As we enter the festive season, and more and more of us go online to do some last-minute Christmas shopping, cyber-criminals will be working harder than Santa’s elves to deploy their scams and hoaxes.
On top of that, Christmas is also the time many of us receive brand new devices as gifts which need setting up for the first time.
It therefore really does pay to be extra vigilant when it comes to emails, text messages, phone calls and those too-good-to-be-true special offers throughout the Christmas and New Year period.
If you don’t know what ‘phishing’ is, it’s a deceptive tactic in which an email is sent in an attempt to dupe the recipient into acting on a fraudulent message. The action may be clicking on a link, downloading an attachment, calling a helpline number or replying with personal details.
Phishing works by convincing the victim that the email is from a reputable source: for example, a government department, a supplier, a colleague or a customer. While phishing scams go on all year round, they tend to increase over the festive period, when everyone’s guard is down and many people have new devices they are not yet familiar with.
With the busiest retail season underway (albeit a very strange one), and with many of us shopping online for friends and family and exchanging festive greetings through social media, it’s all too easy to fall for an authentic-looking phishing email.
Cyber-criminals will use the names and logos of all the big brand retailers in their phishing emails to trick you into believing the scam message is legitimate. Often the message will use a sense of urgency to make you act without thinking.
The most common type of phishing scam is one where the cyber-criminal sends an email that imitates a message from a bank, retailer, government agency or service provider. This type of fraud is called ‘deceptive phishing’.
Of course, this type of scam relies on how convincing the phishing email is, and there is evidence that scammers are becoming more advanced at creating genuine-looking emails. So, as a precaution, look out for generic salutations and spelling and grammar mistakes in any promotional, marketing or service emails you receive, but don’t rely on them: a well-made phishing email may have none. Always check where a link really leads before you follow it. On a desktop, hover your cursor over the link (do not click it) and the real destination address will appear, usually in the status bar at the bottom of the window or in a small tooltip; on a phone, press and hold the link instead of tapping it. Compare that address with the one the email claims to be sending you to, and if in doubt, type the retailer’s or bank’s address into the browser yourself rather than following the link.
Like the standard phishing email, spear-phishing is used by cyber-criminals to steal confidential data or install malware on the victim’s computer. However, unlike a standard phishing email, which tends to be mass-produced and lacks any personalisation, the spear-phishing email will include the recipient’s name and other relevant personal information to convince them that the sender is trusted and legitimate.
To achieve this, the hackers will lift personal data on the victim from social media sites and other online sources. This may include who their family and friends are, where they work, what sort of places they regularly visit, what they like to buy, and how and where they prefer to do their shopping. The attackers will then use this data to craft an email that contains highly relevant information and appears to be from a friend or a trusted organisation.
What makes spear-phishing so attractive to criminals is its effectiveness, low cost and versatility. Hackers with limited skills can use spear-phishing to steal credentials and distribute ransomware. Organised crime groups can use it to carry out blackmail and fraud, and nation-state actors can use it to infiltrate and compromise target businesses and institutions.
It’s vital, therefore, that individuals and organisations educate themselves about the tactics that cyber-criminals use. Employees, in particular, should be trained on how to spot phishing emails and vishing (phone) scams.
Additionally, people need to be careful about which websites they visit, and what they type into them, during the Christmas season when ‘spoofed’ websites spring up. Read the address from right to left: find the domain name (the part between the ‘//’ and the next ‘/’) and look at its last two parts, such as ‘yourbank.com’ (three for addresses ending in co.uk and the like). That is the domain the site is registered under; everything to the left of it can be chosen by whoever owns that domain, so an address such as ‘www.yourbank.com.example.net’ belongs to example.net, not to your bank. A site that does not use https (no padlock in the address bar) should not be given any payment or login details, but https on its own proves nothing, since criminals can obtain certificates for their fake sites as easily as anyone else. Sites whose address begins with a bare IP address rather than a name should also be treated as suspicious.
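As an added, runnable illustration of the two checks above (reading a link’s real destination rather than its text, and reading the domain name right to left), here is a short Python script that is not part of the original article. It takes the text a link displays and the address it actually points to, and flags the warning signs just described: a missing https, a raw IP address as the host, a decoy name placed before an ‘@’, a punycode (xn--) label that can hide a look-alike name, and a mismatch between the domain the text shows and the domain the link really goes to. The sample links, the domain names in them and the short suffix table are constructed for this example; a real checker would use the full Public Suffix List.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample links, each as (text the reader sees, address the link really goes to).
# None of these domains belong to a real retailer or bank.
SAMPLE_LINKS = [
    ("https://www.amazon.co.uk/orders", "https://www.amazon.co.uk/orders"),
    ("www.paypal.com", "https://www.paypal.com.account-verify.example/login"),
    ("Track your parcel", "http://192.0.2.10/track"),
    ("secure.bank.example", "https://secure.bank.example@evil.example/login"),
    ("Royal Mail", "https://xn--royal-mail-lookalike.example/redelivery"),
]

# A few common two-part public suffixes so that "shop.example.co.uk" is reported
# as "example.co.uk". This is a placeholder for the full Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.nz"}

# Something that looks like a domain name inside the visible link text.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Read the host name right to left and return the part that is actually registered.

    'www.paypal.com.account-verify.example' -> 'account-verify.example'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_in_text(text: str) -> Optional[str]:
    """Return the first domain-looking token in the visible link text, or None for plain words."""
    match = HOST_RE.search(text)
    return match.group(0).lower() if match else None


def inspect_link(text: str, href: str) -> List[str]:
    """Return the warning signs for one link; an empty list means nothing looked wrong."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not https")

    # 'https://secure.bank.example@evil.example/': the browser treats everything
    # before the '@' as a user name and connects to evil.example.
    if "@" in parts.netloc:
        warnings.append(f"decoy host before '@', real host is {host}")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal name, not an address

    # Labels starting with 'xn--' are punycode: a non-ASCII name that may be
    # built from characters that look like a familiar brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host name, possible look-alike")

    shown = host_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        warnings.append(
            f"link text shows {registrable_domain(shown)} but goes to {registrable_domain(host)}"
        )
    return warnings


def scan_links(links: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Inspect every (text, href) pair and keep only the ones with warnings."""
    results = []
    for text, href in links:
        found = inspect_link(text, href)
        if found:
            results.append((href, found))
    return results


if __name__ == "__main__":
    for href, found in scan_links(SAMPLE_LINKS):
        print(href)
        for warning in found:
            print("   -", warning)
```

The same logic can be run over the anchors extracted from a suspicious email’s HTML body; the important point is that the decision is made on the `href`, never on the text, and on the rightmost labels of the host name, never on the leftmost.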
Finally, don’t publish sensitive or corporate information on social media. If there’s anything you think a hacker could use, then don’t post it and make sure that you’ve set privacy settings to control what others can see.
Another approach that criminals will use to steal your account details and passwords – especially, at this busy time of year – is to call or leave a voicemail and claim that they are from your bank or another organisation that you trust. As with phishing emails, they will adopt an urgent tone of voice – perhaps claiming that your account has been compromised – to spur you into action without giving you time to stop and think. They may try to get you to disclose your personal information over the phone or send you to a fraudulent website where you will be asked to resubmit your personal details.
Vishing fraudsters may use a false caller ID to hide their identity or mimic a caller ID or number that you recognise – for example, your bank or credit card company. If you don’t respond to their initial attempt, they may leave an urgent voicemail, hoping to alarm you into reacting to the hoax call at a later time.
Of course, fraudsters may choose a different emotional response to exploit other than fear or urgency. They may instead try to provoke a sense of curiosity or excitement by telling you about a fantastic free offer, for instance, or informing you that you’ve been randomly selected in a prize draw and a package is waiting for you to claim. All you need to do is confirm your details to redeem your prize. It’s at this point that they will try to persuade you to reveal personal information that they can use to access your credit card or bank account.
If you suspect that a call is a hoax and want to check its authenticity, contact the organisation concerned yourself, using a number you already have (for example, the one on the back of your bank card or on its official website) rather than any number the caller gives you. Use a different phone line if you can, or wait at least ten minutes if you must use the same landline. This is because, on some landlines, criminals can keep the line open by not hanging up and so intercept your call: you may think you are talking to a legitimate representative at the other end of the phone when, in fact, you are still talking to the vishing fraudster or an accomplice.
Smishing is a variation on phishing where text (SMS) messages are used instead of email to trick the recipient into clicking a malicious link, which leads to a fake website or to a download that contains malware. Never reply to these types of messages, even to say ‘stop’: a reply confirms that your number is in use and invites further attempts. Instead, ignore them and delete them (in the UK you can also forward them to 7726, the free spam-reporting number).
Cyber Insurance provides cover against risks such as hacking and virus attacks, operational errors from technology, data breaches and the increasingly relevant risks of defamation (even on social media) and privacy breaches.
Churchill are able to offer expertise and experience in this relatively new field, advising clients on the possible threats to their business.