Strengthen business defenses ahead of increased holiday cybercrime

Entering the holiday season, businesses are preparing for their busiest and most profitable time of year with Black Friday and Cyber Monday sales as well as holiday shopping deals and vacation bookings on the horizon. At the same time, cybercriminals are readying their efforts to take advantage of increased online spending and decreased vigilance.

In recent years, holiday periods have seen significant spikes in cybercriminal activity and online fraud.

According to an Anti-Phishing Working Group (APWG) report, this number of phishing attacks was a new record at the time, and the worst quarter for phishing that the company has ever seen.

APWG Secretary General Peter Cassidy commented saying, “The dawn of AI crime is upon us, even before we’ve gotten a grip on conventional phishing. Today, we face robot felons who learn on the job, 24 hours a day, on behalf of their felonious masters.”

During this period there was also a 550% increase in the number of unique tactics, techniques, and procedures used by attackers, increasing from an estimated 2 000 in June to a startling 11 000 at the end of 2022.

Last year, 27.7% of global phishing attacks in the fourth quarter targeted financial institutions. Also high on the hitlist were SaaS and webmail providers, and delivery services. Retailers are also urged to enhance their cybersecurity to protect customers during the busiest shopping season of the year. It seems that no industry is safe from becoming a target of holiday season cybercrime.

There are a few contributing factors including that people are more relaxed and focused on the upcoming break – increasing the likelihood of a phishing attack’s success – as well as the large volume of online payments being made.

Global e-commerce sales during the 2022 holiday season were projected to hit $5.5 trillion and in 2023, the e-commerce market is expected to reach $6.3 trillion in sales.

This holiday period, with its increased digital credit card transactions and decreased awareness, presents the perfect combination of surging online activity and vulnerable targets for cybercriminals.

From phishing to fake hotel booking websites and credential harvesting, cybercrooks use various tactics to defraud unsuspecting shoppers and organizations during the holiday season. Here are a few ways they do this:

1. Supercharged phishing and fake websites
   Cybercriminals can fraudulently use brand names to steal sensitive customer data. A recent article from Bleeping Computer reported that hackers compromised Booking.com using info-stealing malware.

Once they gained access to the online booking platform, they were able to reach out to customers using phishing messages or emails that redirected users to a fake website with the aim of stealing their card information. Since these messages came from within the booking site’s platform, customers had no reason to doubt that they were legitimate.

The emergence of malicious AI has also contributed to increasingly sophisticated and believable spear-phishing emails that imitate trusted senders.
2. Ransomware
   Security Magazine reports that ransomware usage has surged more than 30% over holiday periods in recent years.

A ransomware attack on cloud computing company Rackspace in December 2022 saw thousands of users’ email services interrupted and the records of just as many businesses exposed. It’s believed that the incident involved the exploitation of vulnerabilities in Rackspace’s hosted Microsoft Exchange service. The company stated that the attack could result in lost revenue for its hosted Exchange business as well as additional costs to mitigate its effects.
3. Data Breaches
   In October 2022, Zoetop Business Company, owner of e-commerce giants Shein and ROMWE was fined $1.9 million by the state of New York after it neglected to disclose a data breach that affected 39 million customers.

In the same month, malicious carding marketplace BidenCash released the stolen details of 1.2 million credit cards for free on the Dark Web. Cybersecurity experts believe this was an attempt at advertising the sinister sales platform.

The above examples of holiday season cybercrime highlight several ways that companies and their customers can be affected if combative steps aren’t taken. For businesses, these damages can include:

• Financial loss
• Reputational damage
• Decreased customer trust
• Intellectual property theft
• Legal action

To protect your organization and your customers during the holiday period – and throughout the year – it’s important to be proactive about cybersecurity. Below, we look at ways for your business to do this.

1. Evaluate vulnerability

   Many businesses aren’t aware of cybersecurity vulnerabilities until it’s too late. Taking time to check things like your domain safety score can help you take stock of your risk before acting to mitigate it.
2. Keep customers and employees informed

   Remind employees, customers, and other stakeholders of warning signs to look out for in texts, emails and even phone interactions. Things like urgent calls to action and bad spelling and grammar are some of the warning signs that can expose a phishing attempt.
3. Implement additional security measures

   Stay ahead of sneaky phishers and ensure that your email domains are safe from impersonation with additional security layers like Domain-based Message Authentication, Reporting and Conformance (DMARC). This technology ensures that every email received from your business is the real thing.

Once your domain is DMARC-compliant you can implement BIMI, another authentication standard that allows for the display of your business logo next to emails in inboxes. In addition to its security benefits, BIMI maximizes email impact, improves delivery, and increases brand recognition and trust.
4. Leverage expert assistance

   Recruiting a DMARC expert like Sendmarc ensures that you don’t leave your business and its stakeholders vulnerable to email-based threats these holidays.

With Sendmarc, your organization can quickly and seamlessly implement email authentication standards to combat brand impersonation, email fraud as well as phishing and spoofing attacks.

If you’d like to read more on top cyberthreats and how your company can defend against them, download our Cybersecurity Awareness Guide, or get in touch to find out how we can help secure your business and customer data during the holiday period.