KT Connections Blog

The Holiday Season is also Spear-Phishing Season


For a hacker, there’s no such thing as a holiday break. As a matter of fact, some attack vectors are seen more commonly during this time of year. One of these attack vectors, spear phishing, becomes a particular favorite for many hackers. In order to stay safe, you need to be more careful on social media, webmail, and ecommerce sites.

The Inherent Risks of Shopping Online

Online shopping, much like regular shopping, can put your data at risk. Just like someone might swipe a purse out of a cart in the moment that you’ve turned away, hackers can use a variety of tools to make off with your personal data as you shop online. Alternatively, online shopping can also give hackers the opportunity to infiltrate your systems, often via spear-phishing attempts.

How Spear-Phishing Works

Spear-phishing is popular among cybercriminals as a means of beginning a larger attack, as it often provides the hacker with the means to access their target. Newscenter1 reported on the phenomenon as it related to stolen taxpayer data in July of 2017, but the chain of events is essentially the same.

In their article, Newscenter1 accurately describe a spear phishing attack, starting from the point when an attacker sends a targeted email to a particular recipient after the hacker has done some digging. The recipient is urged by the message, which appears to be from a trusted source or authority figure, to click through an included link. However, clicking the link only allows the hacker to continue their attack, having gained access to your systems.

While some of these attempts are almost comically transparent, many are not. This is why you need to protect yourself and your business from the efforts of these clever cybercriminals. This may be most true during the holiday season.

Phishing by the Numbers

Phishing attacks have historically been the vector of choice for cybercriminals to use during the holiday season. In 2015, phishing attacks were considerably more common on social media, increasing by 80%, webmail applications, increasing by 59%, and increasing by 41% on ecommerce websites.

At the same time, cloud storage and hosting saw 27% fewer phishing attacks, and the financial industry--usually a prime target for attacks--saw a reduction in their frequency as well.

It also doesn’t help that businesses can often make it easier for these cybercriminals to put these kinds of attacks together.

Bypassing the Human Security Measures

Unfortunately, spear-phishing attacks leverage one of the weakest elements of your security in order to work: the human element. Cybercriminals leverage human nature to give their schemes the best chance of working, technology aiding them in this deception. For one example, let’s look at a feature that will be used heavily this holiday season and determine how a hacker could use an Out-of-Office email alert to create a trap.

Let’s say you plan to be out of the office for a time, and you set up an Out-of-Office alert. Sharing too much information could lead to a data breach in a few simple steps. First, if you name your manager specifically in your Out-of-Office message, you’ve just given the cybercriminal the next person to contact. Thing is, they’ll contact them posing as you.

Combining the other information that is often found in an Out-of-Office responder, like travel dates, with other information that can be found online, a cybercriminal could reach out to your manager posing as you and deliver an infected attachment. Of course, your manager will probably open this attachment--it is from you, after all--and the cybercriminal has successfully infected the business network. Cybercriminals have also figured out methods to make their messages more convincing--including the time of year. Leaning on the assumption that people will forgive misspellings and grammar issues due to the shared stress of the season, hackers can create an email message that appears legitimate.

There are other ways that a hacker can make their message more effective, too. Including a picture of the person who supposedly sent the message has proved effective for many cybercriminals, as has marking the message as high priority or rush. A particularly devious method many cybercriminals use is to send the message to an executive who is out of the office, who will glance at it briefly before delegating it to an employee. This employee then finds themselves opening a phishing message sent to them by their boss.

Staying Safe

There are many means of avoiding phishing attempts, but they all boil down to remaining vigilant as you check your email. If you ever question if an email was sent from who it was supposedly sent by, verify that that person sent the message by phone. You should also not access links found in the email from the email--instead, copy and paste them into your browser so you can look at them closely and check for any spelling errors in the URL. There should also be HTTPS at the beginning of the URL, as this tells you that the website is secure (and therefore less likely to infect you). Finally, keep an eye on your credit card statements and if there are any unexpected charges, make sure you report them.

Remember, if it’s too good to be true, it probably is. A holiday miracle isn’t going to appear in your inbox. If anything, it’ll be the opposite. For more help with keeping your information secure, reach out to us at 605-341-3873.