The Facts About Phishing and the Holiday Season

A s Black Friday comes and goes, and Thanksgiving is right around the corner, even the grinchiest among us can’t ignore that holiday vibe. Christmas songs are playing as we do our grocery shopping, families are planning long-awaited get-togethers, and your employees are (hopefully) whistling while they work!

Unfortunately, alongside all the cheer and goodwill, it’s a well-known fact that this is the most dangerous time of the year when it comes to cybercrime. In fact, phishing attempts have been shown to rise as much as 400% between ‘business as usual’ October, and the start of the holiday season in November.

This year, the threat is higher than ever, with a recent report estimating 8 million attacks every single day during the 2021 holiday season, an increase of more than 60% on the usual numbers.

Why do phishing scams ramp up this time of year?

There are a number of reasons why the holidays add risk for today’s businesses. First, attackers prey on employees’ emotions, which are regularly heightened during this time of year. Whether your employees are extra busy or stressed finishing off projects before year’s end, or whether they are excited and distracted by holiday plans – attackers want to leverage this change in mood, which makes it more likely that they will click on a malicious link or make a poor judgment call.

Attackers are also looking for shared experiences, which can make phishing emails seem personal and contextual. It’s all about timing. Just as the FCC warned about phishing scams that used COVID-19 and the vaccine rollout to frighten people into clicking or responding to a scam, the holiday season is another perfect opportunity. Attackers can promise Black Friday deals which are definitely too good to be true, they can encourage employees to sign into a fake portal to log vacation days in the “new system”, or even assume the role of HR or other department leads to sharing photos or Christmas party information that is a disguise for malicious intent.

Black Friday and Cyber Monday weekend is a particularly vulnerable time for employees. They will have the strong emotions of excitement around getting great deals, fear of missing out on a time-sensitive opportunity, and also the practical risk factors that come with using new online retail websites or delivery couriers that they may not be familiar with. 

What makes 2021 even more dangerous than previous years?

This year, COVID-19 and the rise in remote work have led to a distributed working reality for many companies. This adds a number of elements to the risk landscape. Employees are likely to have colleagues that they have never met before, making an email from an unknown sender who claims to be internal much more believable, and making it harder for employees to question the tone or language of the sender. The same is true with Black Friday, where employees will be less likely to visit in-person stores, relying on browsing to new retailers online and trusting their correspondence. 

In addition, with remote working – many employees are working from their home computers, which leads to bad practices. In fact, 56% of senior IT leaders in the UK and the US believe that employees have picked up bad security habits when working from home, and maybe even worse – almost 2 out of 5 of employees agree. Studies have shown that when test phishing scams are sent to a distributed workforce, those managers working in the office often ignore the scam, while employees working from home are more likely to click. Of course, home computers are regularly logging into the corporate network, making them an extension of the business environment, and therefore just a lateral move away from the same data and sensitive information. 

Prepare your employees this holiday season

The recent REvil attack that compromised over 1,000 US businesses took place on July 4th, timed perfectly for US Independence Day. This should be a warning and a wake-up signal for all digital businesses as we enter the holiday period. Unfortunately, while 89% of businesses are specifically concerned about a holiday-season cyberattack, 36% say they have no specific plan in place to prevent one.

This year, the threats are greater than ever before, due to heightened emotions and a distributed workforce. It’s, therefore, more important than ever that you empower your employees and show them that you want to help them to keep the business secure.

At CybeReady, we work with digital businesses to offer Security Awareness Training that provides immediate feedback to your employees, and continually tests 100% of your staff, no matter where they are based. We provide the metrics that you need as a business to feel confident that your security posture is improving, and that employees are learning to protect themselves and the business from the rising threat of phishing scams. Now that sounds like a Happy New Year!

Interested in getting insight into your employee risk levels as you enter 2022? Schedule a demo of our autonomous training platform, here.