It should come as no surprise that the holiday season inevitably means an increase in scams and financial fraud. Long gone are the years when we only needed to worry about theft as a result of home burglaries and car break-ins. We need to worry not only about leaving store purchases and gifts in plain view in our cars or homes, but also about our credit card information being transmitted in plain text via payment services, and about the ever-increasing threat of phishing and ecommerce scams targeting holiday shoppers.
With each passing year, more and more shoppers elect to stay home and make their purchases via the Internet. Consumers are accustomed to, and even expect, the deluge of emails announcing special financing, promotions, and sales. Who wouldn’t want to make their holiday purchases from the comfort of their home and still land an amazing deal on that TV they’ve been eyeing or gift cards for the persnickety people in their life?
But shoppers need to beware! Scammers know that come October most of us are already planning our shopping lists and our plan of attack to get the most bang for our buck. As such, phishing attacks targeting ecommerce, webmail/online services, and social media platforms spike at the end of the year.
As we referenced in our 2016 Phishing Trends & Intelligence Report, an analysis of phishing attacks throughout the year indicates phishing attacks surge during the holiday season. This trend is not new and has been consistently identified in previous years. Interestingly, industries that commonly occupy the top spots for targeted phishing attacks throughout most of the year, such as financial institutions and cloud storage/file hosting services, see a sudden drop in activity during the holiday season.
Domains Hosting Phishing Content Identified by Month in 2015.
During the holiday season in 2015 we saw significant increases in phishing attacks targeting social media websites (+80%), webmail services (+59%), and ecommerce companies (+41%). Conversely, attacks targeting cloud storage/file hosting services, which maintained a fairly static attack rate throughout the year, decreased 27 percent during the holiday season. Similarly, phishing attacks against the financial sector increased steadily throughout the year, culminating in the third quarter, and then abruptly dropped in November and December.
One possible explanation for the shift in targeting is that there may be a limited population of threat actors who spend much of the year targeting a variety of industries and then opportunistically shift their focus to other industries, such as ecommerce, during peak seasons such as the holiday season.
Holiday Season Phishing Industry Trends
With the plethora of techniques deployed by scammers growing increasingly creative and sophisticated, there is no shortage of attack vectors. Some things that holiday shoppers need to be aware of include, but are not limited to, the following:
- Suspicious emails warning that an account has been locked
- Offers or deals that seem too good to be true
- Untrusted sites offering hard-to-find items
- Gift cards sold on auction sites or discount sites, or offered in bulk
- Malicious mobile apps targeting holiday deals or games
As always, do your research. Scammers are counting on you to take the bait. If the deal is too good to be true, it probably is. You only have to make a mistake once, and your credit card data, login information, and personally identifiable information are in the hands of scammers. Phishing season is in full swing; don’t get caught.
If you're concerned that your employees may be susceptible to spear phishing attacks, feel free to request a free assessment from PhishLabs.