It’s the time of year where we (hopefully) spend a little more time away from work and more time with friends and family to relax and celebrate. It’s to be expected that many of us are a bit more relaxed during the holiday season. Perhaps off-guard. This is exactly where the bad guys want us. They’re counting on it. It’s why they are more active this time of year.
The holidays have always been a time for the greedy to strike. Years ago, their primary vectors of attack were telemarketing scams used to promote fake charities. Of course, criminals still do these types of scams, but they have also kept up with the technological trends of the times. Today you are just as likely — if not more — to be hit with a phishing email, instant message or scam on social media.
But Rob, this is a corporate security blog — why are you writing about consumer security? Well, here’s the thing: the scam and phishing-related activity doesn’t just place consumers at risk. After all, your corporate employees are consumers — and think about how the separation between people as consumers and workers has been erased. The days of employees having personal devices and work devices are long gone. Many organizations are BYOD now, either by policy or the reality on the ground.
The reality is your employees are using work devices to click on emails, shop and research the holiday gifts they hope to share. As staff use these devices for both work and shopping — and accessing data files as well as connecting to the network — there is an increased risk that clicking on the wrong file or link could expose your organization to malware, data theft, ransomware attacks and more.
Here are just some of the techniques attackers use to trick employees:
- Emails that look like they come from insiders of the organization or trusted partners
- Bogus websites that promise deep discounts, but are really designed to siphon personal data and credit card numbers
- Mass phishing scams that impersonate popular retail brands to steal usernames and passwords, which thieves then try to reuse on other services
- Spurious order or shipment update emails
- Phony charities
- Social media updates and tweets crafted to lure people to scam websites
- Holiday ecards (isn’t anything sacred?)
The good news is that because attackers are using the holidays as a moment of opportunity, you can do the same thing by taking constructive steps to build employee awareness about phishing and online scammers. To protect their safety and yours, now is a perfect time to help them understand that they are being targeted during the holiday season.
Here are some things to remind employees to do to protect themselves and your organization:
- Avoid public Wi-Fi and always connect through a secure, trusted network.
- Always use best practices when it comes to password management.
- Use unique passwords for each service and never reuse work passwords for home.
- Use a separate email for online shopping.
- Dedicate one credit card or prepaid card for online shopping, and don’t use debit cards (the rules for fraud protection are often different).
- Be vigilant for phishing emails, social media posts and direct messages. Don’t ever click on unfamiliar links; when an offer seems too good to be true, it probably is.
- Look closely at all email communications — watch for minor changes in email address name or domain, the validity of the domain the links refer to, typos in the text of the message and odd grammar.
- Back up their devices and data regularly; a good backup is the best way to recover from such things as ransomware attacks.
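The "look closely at email communications" reminder above can be partly automated. The following script is an added example, not code from the original post or its author: it parses a constructed sample message, flags a sender domain that is a near-miss of a domain on a hypothetical trusted list (the lookalike-sender technique in the first list), and flags links whose visible text names one domain while the href points somewhere else. The trusted-domain list, the sample message and the edit-distance threshold are all assumptions made for the example.

```python
"""Added example: lightweight checks for lookalike senders and mismatched links."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the organisation trusts (constructed for this example).
TRUSTED_DOMAINS = {"example-corp.com", "example-retailer.com"}

# Constructed sample message: digit '1' swapped for 'l' in the sender domain,
# and a link whose visible text shows the real brand domain.
SAMPLE_EMAIL = """From: "Example Retailer Orders" <orders@example-retai1er.com>
To: employee@example-corp.com
Subject: Your order has shipped!
Content-Type: text/html

<p>Track it here: <a href="http://example-retai1er.com/login">example-retailer.com</a></p>
<p><a href="http://example-retailer.com/help">Help center</a></p>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain; good enough here, no public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_lookalike(from_header: str, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain the sender imitates, or None if it is clean."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    if domain in trusted:
        return None
    for candidate in trusted:
        if 0 < edit_distance(domain, candidate) <= max_dist:
            return candidate
    return None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str):
    """Links whose visible text contains a hostname that differs from the href's."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        href_host = registrable_domain(urlparse(href).hostname or "")
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        # Only link text that looks like a hostname (contains a dot) is compared.
        if shown and "." in shown and registrable_domain(shown) != href_host:
            bad.append((text, href))
    return bad


def check_message(raw: str) -> dict:
    """Run both checks over a raw RFC 5322 message with a single HTML part."""
    msg = message_from_string(raw)
    return {
        "lookalike_sender": sender_lookalike(msg.get("From", "")),
        "mismatched_links": mismatched_links(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The checks are deliberately simple: an edit distance of one or two against a short allow-list catches typo-squats such as the swapped digit above, and comparing the link text's hostname with the href's hostname catches the classic "shows the real brand, points at the fake site" trick. Neither replaces a mail gateway, but both are easy to explain to employees as what "look closely" means in practice.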
Of course, much of the same advice holds all year around, but it’s worth being extra diligent this time of year. The less time spent cleaning up malware and recovering from attacks, the more time we all have to enjoy the season.