It’s that time of year again when employees’ thoughts turn to their voluminous shopping lists. It is almost inevitable that employees will do some of their holiday shopping at work or while using work devices. They may also use their work email accounts for creating online accounts or corresponding with retailers. Plus, creating a plethora of new accounts or updated passwords means that password reuse and recycling risks will be high. Add in abundant phishing from myriad phishing scams that are targeted at businesses as well as consumers, and you’ll see why this isn’t the most wonderful time of the year for a company’s IT department.

The Better Business Bureau has released its annual “Naughty List” of shopping scams that are likely to ensnare consumers and several of the frauds on their list could also cause trouble for that consumer’s employer.

Alerts About Compromised Accounts  

This popular scheme ranks number four on the BBB list. In this scenario, bad actors claim that an account has been compromised. This scam is an equal opportunity danger to consumers and businesses. In this scenario, bad actors claim that an online account (Amazon, Paypal, and Netflix are popular), or bank account has been compromised. Victims receive an email, call, or text message that explains that there has been suspicious activity on one of their accounts and they must take immediate action. That action typically includes providing their account credentials to the bad guys.

Credential Compromise Through Recycling

In a new global study conducted by Morning Consult for IBM, researchers estimated that people worldwide created an average of 15 new online accounts per person in the last 12 months thanks to the global pandemic impeding shopping and entertainment, and 82% of those surveyed admitted that they had regularly reused the same passwords when creating new work and personal accounts.

Look-Alike Websites 

This is the season for epic fakery. Phishing emails with malicious links enclosed. Will be a common threat in inboxes this year. Brand impersonation is a heavy player in these attacks, with look-alike websites created by bad actors ready to lure employees into downloading malware, handing over credentials, or sharing private information.

Fake Charities 

An estimated 40% of all charitable donations are received during the last few weeks of the year as major holidays are celebrated around the world that inspires generosity. The global pandemic is still impacting in-person fundraising, spurring more online charity events. Fraudulent messages from charities can lure in the unwary, scoring personal information, financial data, and passwords from unwary donors.

Fake Shipping Notifications 

Shipping notifications are a phishing classic. With the pandemic still making it challenging for many people to shop in person, more consumers are making purchases online, creating more opportunities for bad actors. They’re quickly sending out phishing emails with links enclosed that lead to ransomware or malware as well as payment scams that can be a BEC risk.

Brand Impersonation 

Always a classic, this tactic is an element of other schemes as well as a standalone phishing risk. Microsoft is the world’s most impersonated brand for businesses. The Federal Trade Commission reports that one in three people who reported a business impersonator from July 2020 through June 2021 said the scammers claimed to be from Amazon and 6% claimed to be from Apple.

Invoice/ Payment Scams 

The busy holiday season and end-of-year scramble for businesses leave them wide open to the kind of social engineering that powers invoice/ payment scams. Holiday absences are a huge plus for the bad guys because it means that some people will be covering for others and the person filling in may not be familiar with a threat, making it easier for the bad guys to trick them into sending money.

How to Protect Your Business from Trouble?

Step Up Security Awareness Training  

In a UK study on companies running phishing simulations, researchers discovered that 40 – 60% of their employees are likely to open malicious links or attachments. However, after about 6 months of training, the percentage of employees who took the bait dropped 20% to 25% – and after 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%.

Watch for Compromised Credentials 

Over five billion sets of credentials and stolen bits of personally identifiable information are available on the Dark Web right now, creating extensive credential compromise risk for businesses.

Source: ID Agent