The Christmas holidays are fast approaching, and individuals and businesses alike are winding down and preparing for a relaxing end to the year. However, one group of people is beginning to pick up the pace, eager to work throughout the holidays and exploit what they have to offer. Cybercriminals across the globe are gearing up for the skyrocketing online sales that come hand-in-hand with Christmas, as well as the lax security of businesses during this time. Essentially, the Christmas period is a “feast for threat actors”, according to security experts.
In 2017, online spending grew by 18.7% with Australians spending around $21.3 billion buying goods online, according to Australia Post. Security firm RiskIQ found that this represented an estimated 15% increase since 2016. Online spending outstripped traditional retail by 16.2% in 2017, a figure that will certainly have grown by the end of 2018. Indeed, Australia Post predicted that by 2020, one in ten items will be bought online.
Corresponding with these spikes in online shopping is the threat from online hackers. For example, risk experts ThreatMetrix predicted in 2016 that 50 million online attacks would occur globally during the Black Friday and Cyber Monday shopping week alone. In November 2016, the company had detected 130 million attempted attacks over the preceding 90 days, which strongly indicated that the final quarter of the year, being the lead-up to the Christmas holidays, would see more online attacks than ever before.
The Ponemon Institute’s study in 2013 showed that cyber-attacks on Black Friday and Cyber Monday could generate losses of up to $500,000 an hour for retail venues. Factoring in losses to reputation and brand damage, this figure rose to $3.4 million per hour of disruption. Adding to these harrowing statistics, the report also found that while 64% of organisations saw spikes in attacks during the Christmas period, only 23% of the attacks were detected and remedied. Unfortunately, many organisations did not take cyber security seriously, with nearly 70% failing to take additional precautions in anticipation of increased attacks during the Christmas holidays.
These cyberattacks are growing exponentially. They will affect everyone at every time of the year and become increasingly costly for individuals and businesses alike. Indeed, in a February 2018 report, McAfee estimated that the global cost of cybercrime could be as much as $600 billion.
What You Should Look For
During the holiday period, specially designed and themed attacks proliferate, utilising traditional Christmas practices and patterns to target unsuspecting victims.
For example, cybercriminals may recreate legitimate websites, making them virtually indistinguishable from the real site and successfully fooling people into fraudulent sales. Victims have little to no redress in these situations, and brands suffer significant damage to their reputation. To avoid this, customers are encouraged to always check URLs and look for SSL certificates, which come up as a padlock in the address bar. The padlock only shows that the connection is encrypted, so the address itself still has to match the retailer's real domain.
Phishing emails are also popular during the Christmas period, luring people in with flashy symbols, big deals and trusted brand names. As a rule of thumb, avoid clicking on any links in an email and, when in doubt, contact the alleged source of the email to check its legitimacy.
Christmas e-cards can be used as well, with the flashy holiday greetings from alleged friends, family and co-workers being used to trick individuals into clicking on links that will then download malicious software capable of stealing the data stored on the computer.
The FBI recently released a warning about a rise in Business Email Compromise (BEC) complaints after an increasing number of victims received email requests from ‘management’ to purchase gift cards for corporate gift-giving or holiday functions. Security firm Proofpoint found that these gift-card-related scams more than doubled in the third quarter of 2018, representing a worrying correlation with the Christmas period. Many of these gift-card requests referred to iTunes and Amazon, using the names of legitimate companies and managerial authority to trick staff.
Point-of-sale attacks involve hackers placing malware on sales terminals, which allows them to scrape credit card data and use it for fraudulent transactions. With the Christmas holidays encompassing some of the busiest shopping days of the year, such attacks become extremely lucrative for cybercriminals. These individuals are likely preparing for the holiday season, as MajikPOS malware activity already began to spike in November.
This year, a scam message has been circulating on WhatsApp throughout November, providing fake links to vouchers for retailers and supermarkets and encouraging recipients to pass the link on to others. The message from McAfee's Chief Scientist, Raj Samani, is clear: “if an advert for a deal looks too good to be true, it probably is”. Samani also encouraged people to think before they click and to “check out the site directly rather than clicking on any links”.
These are just a few examples of the multitude of sophisticated and targeted cyber-attacks that will exploit the Christmas period. To avoid them, individuals must be vigilant and thorough, keeping on top of the warnings and new methods being utilised.
Business Security During Christmas
Even before the Christmas period, business risk increases. Staff become distracted by deadlines, celebrations and preparations, or drop their guard as the work winds down. This leaves room for mistakes or carelessness, like clicking on a dodgy link or leaving a computer unlocked. To counter this, businesses must ensure their staff are more vigilant towards the end of the year. Education and awareness are also key to preventing phishing emails or rogue websites from giving hackers a backdoor into your business. Even regular check-ups of the premises and IT systems during the break could make all the difference. Essentially, businesses inevitably let their guard down during the Christmas holidays, and this increased risk must be factored into the security plan.
Cybersecurity should have no holiday season, according to Lieberman Software Corporation’s President, Philip Lieberman. Lieberman explained that “credentials and security patches must be actively managed all the time” and that the traditional ‘IT lockdown’ that occurs for many businesses during the Christmas period is often the “absolute worst security strategy”. This ‘lockdown’ is where a business’s IT systems are frozen for a period, with changes prohibited to avoid any negative impact on critical work. It is easy to see how this could leave security vulnerabilities in a business unpatched and undetected for a prolonged time, where they can be easily exploited by hackers.
The Christmas holidays demonstrate a clear spike in cybercriminal activity aimed at individuals and businesses. While security becomes particularly real and important for many during this period, the truth is that cybersecurity is a year-round responsibility. It requires a constant analysis of a business's risk profile and the new methods being used to target customers. Cybersecurity calls for discipline and prioritisation 365 days of the year. Acknowledging and actioning this will enable individuals and businesses to know they have done the most to protect themselves against current and emerging cyber threats.