‘Tis the Season for Cyber Scams: Raising Awareness of Well-Timed Phishing Attacks
The holiday season is prime time for traveling and shopping. It is also prime time for especially creative phishing schemes.
Phishing schemes are a numbers game. It only takes one to get through and cause serious damage. According to an FBI report, in 2021 there were 847,376 reported complaints with potential losses exceeding $6.9 billion. This year these numbers are expected to grow even higher. Here’s why.
Phishing emails tend to fool us because they are sent within a specific context. That is, these types of cyberattacks are designed to catch us in situations when we are especially likely to believe the content of the email and click on the link provided.
For example, Joe travels only once or twice per year, and this holiday season he’s excited about visiting family members he hasn’t seen for a while. Joe schedules some extra vacation days, books a ticket, and is all ready to go. Then, on his way to the airport, he receives the following email:
Subject: Important Flight Information. Updated Departure Time.
Dear Joe,
Due to severe weather conditions, your flight is delayed.
We apologize for the inconvenience.
Please click here and follow our instructions.
Sincerely,
Customer Care at JetBlue
In a heartbeat, Joe clicks on the link, making this phishing email successful by catching him at a moment when he is vulnerable. Once he clicked on the link, Joe may inadvertently provide sensitive information or allow malware to be installed on his phone.
By contrast, if this phishing email had landed in Joe’s inbox when he was at the office and had no travel plans, he would immediately have suspected that he was the target of a phishing scam.
More than 3 billion phishing emails are sent every day. Moreover, recent massive cyberattacks resulted in the theft of significant data from large telecoms, banks, transportation companies, and government agencies. As a result, phishing attacks have become increasingly personal.
To protect ourselves and help security departments enjoy their holiday season a little more, it would be helpful to pay special attention to three types of schemes this holiday season.
Flight Status Notifications
Airlines send many emails with flight status notifications with messages such as: “It’s time to check in,” “Your flight receipt,” “Gate Change Announcements,” “Flight Delays,” “Flight Status,” “Important Flight Information,” and so on.
We naturally tend to respond quickly to flight status notifications because they often require immediate attention. But this is precisely why need to pause first and pay close attention before clicking on any links.
When receiving a flight status notification email, look for three things:
- Emails sent by an airline typically specify your flight number, date of travel, and/or destination in the subject line.
- A legitimate email from an airline will have your accurate flight information and feature the airline’s logo and colors. This type of email normally arrives no more than 72 hours prior to check-in. If you don’t see any of these details in the subject line or the main text of an email, be on high alert that this is probably a phishing scam.
- Pay special attention to any invitation to check in since these types of emails often contain links.
In any such emails, it is prudent to verify the sender’s address. To do so, just click on or hover over the sender’s name, and the address will be displayed. Make sure that it is from the airline. For example: if you receive a “Time to Check In” email from Delta, the sender should be [email protected].
Note that while the domain is “t.delta.com” rather than “delta.com,” this is the company’s authentic domain. If you’re unsure, you can verify the domain by comparing it with previous valid emails that you have received earlier from your airline.
Refund/Return Phishing Emails
A commonly seen email address is [email protected]. The online retail giant spoiled shoppers with the ease of getting a refund and changed vendors’ behavior worldwide in the process. As a result, more companies are offering generous return policies.
However, when shipping an item back, we tend to be a little too eager to receive the refund and, as a result, too ready to click on any link claiming to update the status of our order. Simply put, the shopping season is when shoppers are most likely to be targeted with refund schemes.
When getting a refund/item return email, check these aspects in particular:
- A refund or return email will contain the description of the exact item that you purchased or the order number, usually in the subject line. The email itself will normally contain a description of the item returned and the amount of the purchase. If you receive a return or refund email that does not contain this information, be on alert that you may be the target of phishing.
- Sometimes, you may not remember whether you ordered a certain item or shipped it back. A refund scheme email may tell you to “click here” for an order of an item that you don’t recognize. If this happens, be careful to double-check that the sender’s name and domain appear in the email and that they are spelled properly.
- A refund scheme may ask you to enter your credit card number to obtain your refund. This is a dead giveaway because legitimate vendors do not ask you to do so.
Holiday Voucher Emails
One of CybeReady’s most successful phishing simulations is taken the form of a voucher for a cup of coffee. This phishing attack is especially effective because it simply asks the recipient to click on the link to obtain the voucher—very straightforward.
Here’s an example:
Subject: Special offer for the opening of our new branch!
It’s no secret that businesses are offering more deals than ever for this time of the year. It’s also very easy for businesses to obtain customers’ email addresses. We know that our information circulates online, so why not get a free cup of coffee?
When getting a voucher email that you do not expect, here are two things to look for:
- Some vouchers may look like they were sent from a known vendor. You might find that “Starbucks” is misspelled as “Starubcks” or variations in the logo that are easy to miss. It is important to double check that the name is correctly spelled.
- If you are unfamiliar with the sender’s name, check their domain online first. Check for their legitimacy before accepting any voucher presents.
In any case, it’s always a good idea to pause before clicking on any links that you receive. That little breath before clicking is always a good idea, especially this holiday season.
Although it may take a minute or two to perform verification for the email prior to clicking on a link, it’s time well spent given the high costs of a possible hack. So, consider making it a habit never to click on a link when you’re in a rush. Just remember to look for the tell-tale signs, and you’ll be disappointing hackers worldwide.
Emma Butin is the Product Marketing Manager for CybeReady. She loves the challenge involved in helping people to form new habits quickly. Butin is proud to be a part of a team dedicated to educating people about cyber-attacks so that we can all face our common enemy together. Butin holds a BBA and a JD and is a lecturer on innovation. Previously, she was the founder of Kryon Systems (acquired by Nintex).
