November 26, 2014 By Douglas Bonderud 2 min read

In 2013, Cyber Monday sales hit almost $2.3 billion, an increase of 21 percent over the previous year, according to USA TODAY. It looks as though 2014 will be another banner year, both for post-Black Friday shopping and the holiday season as a whole. However, as reported by the U.S. Computer Emergency Readiness Team (US-CERT), phishing scams and malware are also on the rise. How can consumers and companies avoid having their holidays hacked?

Winter Warnings

According to US-CERT, cybercriminals use a variety of methods to infect computers and steal personal information. These include e-cards from unknown senders that contain malicious links, along with fake advertisements or shipping notifications that come with malware-laden attachments. Misleading social media campaigns are now popular scams, asking holiday shoppers to donate money for “worthy” causes that do nothing more than line the pockets of malicious actors. Fake websites are also viable avenues for holiday hacks. Last year, CSO Online reported that almost 3,000 fraudulent websites were created using “Black Friday” or “Cyber Monday” as identifying terms.

The common denominator here is social engineering. Holiday phishing scams and malware target high-volume search terms and leverage the trust that comes with common seasonal activities such as shipping packages or browsing for deals online. Users are now familiar with this kind of social advertising, having been exposed to it through “recommendations” to buy items from popular retail websites based on past orders. As a result, great deals on electronics or other high-profile goods are often granted a measure of trust, even when they’re unsolicited.

Protecting the Presents

While it’s tempting to think of this problem as purely focused on consumers, businesses are also at risk. According to TrackVia, almost 70 percent of millennial workers admit to using mobile devices in ways that are contrary to corporate policies. These include anything from downloading unapproved apps to surfing the Web for great Cyber Monday deals on company time. If employees are hit with phishing scams, corporate networks can be the ones that pay the price.

So how do organizations and end users protect themselves? US-CERT offers the following advice:

  • Never follow unsolicited links or download anything from an unknown source.
  • Never supply personal information via email, even to a “reputable” vendor.
  • Keep browser software up-to-date.
  • Ensure all transmissions are encrypted.
  • Use credit cards, since laws exist to limit liability for fraudulent transactions. Not all debit cards offer the same type of protection.

In the event of a successful phishing attack or malware infection, users should take these four steps:

  1. Change all passwords that could have been compromised.
  2. Make sure any accounts that might have been compromised are put on hold and monitored.
  3. Contact local police and file a report with the Federal Trade Commission.
  4. File a complaint with the FBI’s Internet Crime Complaint Center.

While the last step may seem too cumbersome if loss amounts are relatively small, it is important nonetheless since more information about holiday cybercrime gives law enforcement agencies a better chance at catching those responsible.

Cyber Monday is just around the corner, but along with great deals comes the specter of phishing attacks and highly infectious malware. To avoid getting scammed, increased awareness is key. Don’t let holiday spirit cloud better judgment and hack the season for everyone.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today