Holiday Shopping Scams Can Damage Business Security

Unwelcome Surprises Await Around Every Corner

---

It’s that time of year again, when employees’ thoughts turn to their voluminous shopping lists. It is almost inevitable that employees will do some of their holiday shopping at work or while using work devices. They may also use their work email accounts for creating online accounts or corresponding with retailers. Plus, creating a plethora of new accounts or updated passwords means that password reuse and recycling risk will be high. Add in abundant phishing from myriad phishing scams that are targeted at businesses as well as consumers, and you’ll see why this isn’t the most wonderful time of the year for a company’s IT department. 

---

---

These Scams Will Be Prominent in the 2021 Holiday Season

---

The Better Business Bureau has released its annual “Naughty List” of shopping scams that are likely to ensnare consumers and several of the frauds on their list could also cause trouble for that consumer’s employer. 

Alerts About Compromised Accounts  

This popular scheme ranks number four on the BBB list. In this scenario, bad actors claim that an account has been compromised. This scam is an equal opportunity danger to consumers and businesses. In this scenario, bad actors claim that an online account (Amazon, Paypal, and Netflix are popular), or bank account has been compromised. Victims receive an email, call, or text message that explains that there has been suspicious activity on one of their accounts and they must take immediate action. That action typically includes providing their account credentials to the bad guys. 

Credential Compromise Through Recycling  

In a new global study conducted by Morning Consult for IBM, researchers estimated that people worldwide created an average of 15 new online accounts per person in the last 12 months thanks to the global pandemic impeding shopping and entertainment and 82% of those surveyed admitted that they had regularly reused the same passwords when creating new work and personal accounts.  

Look-Alike Websites 

Tis the season for epic fakery. Phishing emails with malicious links enclosed. Will be a common threat in inboxes this year. Brand impersonation is a heavy player in these attacks, with look-alike websites created by bad actors ready to lure employees into downloading malware, handing over credentials or sharing private information.  

---

---

Fake Charities 

 An estimated 40% of all charitable donations are received during the last few weeks of the year as major holidays are celebrated around the world that inspire generosity. The global pandemic is still impacting in-person fundraising, spurring more online charity events. Fraudulent messages from charities can lure in the unwary, scoring personal information, financial data and passwords from unwary donors.   

---

Don’t let scamming Grinches keep you from giving to charity! Verify a charity’s at BBB’s give.org on the Canada Revenue Agency website or through the non-profit Charity Navigator.

---

Fake Shipping Notifications 

 Shipping notifications are a phishing classic. With the pandemic still making it challenging for many people to shop in person, more consumers are making purchases online, creating more opportunities for bad actors. They’re quickly sending out phishing emails with links enclosed that lead to ransomware or malware as well as payment scams that can be a BEC risk.  

Brand Impersonation 

Always a classic, this tactic is an element of other schemes as well as a standalone phishing risk. Microsoft is the world’s most impersonated brand for businesses. The Federal Trade Commission reports that one in three people who reported a business impersonator from July 2020 through June 2021 said the scammers claimed to be from Amazon and 6% claimed to be from Apple. 

Invoice/ Payment Scams 

The busy holiday season and end-of-year scramble for businesses leaves them wide open to the kind of social engineering that powers invoice/ payment scams. Holiday absences are a huge plus for the bad guys because it means that some people will be covering for others and the person filling in may not be familiar with a threat, making it easier for the bad guys to trick them into sending money.  

---

---

How to Protect Your Business from Trouble 

---

Step Up Security Awareness Training  

In a UK study on companies running phishing simulations, researchers discovered that 40 – 60% of employees are likely to open malicious links or attachments. However, after about 6 months of training, the percentage of employees who took the bait dropped 20% to 25% – and after 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%. A solution like BullPhish ID empowers companies to choose either expert-crafted plug-and-play security awareness training campaigns or fully customized lessons to fit their unique industry needs.   

Watch for Compromised Credentials 

Over five billion sets of credentials and stolen bits of personally identifiable information are available on the Dark Web right now, creating extensive credential compromise risk for businesses. Dark Web ID enables you to get a clear picture of your company’s credential compromise threats from dark web sources. Our 24/7/365 always-on monitoring alerts businesses to credentials appearing on the dark web that may have been stolen or phished to mitigate the risk of bad actors using a stolen password to gain access to your systems and data. Automated alerts and reporting means that your team doesn’t need to spend time staring at a dashboard or pulling reports.   

---

---

---

---