Hack-y Holidays? Phishing Scams and Malware on the Rise, Says US-CERT

In 2013, Cyber Monday sales hit almost $2.3 billion, an increase of 21 percent over the previous year, according to USA TODAY. It looks as though 2014 will be another banner year, both for post-Black Friday shopping and the holiday season as a whole. However, as reported by the U.S. Computer Emergency Readiness Team (US-CERT), phishing scams and malware are also on the rise. How can consumers and companies avoid having their holidays hacked?

Winter Warnings

According to US-CERT, cybercriminals use a variety of methods to infect computers and steal personal information. These include e-cards from unknown senders that contain malicious links, along with fake advertisements or shipping notifications that come with malware-laden attachments. Misleading social media campaigns are now popular scams, asking holiday shoppers to donate money for “worthy” causes that do nothing more than line the pockets of malicious actors. Fake websites are also viable avenues for holiday hacks. Last year, CSO Online reported that almost 3,000 fraudulent websites were created using “Black Friday” or “Cyber Monday” as identifying terms.

The common denominator here is social engineering. Holiday phishing scams and malware target high-volume search terms and leverage the trust that comes with common seasonal activities such as shipping packages or browsing for deals online. Users are now familiar with this kind of social advertising, having been exposed to it through “recommendations” to buy items from popular retail websites based on past orders. As a result, great deals on electronics or other high-profile goods are often granted a measure of trust, even when they’re unsolicited.

Protecting the Presents

While it’s tempting to think of this problem as purely focused on consumers, businesses are also at risk. According to TrackVia, almost 70 percent of millennial workers admit to using mobile devices in ways that are contrary to corporate policies. These include anything from downloading unapproved apps to surfing the Web for great Cyber Monday deals on company time. If employees are hit with phishing scams, corporate networks can be the ones that pay the price.

So how do organizations and end users protect themselves? US-CERT offers the following advice:

  • Never follow unsolicited links or download anything from an unknown source.
  • Never supply personal information via email, even to a “reputable” vendor.
  • Keep browser software up-to-date.
  • Ensure all transmissions are encrypted.
  • Use credit cards, since laws exist to limit liability for fraudulent transactions. Not all debit cards offer the same type of protection.

In the event of a successful phishing attack or malware infection, users should take these four steps:

  1. Change all passwords that could have been compromised.
  2. Make sure any accounts that might have been compromised are put on hold and monitored.
  3. Contact local police and file a report with the Federal Trade Commission.
  4. File a complaint with the FBI’s Internet Crime Complaint Center.

While the last step may seem too cumbersome if loss amounts are relatively small, it is important nonetheless since more information about holiday cybercrime gives law enforcement agencies a better chance at catching those responsible.

Cyber Monday is just around the corner, but along with great deals comes the specter of phishing attacks and highly infectious malware. To avoid getting scammed, increased awareness is key. Don’t let holiday spirit cloud better judgment and hack the season for everyone.

Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...