Beware of these holiday hacks
It would seem that cybercriminals don’t respect the sanctity of holidays and, in fact, Christmas makes them positively creative! Here, we explore a few antics hackers employ to take advantage of our good cheer this time of year.
While the rest of us are happily shopping online and settling accounts before the New Year, it seems there are sneaky grinches in our midst. The festive period has created a range of cyber risks over the years, with hackers taking advantage of the increase in e-commerce, charity activity, and time spent online.
Below, we explore a few holiday hacks we’ve seen emerge – and no, unfortunately “hacks” doesn’t refer to a better, faster way to cook your Christmas turkey – along with a few quick tips on how to stay safe online.
Unless you’re really organized, it’s highly likely that you are using a variety of online shops to complete your Christmas shopping. And chances are, you’re using the same username and password combination to purchase goods across multiple sites. The problem with this is that when one set of credentials is leaked, it gives cybercriminals the keys to a whole range of websites, many with stored payment information and more. Even worse, if these credentials are related to a business account, they could be used to breach company systems.
Tip: If you can, use unique passwords across e-commerce sites – try using sentences instead of words. You can also use password managers, like LastPass.
At year end, it can be nice for businesses to tie up loose ends, but be aware of any invoices coming your way. Not only can attachments from unknown sources contain malicious code that can lead to the encryption of computer systems, but even invoices you are expecting can sometimes be fraudulent. For example, it’s not uncommon for our team to see cases of invoice fraud this time of year – where hackers have breached suppliers’ systems, doctored invoices with new bank account details, and sent them to expecting recipients who inevitably end up paying into fraudulent accounts. We’ve noticed similar-style scams involving the collection of school fees, which often takes place around this time.
Tip: Don’t open any attachments or click on links in emails from people or businesses you aren’t expecting to hear from. And if you’re paying into an account that is new to you – for example, it’s a new supplier or they’ve recently changed their account details – always call the owner of that account on a separate, trusted line, to make sure the details are legitimate and correct.
Gift card scams
One thing our in-house Cyber Incident Response Team has noticed is a clever kind of CEO fraud that revolves around gift cards. This happens when a seemingly legitimate email arrives from someone senior within a business, asking an employee to buy gift cards as client gifts. That same executive then emails again to request the unique code on the back of the gift cards, under the guise of expediting the gift giving. Of course, the employee eventually discovers that the original requests weren’t legitimate and that the email had either been hacked or spoofed. This is a particularly effective attack method with so many people working remotely, where it’s not as easy to quickly ask someone to verify something.
Tip: If someone asks you, by email, to buy something, even someone within your business, follow up with a phone call.
With so many gifts to buy, we all want to get a deal at Christmas. There’s no shame in hunting around for the best price, but beware of flashy ads and unfamiliar websites. Cybercriminals operate a multitude of fake websites, and putting your payment card details into the wrong website will not only lead to the theft of those valuable numbers, but you also won’t receive what you paid for. What’s more, ads on insecure websites can be riddled with malware, which can lead to even bigger problems, particularly if those websites are accessed on company systems.
Tip: If the deal seems too good to be true, it probably is. Make sure to buy items from reputable retailers with secure websites (https), and ones that operate out of your own territory where possible.
So as we all start to wind down for the holidays, make sure to be just a little more vigilant when it comes to time spent online or on email. We want all of you to have a wonderful, incident-free, festive period!
To read more about the threats our Cyber Incident Response Team is noticing in real time, see our cyber advisories.