In one of our previous articles, we emphasized that when an emergency hits society, cybercriminals will do everything in their power to exploit the confusion and the people’s panic. As human beings are mainly driven by emotions first, logic after, it comes as no surprise that attackers will leverage them to successfully deploy their attack schemes and get access to data, systems and even entire infrastructures.
The following may sound redundant, but that doesn’t make it any less true: the human factor may well be the weakest link in your organization’s cybersecurity defenses. According to Verizon, 82% of breaches involve a human element and approximately 60% of the breaches in the EMEA region include a social engineering component.
‘Tis the most vulnerable time of the year!
And the winter holidays are ALL about the human factor. In this time of giving, sharing, celebration, excitement and – eventually – rest, we’ve identified 5 situations in which your employees might let their guard down and unknowingly leave the door open to a variety of potentially costly cyberattacks.
1. Holiday cheer and workload usually get people distracted
With all the frenzy and otherwise dazzling stimuli specific to the holiday season, it can be difficult to pay proper attention to what dangers might sneak into our inboxes, social platforms’ messages and newsfeeds. Who would think that a Christmas party invite or an E-card would be suspicious or even threatening?
On top of that, one might find it understandably difficult to follow technical guidelines coming from their security teams at this time of the year, when there’s still so much shopping, cleaning and planning to do. Add some year-end deadlines, and reading PDFs with cybersecurity refreshers will drop to the bottom of the priority list.
Proof: a recent study shows that up to 45% of employees who get distracted at work fail to comply with the security rules at their organization.
2. The inevitable spike in online shopping gets tricky
In their 2022 holiday retail survey, Deloitte professionals estimated that 63% of holiday purchases would be made online, as in the previous two years. Moreover, Adobe predicted a 2.5% growth in online sales for the November 1st – December 31st timeframe.
It usually starts with Black Friday sales and continues with Christmas gifts and New Year purchases. December is, by default, a profitable month for retail sales.
Unfortunately, it can be a profitable month for cyber attackers as well. Taking advantage of the spending fever, cyber criminals may use a series of attack methods that require few technical resources and are easy to launch:
- fake e-commerce websites;
- fake ads, especially through emails and social networks, using urgent phrasing that pushes shoppers to click on malicious links;
- email and social media scams;
- phishing campaigns:
  - fake discounts and limited-time offers that stop shoppers from thinking twice before clicking;
  - payment options limited to bank transfers, gift cards and cryptocurrency;
  - smishing campaigns with order delivery scams.
There’s a world of possibilities attackers explore to trick shoppers into unintentionally downloading malicious programs and software that give access to personal and even work devices.
3. “I’ll make you a (FAKE) offer you cannot refuse!”
“Have you planned your Christmas trip yet?”
“Where are you spending your New Year’s?”
“Need a place to party’n crash for the New Year’s?”
Don’t have an answer yet? Some last-minute planning might bring trouble along the way. Attackers may set traps such as bargains and “best deals” with limited time to book a flight, a hotel or a restaurant, asking for direct contact and transfers to personal accounts, so as to rush people into thinking they will have an unforgettable time at an incredible cost. An incredible cost indeed, unfortunately.
4. Getting swayed into contributing to FAKE charity campaigns
The winter holidays are a time of giving. Some social platforms have made it easier for people to spread generosity and compassion. But scammers can take advantage of these virtues and operate through fake websites or fake charity cases to steal money and divert donations for their own benefit. And who knows what other traps lie behind clicking fake charity links (spoiler alert: we could be talking about stealing credit card or bank account details, spreading malware, computer viruses and on and on)…
5. Holiday breaks mean understaffed security teams…
Which in turn means a great risk of falling victim to a cyber attack.
Everyone needs a break – except for cybercriminals. In fact, according to a recent study, they are even leveraging holidays and weekends for maximum impact. Therefore, fewer people on your security team won’t only mean increased attention from attackers, but also a more damaging outcome. This is why 90% of cybersecurity professionals are concerned about weekend / holiday attacks, the same study says.
A list of gifts we know you don’t want under your Christmas tree
A.k.a. Here are the top cyber threats organizations need to watch out for during the holiday season.
1. Phishing campaigns
In their many shapes and forms, especially spear-phishing and whaling.
What is worrying is that, starting November 27th, there has been a steady increase in the volume of Christmas-themed spam. The largest number of suspicious emails was recorded between December 6th and 9th.
Should your employee click that unbelievable Christmas gift offer in their email, download that year-end invoice with an unknown file extension – or access anything else that is suspicious, your organization could be risking millions in damage.
2. Ransomware attacks
Ransomware is one of the most popular types of cyber attacks, usually launched through phishing campaigns. According to IBM, in 2022:
- ransomware breaches became more prevalent, going up to 11% in frequency this year compared to 7.8% in 2021;
- ransomware attacks accounted for 12% of critical infrastructure breaches.
Moreover, last year’s statistics show a 30% increase in the global average number of ransomware attack attempts over the holiday season, in 2018, 2019 and 2020, compared to the monthly average.
3. DDoS attacks
Cyber criminals find it easier to launch this attack during the holidays, given the already strained networks and high traffic volume some businesses encounter by default at this time of the year. While DDoS is not the worst that can happen, this attack can definitely cause a serious interruption in an organization’s day-to-day activity. The average cost of a DDoS attack can go up to $40,000 an hour, so it is definitely a threat you should look out for.
4. SQL injections
In 2022, 1162 vulnerabilities of the type “SQL injection” were published on CVE Details. These are easy-to-launch attacks – which is why, in 2021, injection ranked as the third most serious web application security risk – and are known to be very effective in times of high activity, such as Christmas time.
5. Stolen credentials
In 2021, it was estimated that the holiday season would register up to eight million credential stuffing attacks on consumers every day.
Breached-password activity in 2022 shows that the trend moved towards so-called MFA fatigue. This made room for infostealer malware attacks to escalate, with threat actors successfully completing high-profile breaches through a mix of stolen credentials and social engineering tactics. Such malicious activity is expected to rise during the winter holidays.
Don’t let the Grinch hackers steal your Christmas! Here’s what you can do
In order to properly enjoy your holiday season, knowing your organization’s security measures are top notch, make sure you tick everything off this list:
- Set up a proper holiday strategy, with an emergency plan and a 24/7 available response team in place;
- To offload your team’s efforts, consider the services of a Security Operations Center provider;
- Make sure you conduct a pre-holiday audit as well, to validate and be aware of the latest changes and updates in your infrastructure, but also to patch and fix vulnerabilities in time;
- Keep your systems up to date – don’t forget to check your firewall, anti-virus etc. – and provide a solution to back up your data;
- Confirm compliance with the highest security standards in your industry;
- Consider temporarily locking down some privileged accounts to avoid privilege escalation attacks;
- Offer safe and instructive training and educate your employees to:
  - pay attention to fake websites;
  - avoid clicking on suspicious links and emails;
  - avoid connecting their work devices to public wi-fi networks;
  - use strong and complex passwords and a password manager;
  - be careful what they share and what they click on in social networks;
  - use up-to-date anti-virus programs;
  - use safe methods for purchasing;
  - understand the risks of not following the security guidelines in your organization.
Winter holidays bring out the best in people. But as we’ve seen so far, they can bring out the worst as well. The battle against malicious intent is never-ending, so don’t let the efforts you put into improving your cybersecurity posture during the whole year go to waste: always stay vigilant. Now, it’s not just about avoiding reputation or financial losses.
It’s also about peace of mind to enjoy a relaxing break.