It’s the most wonderful time of the year … for cyber scammers and hackers hoping to take advantage of companies when their guard is down for the holidays.
Every year, there’s a surge in phishing attacks and social engineering scams throughout the festive holiday period.
“It’s almost become a bit of a holiday tradition for bad actors,” said Nick Economidis, vice president, eRisk, Crum & Forster, who added that fraudsters take their chances when offices are short-staffed, people are away on vacation, and attention is drawn to more pleasant festivities.
“The holidays give bad actors a whole new set of schemes; they have new reasons to send phishing emails and new ways to entice people to click on malicious links or download malware-filled files,” Economidis told Insurance Business. “I saw a phishing email the other day, which said: ‘We’ve got a holiday gift for you. We just need your address so we can send it through. Follow this link to give us your details.’ And if an employee clicks on that link, the bad actors are going to try to plant some malware in their system.”
Phishing emails often go hand in hand with social engineering scams because fraudsters use phishing tactics to source their victims’ credentials. Any email that seems out of the ordinary – asking you to log on to a website out of the blue, or to insert personal information and a password to receive something – should be flagged as potentially fraudulent.
“Corporate entities should be practicing the same cyber risk management throughout the holidays as they do at any other time,” said Economidis. “For example, they should be running an end-point detection and response tool, and they should require multi-factor authentication (MFA) for all remote access. It’s all basic blocking and tackling.
“The thing that can really help prevent these schemes from being successful is greater user awareness. While companies have their skeleton staff deployed for the holidays, it’s important to remind everybody that these types of phishing scams and social engineering scams are going to happen. That reminder can have a huge impact. So, now’s a great time for insurance brokers to send a holiday message to their clients to remind them to be vigilant.”
For companies that do fall victim to a social engineering scam, it’s important to act quickly because “time is of the essence,” especially if the scam results in funds transfer fraud, Economidis stressed. Most major cyber insurers offer crisis management support and claims services 24/7 and 365 days a year, and Economidis encouraged companies to use those services if they get hit over the holidays.
“I know we’re going to get a phone call on Christmas Eve, and then we always get another one on the day after Christmas. That Boxing Day call is always particularly tragic because they’ve clearly been stressed about the incident over the holiday. They were just waiting for 8am on December 26 to call us and try to get some help,” said Economidis. “Sometimes people forget that we’ve got somebody available to help 24/7, 365 days a year. They could have called us and had a much more relaxing holiday.
“The other thing they should do, if they’re victims of funds transfer fraud via social engineering, is contact the FBI as soon as possible. The FBI has become very good at clawing funds back, and they have some great tools in place, but time is of the essence. If a person decides to go home for the Christmas break and forget about a problem until the morning of December 26, then it may be too late to successfully retrieve their funds.”