An open opportunity for attackers to get creative and exploit the employee eager to knock out obligations before heading out for the holidays.

Charity: Online charity fundraiser Network for Good reports that more than 30% of its annual donations come in the month of December, and advises charities to conduct holiday outreach through email to capitalize on the giving holiday spirit. Unfortunately, adversaries know this too, and will craft plenty of phishes that tug at our emotions by spoofing common charities.

Travel notifications: AAA estimated that 93.3 million people traveled more than 50 miles from home during the end of December last year, and that means airlines will be sending out plenty of flight change/confirmation emails. We have seen some pretty realistic phishing emails that spoof the types of emails airlines commonly send to passengers, and an email warning of major itinerary changes will certainly grab the attention of an employee eager to get home for the holidays.

After receiving an email like the ones described above, how should employees proceed? First, it’s important for employees to assess the situation in which they are receiving the email. If an employee receives an email about a package delivery, for example, but didn’t provide his/her corporate email address when mailing the package or didn’t mail anything at all, then the email can be ignored. Often, the context in which an email is sent will betray its authenticity. If the email purports to come from within the organization, then confirm its authenticity with the sender through a separate channel. Last, and most importantly, employees should be trained to read the underlying URL behind a link (not just the text displayed for it) so they can distinguish malicious destinations from benign ones.
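The "read the underlying URL" habit can also be automated as a first-pass check on inbound mail. The following is an added example, not code from the original post or from PhishMe: it extracts every link from an HTML e-mail body and flags links whose visible text names one domain while the href actually points somewhere else, using a constructed sample holiday e-card (the hostnames and paths are made up).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude helper: keep the last two labels. Good enough for a demo, but it does not
    # understand multi-part public suffixes such as co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html_body):
    """Return links whose displayed text names a domain other than the real destination."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel:, anchors etc. are out of scope here
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if not shown:
            continue  # link text names no domain, so there is nothing to compare
        shown_dom, real_dom = registrable_domain(shown.group(1)), registrable_domain(target.hostname or "")
        if shown_dom != real_dom:
            findings.append({"text": text, "href": href, "shown_domain": shown_dom, "real_domain": real_dom})
    return findings


# Constructed sample: a fake e-card whose visible link text and real destination disagree.
SAMPLE_ECARD = """
<p>You have received a holiday greeting from a co-worker!</p>
<a href="http://cards.example.net/open?id=123">https://www.example-greetings.com/view</a>
<a href="https://www.example.com/unsubscribe">https://www.example.com/unsubscribe</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_ECARD):
        print(finding)
```

Only the first link is reported, because its displayed domain (example-greetings.com) differs from where the href really goes (example.net); the unsubscribe link agrees with itself and passes.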

Has your organization been hit by holiday-themed phishes? What are some of the better ones you’ve seen this year?

Author: Scott Greaux, PhishMe.
