Most businesses may be winding down as the end of the year approaches, but there is one business in particular that thrives at this time of year. And calling it a ‘business’ is a bit of an overstatement, though the practice can be quite lucrative.
I’m talking about phishing.
It’s a subject that I talk about quite a lot – you may have noticed from the number of phishing articles on our blog. That’s because it’s something that happens so often, and yet no one ever expects it to happen to them.
Why Do People Keep Falling For Phishing Attacks?
Most people like to think that they’re pretty secure when it comes to their email habits. They’ve followed the rules for creating a strong password, they don’t fall for those Nigerian prince scams that were so popular in the ‘90s and are still somehow a thing. When they hear about people falling for phishing attacks, their minds immediately go to those, and they think to themselves, “How dumb can you be?!”
But the fact is that phishing attacks aren’t as obvious as you may think. Most often, they look completely legit. Attackers spend a good deal of time perfecting their messaging so that they can fool as many people as possible. And most of the time, phishing mails come from what seems like a reliable source. They could pose as a potential client attaching a purchase order. A phishing mail could come across as a colleague asking you to look over a document, or click on a link.
This is what makes phishing attacks so much more dangerous than spam. Attackers often use social engineering to specifically target their victims, making it far more likely that the person who receives their mail will open the attachment, click on the link, or respond, allowing them to install malware on devices, gain access to login credentials, or gain and abuse a victim’s trust.
Why Are Phishing Attacks So Prominent During The Festive Season?
What is it about December that makes phishing attackers come out in full force? Well, there are a couple of reasons behind it.
The wind-down towards year-end for businesses often sees an influx of emails coming in. Let’s say your company is closing shop on the 15th of December, as is the case for plenty of South African businesses. When you announce this to your client base, you’ll often get people putting in last-minute orders, wanting to ensure that they get what they need before you close for the year. When you’re having to go through hundreds of emails on a daily basis, it’s a lot easier for a phishing mail to slip through the cracks, leading to you clicking on a link that you would otherwise have realised was suspicious.
And it’s not just your business that is sending out year-end closure notifications. Each of your suppliers, your customers and your prospects may be sending out their year-end specials and closing dates as well, which offers phishing attackers a target-rich environment. All that they need to do is pose as a potential supplier, offering special deals that seem too good to miss out on, and suddenly they have tons of people clicking on their mails and installing their malware. Just think of how many Black Friday and Cyber Monday emails you received from seemingly legitimate businesses, and you’ll see what I mean.
What Does Festive Season Phishing Look Like?
As I mentioned earlier, phishing attacks don’t necessarily look suspicious, which is why they are so dangerous. But even looking through my own mailbox, I can see some similar patterns to the mails that I get at this time of year. Here are some of the subject lines that caught my eye as potentially being suspicious:
- A Family in need for Christmas
- Special Sale For Christmas!! Hurry up.
- End of Year Lottery
- Boost Your Take-Home Salary
- Festive deals you don’t want to miss
I’m not saying that these are phishing mails – some of them are from legitimate businesses that have contacted me. But these are examples of the kinds of subjects that you should be wary of, and may want to double check the legitimacy of before clicking on the links or attachments within them.
And you may be looking at these subjects, and wondering what exactly it is about them that puts me on edge.
First of all, urgency is a tactic that plenty of phishing attackers take advantage of. They want to offer a special that is too good to pass up, making it more likely that you’ll click that attachment or link without thinking it through. Of course, this is a general marketing tactic as well – urgency sells, which is why Black Friday is such a popular phenomenon. But whenever you see a subject line that tells you to “hurry up” or says that you “don’t want to miss” an opportunity, you should immediately check the sender.
Another tactic that attackers often use is the lure of money. This is why subject lines that offer an “end of year lottery” or a way to “boost your salary” should be double checked.
Finally, the end of year is an emotional time for many people, and seeing a mail about a family in need would naturally stir up those emotions, making you want to help. But when you see a mail that stirs up your emotions, particularly if it’s from a sender that you don’t recognise, you should ask yourself a few questions: Why are they contacting you, and where did they get your address?
Beyond the subject line itself, when I looked at a number of these mails, I noticed something exceptionally suspicious – the recipient for the mail wasn’t me. Now, plenty of companies send out their mails to multiple vendors, BCCing each of them so that their send list is hidden from each of the recipients. But it’s also something that phishing attackers do. Because they are often sending the same message to several guessed variations of an address at the same domain, it makes sense for them to hide the recipients, ensuring that no matter which address goes through, the person on the other end thinks that the mail was sent specifically to them.
5 Simple Steps That You Can Take To Protect Yourself (And Your Business) From Festive Season Phishing
I’ve gone through why phishing mails are more successful at this time of year, and what they may look like, but there’s one area that I haven’t addressed quite yet, and it’s important.
How can you stop them?
What can you do to make sure that you don’t fall victim to phishing mails, during the festive season and any other time of the year? Well, because phishing mails can be difficult to spot, and can look legitimate, it’s difficult to give a failproof answer. But there are steps that you can take to protect yourself.
1. Always Check The Subject
While the subject line isn’t always a good indicator, as I showed above, there are a few tactics that phishing attackers use that could make you feel uneasy if you were paying attention. Phrases that stress urgency, that play on your emotions and that sound too good to be true – like boosting your salary – should be taken with a pinch of salt. I’m not saying that all mails that stress urgency are phishing attempts – if that were the case, then marketers would all be criminals. But it should make you wary, and see you taking the further steps below.
2. Always Check The Sender
If a mail sounds too good to be true, or if it says that it’s coming from a colleague but something seems a little off, check the sender. And I’m not talking about their name – anyone can set the display name on an address to look legitimate. In the attempted social engineering attack that we experienced at the beginning of the year (more details in this blog), the emails said they were coming from Michael. Check the address itself. The mail from ‘Michael’ was a random Gmail address. So, check for spelling errors, look-alike or random domain names, or other slight anomalies that could indicate that the sender isn’t who they say they are. Bear in mind that the address shown can be forged as well, so a matching address is not proof on its own; treat it as a first filter, and when anything else about the mail is off, fall back on the follow-up in step 5.
3. Always Check The Recipients
As I mentioned above, you should always be a little dubious of mails that don’t list you as the recipient. Once again, it doesn’t guarantee that you are looking at a phishing mail, but it’s another sign that should put you on high alert. Be particularly wary if the mail doesn’t list you as a recipient, but is directed at you specifically. For example, an invoice, quotation or receipt should always be sent to your address. If it isn’t, it’s likely a phishing mail.
4. Always Think Before You Click
If you’ve received a mail with a slightly dodgy sounding subject, if the sender doesn’t seem quite right, or if you’re not listed under the recipients, and the mail you’ve just received is asking you to open a link or download an attachment, don’t. It’s better to be safe than sorry, and all it takes is one click of your mouse for malware to be installed on your machine. That’s why you should…
5. Always Follow Up If You’re Unsure
Pick up the phone and call the colleague who’s just sent you a mail. Phone the client who’s sent through the purchase order and just confirm that everything’s correct. You could even drop them a WhatsApp or a message on Microsoft Teams. The important thing is that if you are unsure whether the mail has actually come from the person it claims to be from, you check with them through a channel you already trust before taking any further action. And don’t check by replying to the mail. If the sender’s account has been compromised, or the address is one that the attacker set up, your reply goes straight to the attacker, who will happily confirm that everything is fine. It also tells them that your address is live and that you read what they send.
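The three header checks in steps 1 to 3 above, as an added example that is not part of the original post and not Solid Systems’ tooling: a Python script that uses the standard library’s email parser to surface the same signals from a raw message. The contact list, the trusted domains, the keyword lists and the three sample messages are constructed for the demonstration; the Levenshtein distance used to catch look-alike domains is a general technique, not something the article describes.

```python
"""Header-level triage for a suspicious mail: subject, sender, recipients.

Added example, not Solid Systems' tooling. Reference data and the sample
messages below are constructed for the demonstration.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Subject-line hooks the article calls out: urgency, money, emotion.
URGENCY_TERMS = ("hurry", "don't want to miss", "last chance", "urgent", "act now")
MONEY_TERMS = ("lottery", "salary", "prize", "bonus", "winner", "refund")
EMOTION_TERMS = ("family in need", "donate", "charity")
# Documents that should always be addressed to you personally.
ADDRESSED_DOCS = ("invoice", "quotation", "quote", "receipt", "purchase order")

# Constructed reference data: who you know, and which domains you deal with.
MY_ADDRESS = "jane@example.co.za"
KNOWN_CONTACTS = {"michael": "michael@example.co.za"}   # display name -> address on file
TRUSTED_DOMAINS = {"example.co.za", "bigclient.co.za"}


def edit_distance(a, b):
    """Levenshtein distance; a trusted domain one or two edits away is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw, my_address, known_contacts, trusted_domains):
    """Return human-readable findings for one raw RFC 5322 message (bytes).

    The findings are prompts for the manual checks in the article, not a verdict:
    a legitimate marketing mail can trip the subject check, and an empty result
    proves nothing, because every header is under the sender's control.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Step 1: subject wording (normalise curly apostrophes before matching).
    subject = (msg["Subject"] or "").lower().replace("\u2019", "'")
    for label, terms in (("urgency", URGENCY_TERMS), ("money lure", MONEY_TERMS),
                         ("emotional appeal", EMOTION_TERMS)):
        hits = [t for t in terms if t in subject]
        if hits:
            findings.append(f"subject uses {label} wording: {', '.join(hits)}")

    # Step 2: the address behind the display name, and the domain it belongs to.
    name, addr = parseaddr(msg["From"] or "")
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    on_file = known_contacts.get(name.strip().lower())
    if on_file and on_file.lower() != addr:
        findings.append(f"display name '{name}' is on file as {on_file} but mail came from {addr}")
    if domain and domain not in trusted_domains:
        lookalike = [d for d in trusted_domains if edit_distance(domain, d) <= 2]
        if lookalike:
            findings.append(f"sender domain {domain} looks like {lookalike[0]} but is not it")
        else:
            findings.append(f"sender domain {domain} is not one you normally deal with")

    # Step 3: are you actually in To/Cc, or were you BCC'd / address-guessed?
    listed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in listed:
        note = "you are not a listed recipient"
        if any(doc in subject for doc in ADDRESSED_DOCS):
            note += ", yet the subject claims a document that should be addressed to you"
        findings.append(note)
    return findings


# Constructed sample messages (raw bytes, as a mail client or gateway sees them).
SUSPICIOUS = b"""From: Michael <michael.business2024@gmail.com>
To: info@example.co.za
Subject: Invoice attached - hurry up, last chance before year end

Please see the attached invoice and pay before we close.
"""
LOOKALIKE = b"""From: Bigclient Accounts <accounts@bigcilent.co.za>
To: jane@example.co.za
Subject: Festive deals you don't want to miss

Open the attached price list.
"""
LEGIT = b"""From: Michael <michael@example.co.za>
To: jane@example.co.za
Subject: Draft proposal for review

Can you look over this before Friday?
"""

if __name__ == "__main__":
    for label, raw in (("SUSPICIOUS", SUSPICIOUS), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(label, triage(raw, MY_ADDRESS, KNOWN_CONTACTS, TRUSTED_DOMAINS) or ["no header findings"])
```

Run as a script it prints the findings for each sample: the ‘Michael’ mail trips all three checks (urgent wording, a known name on an unknown Gmail address, and a recipient list that doesn’t include you even though the subject promises an invoice), the look-alike domain is caught by the edit-distance comparison, and the genuine colleague’s mail produces nothing. As the docstring says, nothing here proves a mail is safe: the From header is attacker-controlled unless your mail gateway enforces SPF, DKIM and DMARC, which is why step 5 still applies.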
Looking for more tips to prevent phishing attacks? Check out this blog on How To Prevent Phishing in 6 Simple Steps.
How Can Solid Systems Help?
As a Managed IT Services provider, our job is to keep you and your company safe. We do this by implementing world-class security solutions, by helping you with identity and access management, by putting best practices like multi-factor authentication in place for all of your users, and through email security training. Don’t wait until after the festive season is over – get in touch with us today to learn more about our managed IT services and our cybersecurity solutions.