Don’t get phished this holiday season

Phishing

The holiday season is approaching, and I would like to take this opportunity to discuss phishing, since the number of phishing attacks increases a lot during the holiday season. According to Zscaler, the number of phishing attacks increased by 400% from October to November this year as Black Friday and Cyber Monday approached.

Phishing, which is a type of social engineering, is based on exploiting people’s feelings. During shopping holidays like Black Friday and Cyber Monday, but also during Christmas, people are more vulnerable. Phishing campaigns are designed around the holiday. During shopping holidays, it is very common to see emails or texts that contain:

  • Fake Amazon Gift Cards.
  • Fake login portals to PayPal and other payment sites.
  • Scams related to other shopping or shipping companies like PostNord or DHL.

During other holidays like Christmas and Easter, greetings that include bad URLs are more common. It can, for example, be a Merry Christmas email with a link to a malicious site. It is also common to see emails where the sender wishes you a merry Christmas, tells you that they have donated money to charity, and says that you can click on the link to read more. When people get these kinds of emails and like what they read, they have already lowered their guard, and it’s much more likely that they will click on an unknown malicious link.

It’s crucial to always be vigilant and know how to distinguish phishing emails from legitimate ones, especially since 94% of all malware is delivered via email according to Verizon. I came across a poster from LogRhythm a few years ago with a top ten list for how to spot and handle a phishing email, and it’s still viable.

10 Things to Watch - LogRhythm

I recommend that you think about these tips when you get an email, and make sure to always keep your guard up when it comes to emails. If you want to read more about this topic, you can also read my earlier blog post, where I discussed link manipulation, VirusTotal, and the fact that Google released a great quiz where you can test your ability to identify phishing emails.

If you have any questions or want to know more, don’t hesitate to send me an email at rickard.carlsson@xenit.se or comment below.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.