The holiday season means different things to different people. For many criminals and scammers, it’s another opportunity to steal money from unsuspecting users.
US-CERT recently sent an alert related to holiday phishing scams and malware campaigns.
US-CERT reminds users to remain vigilant when browsing or shopping online this holiday season. Ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver infected attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes.
To avoid seasonal campaigns that could result in security breaches, identity theft, or financial loss, users are encouraged to take the following actions:
- Avoid following unsolicited links or downloading attachments from unknown sources.
- Refer to these security tips to learn more about Shopping Safely Online and Avoiding Social Engineering and Phishing Attacks.
- Read the Federal Trade Commission’s blog on Don’t let scammers take away your holiday cheer.
- Visit the Federal Trade Commission’s Consumer Information page on Charity Scams.
If you believe you are a victim of a holiday phishing scam or malware campaign, consider the following actions:
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3).
- Report the attack to the police and file a report with the Federal Trade Commission.
- Contact your financial institution immediately and close any accounts that may have been compromised. Watch for any suspicious charges to your account.
- Immediately change any passwords you might have revealed and do not use that password in the future. Avoid reusing passwords on multiple sites.
Watch Out for Fraudulent Ecards
Many Ecards are legitimate. However, because they are, criminals and scammers also use them to send malware. Scambusters.org has some good advice on spotting fake ecards. Here are a few telltale signs of a fake ecard that they list on their site.
- Spelling mistakes — e.g. congratulation! Or your name is misspelled.
- Errors in the message — e.g. it says you sent a card, not received one.
- The sender isn’t someone you know.
- The sender has a bogus name (Joe Cool, Agatha Tragonawar, Card Sender, Secret Admirer, etc.).
- A URL that appears odd — e.g. www.http:// rather than http://www.
You Only Need to Make One Mistake
Criminals and scammers send out more than four billion emails with malicious attachments every day. That’s 2.3% of 205 billion emails sent out daily.
Note that this doesn’t count phishing, spear phishing, and whaling emails that have links to driveby download sites.
Of course, everyone doesn’t fall for these scams. However, if you do just once, you may find all of your data locked up until you pay a hefty ransom.
Worse, if an employee in your organization falls for one of these scams, your entire organization may be held hostage.
This is one of the reasons that so many organizations value employees with a security certification such as the Security+. Knowledgeable employees are less likely to fall for the scams.
In contrast, uneducated employees don’t realize how much damage they can do to an entire organization by making a single mistake.
As an example, consider the Hollywood Presbyterian hospital. A single employee clicked a malicious link. The malware installed itself on this employee’s machine and then spread itself throughout the network. Eventually, the malware encrypted a significant amount of data and criminals demanded a ransom to unlock this medical data.
Criminals demanded $3.4 million, but the hospital reportedly paid about $17,000 to gain access to much of their data. From another perspective, employees had to work for more than a week without traditional computer access.
Again, this is because a single employee didn’t understand the dangers of malicious email.