The year’s jolliest season can also be the most dangerous. Cybercriminals don’t take holidays and are known to be more aggressive when people are thinking about Christmas, shopping, and eating.
Here’s Why ‘Tis The Most Vulnerable Time of The Year
In 2023, online holiday sales reached $222.1 billion in the US alone. The boost in sales around the holidays attracts threat actors who want to take advantage of the increase in online transactions. According to SIRP, ransomware attacks surged 30%, and phishing attacks increased 35% during the 2023 holiday season.
The spike in digital transactions and the rush to get things done create the perfect storm for cyberattacks. When people rush to finish the tasks on their long holiday to-do lists, it can be difficult to notice misspelled email addresses or weird characters in URLs. People also feel more generous this time of year, and cybercriminals exploit this willingness to share with fake charity campaigns.
Cybercriminals also know that most offices operate with a skeleton workforce during the holidays, especially around the Christmas break. As a result, IT teams are stretched thin, and experts may be on leave, making it take longer to respond to issues.
The 4 Most Common Holiday Season Cyberattacks
Here are the most common cyber threats that spike during the holiday period.
Holiday Phishing
Emails about fake promotions and those about a “special gift” mimicking popular brands abound during the holidays. These emails are peppered with URLs for pages that will harvest your PII (personally identifiable information).
Threat actors might also confuse you with an order confirmation email for something you did not buy and ask you to click a link to see details about the order. Also, be wary of that email with the year-end invoice attachment that uses an unusual file extension and many other types of holiday-focused mail fraud. It’s attempting to trick you into downloading a malicious file or sending money to a bogus bank account.
Typosquatting
Also known as URL hijacking, this is when cybercriminals register a common misspelling of an already established URL for a legitimate business. It becomes more effective this time of year as people are more distracted and often rush to get their shopping done, so they might misspell the URL or not bother to check the URL of the sites they visit. These bogus sites will steal payment information and other PII.
Christmas Smishing
That text message about a shipping update or those informing you that there was “an issue with your delivery” might be something you’d open right away if you recently ordered online, but it can be from someone who wants to steal your information. Authorities are warning against text scams that ask customers to “update delivery preferences” or schedule a “redelivery of a package” for a delayed delivery because of an incorrect address.
Holiday DDoS and Ransomware Attacks
Distributed denial-of-service (DDoS) is also common around this time of year. High traffic volume puts a strain on networks, and attackers take advantage by flooding the server with even more web traffic, making it unavailable to customers.
Some may be done by a competitor trying to shut down another business and drive more customers to their site. Others are by cybercriminals installing ransomware on servers, essentially taking the operations hostage to force the business to pay. It could cost the business millions and damage customers’ trust.
At other times, hackers have knocked gaming networks like Xbox Live offline on Christmas Day just to mess with people unwrapping shiny new consoles. Unfortunately, when a business is targeted with ransomware, there is little you can do.
How You Can Protect Yourself
The first thing you need to do is slow down and pay attention. Criminals will try to distract you because they know you are juggling multiple things around this time of the year. Check before you open emails, click links, and visit websites. Hovering over email links will help you see the URL at the bottom left of your browser before you click. If the email link doesn’t look right, don’t open the link. Next, check the characters in that URL. A misspelled company name or a weird character added in there might mean this is not the legitimate business site you want to transact with. Check the sender’s email address, too.
Before ordering from an online business, read reviews and check conversations in forums, as some victims will often post about their experience to warn others. Before giving your payment information, ensure the site is safe and legit. Furthermore, receiving order status updates not linked to a specific order or order number indicates a general smishing message sent to numerous people.
Finally, an urgent call to action or threatening language in an email or text urging you to click or call a number immediately creates a sense of urgency designed to make you act before you think. Double-check by calling the company directly.