As online shopping increases, so do phishing attacks
Since it was first named in 2005, Cyber Monday, or the Monday after the Thanksgiving holiday weekend, has become the busiest – and for retailers, the most profitable – online shopping day of the year. For perspective, in 2020, consumers spent $10.8 billion on Cyber Monday. Some retailers eager to profit during the holiday season extend online deals into the following week, and so Cyber Monday morphs into Cyber Week.
Cyber Monday and other online holiday shopping events offer consumers great opportunities to purchase gifts from the comfort of their couches instead of lining up outside stores and dealing with traffic, crowds, and other nuisances. Unfortunately, criminals also view increased online shopping during the holiday season as full of opportunities. Their goal is to conduct phishing attacks to steal passwords and personal and credit card information and to compromise devices.
In 2019, Zscaler, a cloud-based information security company, performed an analysis of phishing attacks that occurred during the first 14 days of October and compared them to the first 13 days of November. The results were staggering. Zscaler discovered that the number of phishing attacks rose by nearly 400%.
Bad actors and criminal groups tailored their ploys to take advantage of vulnerable consumers through phony package delivery emails, forged special offers from major online retailers, text messages offering fake giveaways and sign-ups, and site skimmers. Three of the more common ploys included fake Amazon gift cards, fake Amazon login portals, and Trojan malware downloaded via malicious sites or email attachments.
Some ploys redirected users to fictitious sign-in portals, and others prompted them to enter credit card information. Even worse, some phishing attacks tried to trick users into unknowingly installing malware that would then attempt to establish persistence and call out to a command-and-control server.
Clearly, bad actors and criminal groups are organized and motivated to take advantage of consumers during the holiday season. Often, the so-called deals promoted in phishing attacks are forwarded to friends and family, thus accelerating an attack’s potential impact. To an information security professional or tech-savvy consumer these ploys are generally nothing more than an annoyance. But to a consumer looking for that hard-to-find gift or toy, these phishing attacks can be disastrous.
No, VPNs don’t protect against phishing attacks
Some consumers install virtual private networks (VPNs) to protect themselves online. However, despite what many advertisements claim, using a VPN for web browsing does not eliminate the risk of criminals stealing users’ personal information.
While VPNs are effective for encrypting traffic in transit and can be useful tools in a broader arsenal of defensive capabilities, they do not magically prevent phishing ploys or make sites or downloads safe. VPNs do not stop malicious programs from executing on users’ systems, and they don’t prevent malware from reaching back out to a command-and-control server. Additionally, VPNs don’t prevent users from navigating to malicious sites, and they don’t stop malicious sites from harvesting users’ credentials.
These 6 measures can help protect against phishing attacks
So, given the anticipated increase in criminal activity during the holidays and the fact that VPNs are not a sufficient solution, what can consumers do?
To help make their online shopping experiences more secure, consumers should:
- Employ multifactor authentication on as many online accounts as possible. A few extra steps are worth the peace of mind that comes with more secure login credentials.
- Always navigate directly to the actual retail site to shop. Attackers understand that users love the convenience of clicking a link instead of making the effort to go to the legitimate site, so they take advantage of that temptation by offering up bogus links.
- Never respond to unknown text or voicemail messages soliciting information that, once given, will supposedly result in a fantastic deal.
- Examine forwarded email messages very carefully. Family members or friends who genuinely think they’re being helpful might not realize their forwarded email contains a malicious link.
- Practice extreme caution when dealing with shortened URLs, as they can be obfuscated malicious links.
- Use a password manager to set unique account passwords. While users still must set a robust master password, a password manager allows for the easy rotation of all other passwords.
Raising awareness about phishing attacks pays off
Because of recent work-from-home trends, the lines between personal computers, home networks, and corporate environments have blurred. Not surprisingly, attackers see opportunity here, and they might try to access corporate infrastructure by compromising users’ personal assets. Therefore, organizations should educate and prepare their employees to fend off attacks, even when attackers might be targeting only noncorporate resources.
As we head into this holiday season, some consumers will no doubt be on the receiving end of nasty phishing attack surprises. But by educating ourselves as consumers and employees about how to spot and protect against phishing attacks, we can all have a safer and happier holiday season.