The holiday season is upon us, which unfortunately also means that it’s high season for cybercrime. The top threat for small businesses this time of year is phishing.
Security awareness training is a must for small and medium-sized businesses (SMBs). Unfortunately, keeping track of the latest threats and learning how to stay safe can feel like a Herculean task given the breakneck speed at which the cyber threat landscape keeps evolving. Indeed, like the mythical many-headed Hydra that spawned two new heads each time Hercules chopped one off, it seems that for every cyber threat that is mitigated, at least two new ones pop up.
What is phishing?
Phishing is a form of fraud aimed at acquiring sensitive information from an unsuspecting victim by masquerading as a trustworthy entity and contacting the victim using email, Instant Messaging (IM) or SMS (“SmiShing”). Phishing is a social engineering attack, meaning that threat actors attempt to psychologically manipulate victims into giving away valuable information such as personally identifiable information (PII) and credit card details. Phishers rely on technological mimicry, called spoofing, in order to convincingly present themselves as a reputable individual or organization, and to facilitate the covert “retrieval” of information from the victim.
In a typical phishing campaign, a cybercriminal targets a great many email addresses with a message containing a malicious link or attachment. In order to appear as a trusted entity, the attacker uses email spoofing to give recipients the impression that the message was sent by a trusted source, such as a well-known company or government agency.
In addition, the email template resembles that of the impersonated organization and includes official logos. The message aims to invoke a sense of urgency in readers by describing a certain problem that requires prompt action.
For instance, victims are informed that their user account needs to be reset or updated for security reasons. Victims are told that they can solve the issue by entering sensitive information, like login credentials, on the website of the alleged source. A link is provided, which leads to a spoofed website that looks like the real thing – even the URL might closely resemble the official web address. If victims comply, any information they enter on the fake website is harvested by the attacker.
The Risks for SMBs
Phishing is the most popular attack method among threat actors and is frequently considered the top cybersecurity threat to small businesses. According to a recent industry report, 93% of security breaches were the result of cyberattacks involving phishing and similar social engineering methods.
A successful phishing attack on a small firm often marks the start of a more elaborate campaign in which criminals use the information they have acquired from a targeted employee in order to infiltrate the company network, execute a BEC scam and/or commit various other crimes. Phishing messages are also used to deliver malicious software (malware) such as ransomware onto targeted systems.
Just like retail sales and charity donations, phishing attempts spike during the holiday season at the end of the year. According to a recent report, the number of attacks in October, November and December of 2017 was more than 50% higher than the yearly average. This surge in phishing campaigns is bad news for individuals and organizations alike, which is why the United States Computer Emergency Readiness Team (US-CERT) issues a warning about seasonal scams every year.
Compared to bigger companies, SMBs are especially at risk because only 32% of them organize training sessions and simulations to teach their staff how to recognize and avoid phishing scams. Moreover, less than 30% of small firms employ an IT security specialist who can help keep the company safe.
Examples based on actual holiday phishing scams
Phishing scams during the holidays can take on many forms. Some campaigns are similar to attacks seen all year round, while others have a clear holiday theme. The following two fictional scenarios show not only how actual holiday phishing scams work, but also demonstrate the devastating impact that a successful attack can have on a small firm.
Scenario one: Shipping notification scam
In early December, the office manager of a small accounting firm receives an email that appears to be a shipping notification from UPS. The message contains a link with a tracking number and states that the mentioned shipment could not be delivered. The employee is urged to contact UPS through the provided URL to solve the issue. Assuming that the shipment in question is one of the important orders he is currently expecting, the office manager quickly clicks on the link and fills out the company name and address details on the UPS page that opens up. When he is asked to pay for some minor additional charges, he enters the details of the office credit card almost without thinking. The shipments arrive the next day and the office manager soon forgets about the incident.
After the new year, when his boss wants to know how the company credit card got maxed out during the holidays, the office manager finally realizes that he has fallen victim to a phishing scam. The UPS email was fake, and so was the website on which he entered the credit card information. By doing so, the office manager did not pay for any shipments, but actually provided cybercriminals with the information they needed to steal tens of thousands of dollars from the small firm.
Scenario two: Holiday E-card scam
A few days before Christmas, the owner of a small webshop finds an email from Hallmark, or at least so it seems, in her inbox. According to the message, she has received a Christmas E-card, which is attached to the email. Thinking that the card might be from a satisfied customer, she excitedly opens the attached file, which seems to be a Microsoft Office document. However, instead of an E-card, a text file opens up containing gibberish. The webshop owner plans to contact Hallmark about the issue, but she never gets around to it during the busy holiday season.
A few weeks later, the webshop owner reluctantly accepts that her business will not live to see another holiday season because she fell for an E-card scam. The E-card was actually a malicious XML file that launched a PowerShell script the moment it was opened, resulting in the sophisticated Emotet banking Trojan being downloaded onto her computer. The Emotet malware easily avoided detection by the simple anti-malware solution running on the targeted system, while harvesting the victim’s PII, credit card information and login credentials for various user accounts, including those of online banking systems. The cybercriminals behind the campaign used this information to clear the bank accounts of the webshop owner, leaving her with insufficient funds to keep her business running.
Other notable examples of holiday phishing scams are:
- Phony vouchers: Victims are offered a fake discount or gift coupon for an online store. Redeeming the voucher requires recipients to click on a link and fill out sensitive information on what is of course a spoofed website.
- Bogus donation requests: Victims are asked to donate money to a certain charity in the spirit of Christmas. Those who fall for this scam end up “donating” their credit card details and PII to cybercriminals.
- Spoofed websites and social media pages: Scammers use spoofed e-commerce websites and social media pages mentioning lucrative deals to get unsuspecting victims to place an order, for which they need to enter credit card details and other sensitive data.
How to stay safe?
In order to protect your business from holiday phishing scams, there are several things you can do and/or tell your IT person or managed service provider about:
Install a reliable anti-malware solution and keep all your software up to date
Proper patch management for your OS and other software is an essential first step toward protecting your system. Ideally you should also invest in a professional security suite. If you are hesitant, at the very least get a free solution from a reputable developer.
Use a secure email gateway
Secure email gateways (SEGs) provide advanced protection against phishing attacks by checking incoming messages for spam, evidence of email spoofing and impersonation attacks. The spoofing checks rely on the sending domain having published SPF, DKIM and DMARC records, and a message that fails DMARC or whose visible From address does not line up with the address the mail was actually sent from is a strong signal; the gateway records these results in the Authentication-Results header, which your IT person can also inspect by hand when a message looks doubtful.
Organize or promote phishing awareness training and simulations
Phishing awareness training is a great way to educate staff about phishing scams, while phishing simulations allow SMBs to assess the cybersecurity habits of their employees.
Adopt multi-factor authentication (MFA)
Even though the majority of SMBs believe MFA is not suitable for them, it’s actually a great way for small businesses to prevent security breaches related to phishing by making sure that business accounts stay protected, even if login credentials get compromised because an employee falls for a phishing scam. One caveat: a phishing site can also ask for the one-time code and relay it to the real service in real time, so where a provider supports it, prefer phishing-resistant methods such as FIDO2 security keys, which only work on the genuine site.
Apply a stringent vetting process for electronic communication
Never open email attachments or click on images or Internet links in electronic messages from unknown senders. When it comes to messages from (seemingly) familiar sources, make sure to double check the sending address. Keep in mind that a legitimate address doesn’t mean the message is safe, as threat actors may have hacked into the account or spoofed the address. Be especially wary of messages containing language mistakes, odd phraseology, lucrative deals, urgent requests, desperate pleas or threatening language. Generally avoid interacting with attachments, images and links that you are not expecting to receive and always hover over links with your cursor to verify the URL. Look at the actual domain the link points to rather than whether a brand name appears somewhere in it: the visible text of a link can say one thing while the target says another, and ups.com.example.net is not ups.com. You can even type the known address into your browser and open the website manually. A URL starting with HTTP rather than HTTPS is a warning sign, but the reverse is not a guarantee: HTTPS only means the connection is encrypted, and phishing sites routinely use valid certificates, so a padlock says nothing about who runs the site.
Scan email attachments for malicious code
If you really need to open an email attachment, have the contents scanned for malicious code by a sophisticated anti-malware solution and/or a web-based anti-malware service such as VirusTotal. Regarding the latter option, make sure to check if you are comfortable with the privacy policy of the solution you are considering: a file you upload is shared with the service and its partners, so if the attachment may contain confidential business data, compute its SHA-256 hash and look that up first, and only upload the file itself if the hash is unknown.
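The gateway checks described under the secure email gateway tip, the sender and link vetting described above, and hashing an attachment before looking it up on VirusTotal, written out as one small triage script. This is an added example, not code from the original article or from any product it mentions. The sample message, the brand watch-list, the urgency word list and the simplified registrable-domain logic are assumptions constructed for the demonstration; a production tool would use the Public Suffix List and a real HTML parser.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a fake shipping notice in the style of
# scenario one. The From address spoofs UPS; the bounce address, the DMARC result,
# the link target and the attachment give it away.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@ups-delivery-notice.example>
Authentication-Results: mx.smallfirm.example;
 spf=pass smtp.mailfrom=ups-delivery-notice.example; dkim=none;
 dmarc=fail header.from=ups.com
From: "UPS Customer Service" <noreply@ups.com>
Subject: Action required: your package could not be delivered
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your shipment is on hold. Confirm your details within 24 hours.</p>
<p><a href="http://ups-delivery-notice.example/track?id=1Z999">https://www.ups.com/track</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.xml"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.xml"

PD94bWwgdmVyc2lvbj0iMS4wIj8+
--b1--
"""

BRANDS = ("ups", "fedex", "hallmark", "paypal")  # assumed watch-list of impersonated brands
URGENCY = re.compile(r"action required|within \d+ hours|immediately|suspended|on hold", re.I)
# Crude link extractor for the demo; a production tool should use a real HTML parser.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address: str) -> str:
    """'"UPS" <a@ups.com>' -> 'ups.com'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain. A real tool should
    use the Public Suffix List; this mis-splits names such as ups.co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def is_lookalike(host: str) -> bool:
    """Flag punycode hosts and hosts that use a brand name as a label without being
    that brand's domain, e.g. ups-delivery-notice.example or ups.com.evil.example."""
    host = host.lower()
    owner = registrable(host).split(".")[0]
    return "xn--" in host or any(
        re.search(rf"(^|[.-]){b}([.-]|$)", host) and owner != b for b in BRANDS)


def parse_auth_results(value: str) -> dict:
    """Authentication-Results -> {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'}."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}


def triage(raw: bytes) -> dict:
    """Run the gateway-style and reader-style checks from the text over one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(str(msg.get("From", "")))
    path_dom = domain_of(str(msg.get("Return-Path", "")))
    if path_dom and registrable(path_dom) != registrable(from_dom):
        findings.append(f"From domain {from_dom} not aligned with Return-Path domain {path_dom}")
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "missing") != "pass":
            findings.append(f"{mech} result: {auth.get(mech, 'missing')}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("urgency language in subject or body")
    links = LINK.findall(text) if body is not None and body.get_content_type() == "text/html" else []
    for href, shown in links:
        host = urlparse(href).hostname or ""
        if urlparse(href).scheme == "http":
            findings.append(f"plain-http link to {host}")
        if is_lookalike(host):
            findings.append(f"look-alike domain in link: {host}")
        # Visible text that is itself a URL must point where it says it does.
        shown_host = urlparse(shown.strip()).hostname if shown.strip().startswith("http") else None
        if shown_host and registrable(shown_host) != registrable(host):
            findings.append(f"link text shows {shown_host} but points to {host}")
    # Hash attachments instead of opening them; the hash can be looked up on
    # VirusTotal without uploading the file itself.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {"verdict": "suspicious" if findings else "no indicators",
            "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Run against the constructed sample, the report flags the misaligned bounce address, the DKIM and DMARC results, the urgency wording, the plain-HTTP link, the look-alike domain and the link whose text says ups.com while its target does not, and lists the attachment with its SHA-256 hash instead of opening it. None of these checks is proof of phishing on its own; the point is that a message tripping several at once deserves the manual verification the tips above describe.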
Never give up sensitive information
Legitimate organizations will never ask for login credentials or credit card information by email, text or IM. If you receive such a request, you are almost certainly dealing with a threat actor.
Finally, share the tips from this report with your colleagues/business partners
Sharing information on phishing prevention with the people you work with will help to keep your organization safe.