Watch out for these Christmas phishing scams

The run-up to Christmas is often a quiet time for workers, as they put off starting new projects until the new year and count down the days until their holiday begins.

And with many employees continuing to work from home, there could be even more distractions. You might be tempted to do some online Christmas shopping or nip out to the shops to start stocking up on supplies.

But with these distractions comes the risk of falling for scams. It only takes one lapse in concentration to fall for a phishing email, so you and your organisation need to know what to look out for.

Fraudsters often use Christmas as a theme for their attacks, and in this blog we look at three types of message you should expect to receive.

Bogus order confirmation scam

The first campaign begins with an email replicating Amazon’s automated order confirmation email. It uses the same layout as those emails, with the greeting styled in a larger font and orange text, and accompanied by a graphic containing the order details.

The message contains other details to make it look believable, such as an invoice and invoice number, as well as a button to manage the order.

Meanwhile, the email is signed from the “AMAZ0N TEAM” with a zero instead of the letter O. Armorblox notes that this is a “simple but effective technique used by attackers to slip past any deterministic filters or blocklists that check for brand names being impersonated”.

A closer look at the email, however, reveals that something is amiss. For a start, the recipient should recognise that they didn’t make such a purchase – which in this case is a 77-inch television that costs almost $900 (about €730).

As soon as they see the purchase they’ve supposedly been charged for, they will likely take action. For some, this means clicking “View or manage order” – although this is a decoy: the button is simply an image file with no link behind it.

If anyone tries to click and realises this, it should be a huge red flag. However, it’s possible that they won’t think that clearly given the surprising nature of the email, or that they’ll go straight to the phone number provided.

This is the attackers’ goal. When you call the number, someone answers pretending to be from Amazon. They will ask for the order number, before probing for the person’s name and credit card details.

If the victim believes they’re talking to a genuine Amazon employee, they have no reason not to provide this information. They will only learn of their error when the attacker starts making purchases with their card details, by which point the damage has already been done.
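The two tells described above, a brand name spelled with a look-alike character to slip past exact-match brand filters, and a phone number offered where a working link should be, can both be checked mechanically on the way into a mailbox. The Python below is an added example written for this post; it is not Armorblox’s detection logic or anything from Amazon. The sample email, its phone number (the reserved 555-01xx range), the brand list and the confusable-character map are all constructed for illustration.

```python
"""Heuristic checks for the Amazon-themed 'call us' phishing emails described above.

Added example: the sample email, phone number and brand list are constructed,
not taken from the real campaign.
"""
import re
from html.parser import HTMLParser

# Constructed sample in the style of the bogus order confirmation (555-01xx is a
# reserved fictional range). It is NOT the real scam message.
SAMPLE_EMAIL_HTML = """
<html><body>
<h1 style="color:#e47911;font-size:22px">Hello, your order has been confirmed</h1>
<p>Invoice #INV-0000 for: 77" 4K Smart TV, total $899.99</p>
<p><img src="cid:order-button" alt="View or manage order"></p>
<p>Questions? Call customer care at +1 (800) 555-0199.</p>
<p>Thanks,<br>AMAZ0N TEAM</p>
</body></html>
"""

# Brands an impersonator might spell with look-alike characters (assumed list).
BRANDS = ("amazon", "paypal", "apple", "microsoft", "netflix")

# One-to-one map of common digit/symbol substitutes back to letters. Because
# every replacement is a single character, positions in the normalised text
# line up with the original, so a match can be traced back to what the
# recipient actually saw (e.g. "AMAZ0N").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"})

CTA_WORDS = re.compile(r"\b(view|manage|track|cancel|refund|verify|update)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def find_brand_mentions(text, brands=BRANDS):
    """Return (brand, original_spelling, used_confusables) for every brand hit.

    A deterministic filter that only looks for 'amazon' misses 'AMAZ0N'; here the
    text is normalised first, then the original spelling is recovered.
    """
    normalised = text.translate(CONFUSABLES)
    hits = []
    for brand in brands:
        for m in re.finditer(rf"\b{re.escape(brand)}\b", normalised, re.I):
            original = text[m.start():m.end()]
            hits.append((brand, original, original.lower() != brand))
    return hits


class EmailExtractor(HTMLParser):
    """Collect visible text, real hyperlinks, and 'button' images with no link."""

    def __init__(self):
        super().__init__()
        self.text_parts, self.links, self.unlinked_image_ctas = [], [], []
        self._anchor_depth = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchor_depth += 1
            if a.get("href"):
                self.links.append(a["href"])
        elif tag == "img":
            label = a.get("alt") or a.get("title") or ""
            # An image that reads like a button but is not wrapped in <a> is the
            # decoy button from the first campaign.
            if self._anchor_depth == 0 and CTA_WORDS.search(label):
                self.unlinked_image_ctas.append(label)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor_depth:
            self._anchor_depth -= 1

    def handle_data(self, data):
        self.text_parts.append(data)


def analyse_email(html):
    """Score one HTML email for the callback-phishing pattern."""
    parser = EmailExtractor()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.text_parts)

    phones = PHONE_RE.findall(text)
    mentions = find_brand_mentions(text)
    obfuscated = [shown for _, shown, used in mentions if used]
    web_links = [u for u in parser.links if u.lower().startswith(("http://", "https://"))]

    indicators = []
    if obfuscated:
        indicators.append("brand spelled with look-alike characters: " + ", ".join(obfuscated))
    if parser.unlinked_image_ctas:
        indicators.append("button image with no link: " + ", ".join(parser.unlinked_image_ctas))
    if phones and not web_links:
        indicators.append("phone number offered but nothing to click: callback phishing pattern")

    return {
        "phones": phones,
        "brand_mentions": mentions,
        "unlinked_image_ctas": parser.unlinked_image_ctas,
        "indicators": indicators,
        # Any single indicator has benign explanations; two together are
        # worth quarantining for review.
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    for line in analyse_email(SAMPLE_EMAIL_HTML)["indicators"]:
        print("-", line)
```

Run against the constructed sample this reports all three indicators and marks the message suspicious, while a plain confirmation that spells the brand normally and carries a real https link raises none. The threshold is deliberately set at two indicators: a legitimate plain-text receipt can contain a phone number and no links, and a newsletter can ship unlinked button graphics, so either alone is weak evidence. This is triage logic for a mail-flow rule or SOAR playbook, not a replacement for the gateway filters the email has evidently already passed.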

A delivery has supposedly been made

In the second campaign, the attackers email the victim claiming that Amazon has successfully delivered an item.

As with the first message, it closely replicates the layout of a genuine Amazon email and includes a phone number to call if you want to request a refund.

The recipient will presumably notice that no such delivery has been made and may assume either that the email relates to an order they’ve made that’s been delivered to the wrong address, or that they’ve been charged for a purchase they didn’t make.

Either way, the recipient will want to address the issue and is therefore likely to call the phone number provided.

Unlike the first scam, though, no one picked up the call – and a few hours later, the number appeared to have been taken down.

However, the researchers noted that the technique, rather than this particular outcome, is what should concern us. The scammers know the email is getting past email security systems, so they need only register a new telephone number and recreate the campaign.

Fake adverts in online marketplaces

Shoppers must always be careful when they turn to online marketplaces, such as social media trading pages and auction websites, because they are typically not subject to the same regulations as standard e-commerce sites.

If you’ve visited one of these sites before, you might be aware of the dangers of price gougers, who inflate prices for in-demand items that you can’t find in shops.

However, you should also be wary of sellers who have no intention of delivering the items once they’ve been paid for.

Because online marketplaces rarely require sellers to verify their identity, such scams are easy to carry out.

The criminal posts an advert on a new account, the sale goes through a third-party system, such as PayPal, and by the time the purchaser becomes suspicious that their package hasn’t arrived, it’s too late: the seller has closed their account and created a new one.

UK Finance says that people looking for game consoles, bicycles and clothing may be most susceptible to this scam – but it’s worth adding that any highly priced item could be used as bait.

Educate your employees on the risk of phishing

Millions of phishing emails are sent every day. Although they aren’t always as well crafted and carefully planned as these, they still wreak havoc.

Verizon’s 2021 Data Breach Investigations Report found that phishing was the most common form of cyber attack last year, with 43% of breaches involving scam emails.

It’s therefore essential that you protect your organisation and train employees on how to spot and respond to phishing emails.

Our Phishing Staff Awareness Training Programme contains all the guidance your team needs, ensuring that your last line of defence is as strong as possible.

The 45-minute course explains how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Our content is updated quarterly to include current examples of successful attacks and the latest trends that criminals use.
