As the holiday season barrels to a conclusion, malicious actors are attempting to take advantage of harried consumers by ramping up the volume of spam and phishing attacks in the form of unsolicited emails and email-based threats — and businesses stand to suffer.
A report from Bitdefender Antispam Lab found the volume of Christmas-themed spam has increased consistently since Nov. 27, with spikes in unsolicited correspondence observed between Dec. 6 and Dec. 9.
Scammers are employing the tried-and-true tactics of bogus surveys, online holiday dating opportunities, adult content offers, and discount shopping for designer goods.
Major corporations, including Netflix and Lowes, have been among the spoof subjects, enticing consumers with exclusive offers and cash giveaways — the catch being they must first enter credit card numbers or banking information, of course.
A recent study found more than a third of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result.
Alina Bizga, security analyst at Bitdefender, explains that threat actors are savvy when it comes to targeting. The holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities.
"They update their tactics, and lures, and take note of consumer behaviors, timing their social engineering attacks to catch users off guard and steal sensitive personal data and money or compromise their devices and financial accounts," she says.
Ramifications for Legitimate Businesses
Bizga adds that when threat actors mimic a legitimate business to trick consumers into giving out their personal information or money, organizations may also suffer financial losses and reputational damages.
"Scams leveraging popular trade names that are proliferated via large-scale spam campaigns can impact both consumers and employees, and organizations need to have a clear action plan to minimize potential damages in the aftermath of a phishing scam," she says.
This includes identifying fraudulent communications, gathering information on the scope of the attacks, and notifying consumers and law enforcement.
Sam Curry, Cybereason chief security officer, says the annual glut of seasonal spam makes legitimate marketing for businesses much harder.
"When the bad guys try to look like legitimate marketing, legitimate marketing becomes less trusted and tolerated," he says. "If your email queue goes up to 200 junk emails a day, and you get tired of hitting delete 170 times, then you're more likely to hit delete on the buried legitimate marketing content than not."
For retailers, the fight against spam and phishing is twofold: protecting the customer and protecting the organization.
Curry points out now is the time when many retailers go into the black.
"They may make more in a few days than in some months in the rest of the year, which is why they freeze IT and changes and focus on servicing customers at scale," he says.
That means any hiccups now are even more painful as a result.
"In security, we measure risk in terms of likelihood and impact, and during the holiday season, impact goes up dramatically," he says. "That in turn changes the responses and contingencies of businesses, making them more likely to pay a ransom or to take drastic measures to fix issues and problems."
Threat Actors Look for Quick, Easy Wins
Bizga says that although cybercriminals are regularly adapting their tactics, techniques, and procedures (TTPs), the most common attack vectors seen throughout the holiday season include phishing, exploiting vulnerabilities and human error and misconfigurations.
"In addition, supply chain attacks can exploit access of third parties such as suppliers, distributors, or contractors to their ecosystem," she notes. "For example, breaching a small supplier may result in access to their much larger customer or entire customer base."
Michael DeBolt, chief intelligence officer at Intel 471, says cyber threat actors are always looking for quick and easy wins that result in considerable profit with a low degree of risk and effort.
"The end-of-year holiday period presents a unique window of opportunity for threat actors to increase illicit profits due to the surge in online activity as retailers and consumers transact goods and services, log into online accounts, ship and receive products, and more," he says.
Keeping Alert Across the Organization
DeBolt says retail organizations need to be aware of the latest spam and phishing campaigns targeting their customers.
Armed with this information, organizations can employ directed awareness campaigns warning customers of potential threats and how to avoid them.
He notes that security and fraud teams can take mitigating measures by adjusting controls within the environment to defend against account takeover (ATO) attacks.
"The same malware spam campaigns that target consumers can be used to target employees within organizations as well," he adds.
An infected machine belonging to an employee can include login information to remote network accesses or credentials to sensitive data storage, which can lead to theft of company information or as a foothold for a ransomware deployment into the company’s network.
"Perhaps the most important takeaway is that information security needs to be practiced and understood across the entire organization, not just [by] the network defenders," he says.
In the fight against spam and holiday season phishing, retailers need to give their customers proper information and channels through which they can report suspicious correspondence sent in their name.
Bizga says businesses should also establish seasonal awareness campaigns to inform consumers about any ongoing spam/phishing campaigns and notify the applicable domain name registrar to report fraudulent activity.
"Additional remedial efforts should include notifying law enforcement and legal bodies that can assist with legal actions and advise against malicious actors," she says.
The Perils of Losing Customer Trust
Patrick Harr, CEO at SlashNext, explains that bad actors leverage the brand recognition of major retailers and other businesses to lure their victims into a false sense of security.
"When a victim realizes they have been duped, it can cause them to lose trust in the brand, even though they of course had nothing to do with the actual scam," he says. "As we all know, losing consumer trust can lead to significant decreases in revenue," Harr says.
He advises retailers to deploy a strong brand protection service that checks for brand impersonation instances.
Once a scam or impersonation has been identified, a request must be filed, along with evidence to prove that it is illegitimate.
"This can take quite some time, however, so retailers should adopt an automated service that is continuously scanning and reporting these impersonations," Harr says. "It won't stop impersonations altogether, but companies that fight back make themselves less of a target for future impersonations."