Email Threats to Watch Out for During the Holidays
While the holiday season is generally viewed as a time of celebration and goodwill, to threat actors, it represents an opportunity to exploit season-specific circumstances that can help make their attacks more successful.
It’s not that cybercriminals wait until the holidays to launch brand-new attacks with novel strategies. Rather, threat actors leverage the holiday context and inject seasonal themes into their usual attacks with the goal of giving the messages just enough legitimacy to trick employees who are laser-focused on clearing out their inboxes.
To help reduce your risk this holiday season, here are a few email threats to watch out for.
BEC Attacks with a Holiday Twist
Gift card business email compromise (BEC) attacks are common throughout the year, but during the holidays, we see a noticeable increase in the frequency of these campaigns. Why? Because threat actors recognize that an executive emailing an employee a request to purchase gift cards makes much more sense in November or December than it does in July.
That additional context can often be enough, but most attackers (like the one in the example below) will also include some mention of the holidays or Christmas to add the tiniest bit more relevancy.
Threat actors also take advantage of patterns of behavior and situations that are generally more prevalent as the end of the year approaches.
For example, it’s not uncommon for accounts receivable departments to come across unpaid invoices as they’re closing the books for the year. Accordingly, it’s not unusual for an employee to receive an urgent message from a vendor requesting immediate payment for an outstanding invoice. This is why it’s especially important during the holidays to watch out for invoice and payment fraud.
Similarly, charity drives and donations tend to ramp up during the holidays. Again, threat actors exploit this fact and send emails like the one below.
As with the gift card scams, this attack is something we’d expect to see at other times during the year. However, it takes no time at all for an attacker to add “Christmas” throughout the message, and, once more, that can be enough to convince a target that the offer is legitimate.
Consumer-Focused Phishing Attacks
Although an employee is less likely to use their professional email address for personal matters, it certainly isn’t outside the realm of possibility. For example, if an employee wants to keep a Christmas present a surprise from their spouse who also has access to their personal email account, they may complete the purchase using their work email address.
So while there’s a greater chance of an employee being targeted by gift card scams and other BEC attacks, your workforce should still be aware of other tactics threat actors may use.
One common holiday-themed phishing tactic is to send fake shipping notifications or e-cards with a link to track the package or view the e-card. These messages often appear to come from a real company, such as a major retailer or delivery service, and may use legitimate-looking email addresses and web addresses to make their messages seem more authentic.
However, clicking on the link leads to a phishing website that is designed to steal personal information. The website may also look authentic, with the company's logo and branding, and will ask the employee to enter their login details or other sensitive information. Once the target has entered this information, the attackers can use it to access the employee’s accounts and steal sensitive data.
Phishing attacks can be difficult to detect, as the attackers often use sophisticated tactics to make their messages and websites appear legitimate. They may also use social engineering techniques to trick the user into believing the message is genuine, such as by using the target’s name, referencing a recent purchase, or mentioning a mutual acquaintance.
How to Protect Your Employees and Your Organization
An important step you can take to protect against holiday-themed email threats is to educate your employees about the tactics used by attackers. By understanding how BEC and phishing attacks work and what to look for, employees can be better prepared to spot a fake email or website and avoid falling victim to a scam.
Remind employees to be cautious when opening emails and clicking on links, especially if they appear to be from a company or person the employee doesn't know. They should always verify the sender's identity before responding to an email or providing any personal information. And if they receive an email from a company or individual that they're not expecting, they should contact the sender directly using a known email address or phone number to verify the authenticity of the message.
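The traits this article describes (an executive's name on an unfamiliar address, a gift card, invoice or donation request, and urgency) can be turned into a simple triage check that tells an employee or analyst when to verify out of band. This is an added example, not code from the original article or any vendor product; the organization domain, the executive name, the keyword lists and both sample messages are constructed assumptions, and the Reply-To comparison is a common extra signal the article does not mention.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: your own domain and executive display names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}  # hypothetical executive
LURES = re.compile(r"gift\s*cards?|outstanding invoice|overdue invoice|donat", re.I)
URGENCY = re.compile(r"urgent|immediately|right away|asap|today", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons a message deserves out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Concatenate leaf parts; adequate for the plain-text samples below.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = []
    if name.lower() in EXECUTIVES and domain(addr) != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    if reply_to and domain(reply_to) != domain(addr):
        reasons.append("reply-to domain differs from sender")
    if LURES.search(text):
        reasons.append("gift card, invoice or donation request")
    if URGENCY.search(text):
        reasons.append("urgency language")
    return reasons

# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Dana Reyes <dana.reyes.ceo@mail.example.net>
Reply-To: dreyes@inbox.example.org
To: sam@example.com
Subject: Quick favor before Christmas

Are you at your desk? I need you to buy gift cards for the team today.
Send me the codes right away.
"""
SAMPLE_OK = """From: Dana Reyes <dana.reyes@example.com>
To: sam@example.com
Subject: Holiday office hours

The office closes at noon on December 24.
"""

if __name__ == "__main__":
    for label, raw in (("BEC sample", SAMPLE_BEC), ("benign sample", SAMPLE_OK)):
        print(label, "->", triage(raw) or "no flags")
```

Keyword heuristics like these produce false positives and miss reworded lures, so treat a hit as a prompt to verify through a known phone number or address rather than as a verdict.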
Most importantly, reduce how often employees have to determine the legitimacy of an email in the first place by blocking these messages before an employee can engage with them. An email security solution that uses behavioral AI can detect and remediate attacks before they ever reach an employee’s inbox.
Staying Safe this Holiday Season
During the holidays, employees tend to be busier, more distracted, and inundated with email, which means they may not be paying as much attention to each message as they normally would. Threat actors know this and will do their best to capitalize on it.
However, by being aware of the tactics used by attackers and taking appropriate precautions, you can help protect your workforce and your organization from falling victim to these scams and enjoy a safe and happy holiday season.