We're in the thick of online holiday shopping season, but if you're not an e-commerce business, you might not see why that's relevant to your company in terms of internet security.
The fact is, regardless of what your company sells, holiday shopping season provides an ideal opportunity for hackers to scam their way into your employees' (and company's) bank accounts and sensitive data. In the midst of the holiday hustle and celebration, it's crucial to stay vigilant against fraudulent activities that your employees may be susceptible to.
Here are some of the top holiday shopping scams to be on the alert for this season.
1. The CEO gift card scam
Your staff members are likely used to getting requests to make purchases. Sometimes, you might be in a meeting and ask your assistant to book you a flight or purchase gifts for clients. Scam artists take advantage of this type of relationship by hacking or spoofing CEOs' and senior managers' emails and asking employees to make large purchases. For instance, one Vancouver government agency worker was the victim of a scam in which she was asked to purchase $500 in iTunes gift cards on behalf of her boss. She soon discovered that her boss had never made the request and someone had hacked the boss's email.
How to avoid it: This type of scam may come in different forms, but it is often focused on getting a more junior employee to purchase something of value, supposedly on a senior manager's request, and often on short notice.
To ensure your staff doesn't fall victim to this scam, remind them to always:
- Verbally confirm the request, either in person or via a phone call.
- Avoid responding to any email they are suspicious of, as the account may have been compromised.
- Ask themselves if they are expecting this type of message; in other words, is it outside the norm of what their boss or manager would ask? Encourage employees to question the authenticity of these types of emails.
2. The fake delivery attempt
A common email phishing scam that's especially easy to fall for around the holidays is the "Where's my package?" scam. In this type of phishing attack, a hacker sends an individual a link to track a package. When the user goes to the page, it can download malicious software, including ransomware. If one of your employees falls for this attack while using a work computer, it could infect your entire network with ransomware or other computer viruses.
How to avoid it: Let your employees know about this type of scam in your next company meeting, so they're aware that it could target them.
Ask your employees to follow these guidelines for interacting with a shipping-related email, whether or not they are expecting a package:
- Don't click on any links in such emails. Instead, navigate to the shipping company's official website and manually copy and paste the tracking number from the email into the shipping company's track package search feature.
- Call the carrier (e.g., FedEx or UPS) directly to verify if an email is authentic and to report any fraudulent activities.
3. The deep discount scam
Starting around Black Friday, scam artists often take advantage of shoppers' desire to score a great deal on their holiday shopping. For instance, they might create a website offering something like 50 percent off regular pricing for a short time. Or they might place a malicious shopping app in the App store that will push malware to your phone or tablet.
A RiskIQ analysis found that more than 5.5 percent of apps that included terms like "Black Friday" or "Cyber Monday" were malicious apps that featured credit card skimmers, malware or ransomware, so the risk is very real to your employees and to your business if the malware makes it to your company devices.
How to avoid it: If something seems too good to be true, it probably is. Make employees aware of the scam and ask them to:
- Avoid downloading any shopping apps to their company smartphones.
- When receiving an email from a company about a holiday deal, navigate to the company's website directly rather than clicking on an email link.
- Inspect email domains carefully: If something is coming from apple.co rather than apple.com, for instance, it's probably not legit.
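The domain check in the last bullet can also be automated at the mail gateway or in a triage script. The sketch below is an added example, not something from a vendor or from the sources cited here; the trusted-domain list, the function names, and the sample headers are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains your organization actually does business with.
TRUSTED = {"apple.com", "fedex.com", "ups.com"}

def edit_distance(a, b):
    """Levenshtein distance using a rolling one-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the real address in a From: header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def classify(from_header, trusted=TRUSTED, max_distance=1):
    """Return 'trusted', 'lookalike', 'unknown' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Exact match, or a genuine subdomain such as mail.apple.com.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # Trusted name embedded in someone else's domain (apple.com.example).
        if domain.startswith(t + ".") or "." + t + "." in domain:
            return "lookalike"
        # A near miss such as apple.co: one character away from apple.com.
        if edit_distance(domain, t) <= max_distance:
            return "lookalike"
    return "unknown"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Apple Store Deals" <deals@apple.co>',
    '"FedEx Tracking" <track@fedex.com.parcel-status.example>',
    'Receipts <no-reply@mail.apple.com>',
    'Newsletter <news@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):10}  {header}")
```

A result of "unknown" only means the domain does not resemble a trusted one, not that the message is safe, and short names such as ups.com will occasionally match unrelated legitimate domains, so treat "lookalike" as a prompt for review rather than a verdict.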
Other red flags for common scams
Scam artists are creative, and they come up with new tricks all the time. The most important way to keep your company and data secure is to train your team on the basics of cybersecurity awareness. For instance, phishing emails tend to have some or all of these elements in common:
- Unexpected requests
- A tone of urgency or panic
- Spelling or grammar mistakes
- Suspicious, spoofed, or misspelled email addresses or websites
It's also important to ask your employees to use caution when an email asks them to complete any action, such as:
- Fill in a form
- Click on a link to a website
- Open a file or attachment
- Make a financial transaction, such as pay an invoice or make a purchase
- Reply with confidential information
When employees are asked to complete any of these actions, have them verify the request verbally with a co-worker or manager if a request, link or invitation from a co-worker or business contact doesn't seem typical or ordinary.
It's easy to get caught up in excitement around the holiday season, but by taking the time to review common scams and cybersecurity best practices with your team, you can stave off scams and keep the season merry and bright for your company.