With Black Friday finally here and Cyber Monday on the horizon, excitement is building for the holidays ahead.
Unfortunately, it is also a time when individuals frequently and carelessly relinquish credentials online or inadvertently install malware. It is a time when businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.
The cold is setting in, and we’re on the cusp of a cyber-crime wave where fraudsters take advantage of people at their most distracted.
It’s The Season To Be Wary
This year, more than any other on record, phishing in all its incarnations is expected to hit unprepared retailers and individuals hard.
According to F5 Security Operations Center (SOC), fraud incidents for customers in October, November, and December tend to jump over 50% compared to the annual average.
Indicative of the scale of the problem, 75.6% of all websites taken offline by the F5 SOC between January 2014 and the end of 2017 were impacted by phishing.
Meanwhile, data from the Anti-Phishing Working Group (APWG) indicates that global phishing incidents have risen a staggering 5,753% over the past 12 years.
The problem is compounded by the rapid expansion of the attack surface. Extensive worldwide analysis by Salesforce suggests that 2018 holiday season eCommerce revenue will increase 13% on last year, with AI-based product recommendations driving 35% of all revenue. For the first time ever, more purchases will be made from mobile phones (68%) than from any other device, so more shoppers will be reading email and following links on a small screen, where the real destination of a link is hardest to see.
A perfect storm is brewing. Here’s how you can prepare and stay safe:
Take Care Before You Share
It’s easy to let your guard down when you’re self-promoting or updating followers with engagement-stoking details. Even seemingly innocuous information (job titles, travel dates, who reports to whom, which suppliers you use) can be pieced together by a persistent attacker into a convincing spear-phishing pretext. Individuals need to be wary, alert and responsible. Organisations, on the other hand, must run robust, continually evolving awareness programs so that all employees embrace a culture of appropriate social sharing. They should also check whether business-related content on third-party properties, such as online directories and partner websites, really needs to be public: staff names, roles and contact details posted there are prime raw material for targeted attacks.
Think Before You Click
Treat any link with suspicion, particularly if you’re unsure of its origin. Hover over hyperlinks to view the destination URLs: spear phishers routinely put a credible-looking address in the visible link text, or behind a button on a form that appears legitimate, while the actual destination is a domain they control. The visible text and the real target are two different things, and only the second one matters.
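The following is an added example, not code from the original article: a small Python script that does what hovering over a link does, for every anchor in an HTML email body, and flags the tricks used to hide the real destination behind credible link text (mismatched visible host, userinfo before the host, bare IP addresses, punycode labels, plaintext http). The HTML sample and every hostname and address in it are constructed for the demonstration, and the function names are my own.

```python
# Added example: audit the anchors in an HTML email body the way a careful
# reader hovers over each link. Sample HTML and all hosts below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname inside the visible link text
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable(host):
    """Crude registrable domain: the last two labels (a real tool would use
    the public suffix list so that names like example.co.uk are handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    reasons = []
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = parts.hostname or ""
    if parts.username is not None:
        # https://shop.example.com@evil.example/ : the browser goes to evil.example,
        # everything before '@' is userinfo and is ignored for the connection
        reasons.append(f"userinfo before the real host {host}")
    if IPV4.fullmatch(host):
        reasons.append("bare IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homograph of a known brand")
    shown = HOST_IN_TEXT.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text says {shown.group(1)} but href goes to {host}")
    if parts.scheme == "http":
        reasons.append("plaintext http link")
    return reasons


def audit_html(html):
    """Map each href in the fragment to its list of suspicion reasons."""
    collector = AnchorCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.anchors}


# Constructed sample: one legitimate link and two typical phishing patterns.
SAMPLE_EMAIL_HTML = """
<p>Your order is ready. <a href="https://shop.example.com/orders/123">View order</a></p>
<p>Confirm your card now:
   <a href="http://shop-example.com.verify-login.example/auth">https://shop.example.com/secure</a></p>
<p>Need help? <a href="https://shop.example.com@198.51.100.23/login">shop.example.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_html(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "; ".join(reasons) or "no issues found")
```

The registrable-domain comparison is deliberately loose (last two labels only) so that a link whose text says `shop.example.com` and whose target is `login.shop.example.com` is not flagged, while `shop-example.com.verify-login.example` is; a production checker would use the public suffix list and a brand allow-list instead.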
Sound Phishy? It Probably Is
Spear phishing has been honed to a fine art, including the incorporation of an impressive array of personal and circumstantial details to crank up the realism factor. Question everything and try to establish the sender’s identity through a separate channel before doing anything. Canny cyber criminals often impersonate high-ranking figures within an organisation so that urgency overrides caution, for example with a request to send sensitive details or payment information by email.
Interrogate Email Headers
Attackers frequently send innocuous-looking enquiries, or messages crafted to bounce, because the headers on the reply reveal internal IP addresses, the mail server software in use and the path traffic takes through your mail infrastructure. Do not let this happen: limit what your mail systems disclose. And check the headers of any message from an unknown source before opening its content: does the Return-Path or Reply-To domain match the From address, do SPF, DKIM and DMARC pass, and does the Received chain originate where the sender claims to be?
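As an added example that is not part of the original article, the Python below applies those header checks to a constructed message (every host, address and IP in it is made up) and, using the same Received-header parser, lists what a reply or bounce travelling this path would reveal to a reconnaissance probe: hostnames, RFC 1918 addresses and MTA software. The function names are my own.

```python
# Added example: triage a raw message's headers before its body is opened, and
# show what the Received chain discloses about a mail system. The message and
# every host, address and IP in it are constructed for the demonstration.
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
    by mx1.corp.example (Postfix) with ESMTPS id 4F9A1 for <cfo@corp.example>;
    Thu, 22 Nov 2018 09:14:02 +0000
Received: from [10.0.0.12] (unknown [10.0.0.12])
    by mail-relay.example.net (Postfix) with ESMTPA id 7C2B0;
    Thu, 22 Nov 2018 09:13:58 +0000
Authentication-Results: mx1.corp.example;
    spf=fail smtp.mailfrom=mail-relay.example.net;
    dkim=none;
    dmarc=fail header.from=corp.example
From: "CEO" <ceo@corp.example>
Reply-To: ceo.corp.example@webmail.example
To: cfo@corp.example
Subject: Urgent wire transfer before the holiday
Content-Type: text/plain

Please send the vendor bank details by return email today.
"""

RECEIVED = re.compile(
    r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def domain_of(header):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving MTA."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def received_chain(msg):
    """Hops in sender-to-recipient order as (from_host, from_ip, by_host, software).
    Each MTA prepends its own Received header, so the header order is reversed."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED.search(" ".join(str(hdr).split()))
        if not m:
            continue
        from_host, from_info, by_host, by_info = m.groups()
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_info or "")
        chain.append((from_host, ip.group(1) if ip else "", by_host, by_info or ""))
    return chain


def triage(raw):
    """Header-level reasons to distrust a message, plus its hop chain."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{mech}={result}")
    chain = received_chain(msg)
    if chain and from_dom and not chain[-1][0].lower().endswith(from_dom):
        findings.append(f"delivered by {chain[-1][0]}, not a {from_dom} server")
    return findings, chain


def leaked_infrastructure(raw):
    """What a reply or bounce over this path discloses to a probing attacker:
    hostnames, RFC 1918 (internal) IPs and MTA software named in Received headers."""
    msg = message_from_string(raw, policy=policy.default)
    hosts, internal_ips, software = set(), set(), set()
    for from_host, ip, by_host, sw in received_chain(msg):
        hosts.update(h.strip("[]") for h in (from_host, by_host))
        if ip and any(ipaddress.ip_address(ip) in net for net in RFC1918):
            internal_ips.add(ip)
        if sw:
            software.add(sw)
    return {"hosts": sorted(hosts), "internal_ips": sorted(internal_ips),
            "software": sorted(software)}


if __name__ == "__main__":
    findings, chain = triage(SAMPLE_RAW)
    for hop in chain:
        print("hop:", hop)
    for f in findings:
        print("finding:", f)
    print("leaks:", leaked_infrastructure(SAMPLE_RAW))
```

Only the Authentication-Results header written by your own receiving MTA is trustworthy; anything of that name arriving from outside should be stripped at the border, since a sender can add a forged one. Likewise the Received chain is reliable only from the first hop your own infrastructure added inward, which is why the example judges the last hop rather than the first.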
Adapt Or Die
There is no protective silver bullet, and any claims to the contrary should be treated as sales talk. Favour endpoint protection that detects malicious behaviour rather than relying only on signatures, so that it can catch variants of attacks that have already succeeded elsewhere. Ultimately, the onus is on you to stay educated and sensible. Demand awareness-raising and preventative training if your employer doesn’t offer it already.
Secure The Network
In the business world, it is imperative that security teams regularly ensure network systems are optimally configured to withstand threats. It is also critical to note that some applications are not built with a “security by design” mindset and occasionally expose details about the development team and organisational processes, for example in error pages, comments or version banners. Securing these is a priority. In addition, all domain and IP address registration records should list generic role names and identifiers (such as a hostmaster or abuse mailbox) rather than named individuals, so that the public record does not hand attackers a target list.
Test Your Limits
Businesses should consider periodically hiring a penetration tester to unearth the who, what, where, when and whys of attacker behaviors. Today’s reconnaissance and social engineering tests can, and should, furnish you with invaluable defensive insights.
Over time, we’ve become too comfortable sharing valuable information online and giving hackers a clear window into our lives. Don’t let your personal data be the gift that keeps on giving this holiday season. Stay smart, stay safe, and don’t swallow the bait!