5 Dangerous Holiday Phishing Scams this Festive Season


As if there wasn’t enough phishing to deal with related to the pandemic, inboxes are about to get flooded with a bunch more, themed to the holiday season. During last year’s holiday season, holiday phishing scams and attacks increased 400% in the first week of November alone.

 

It’s easy to fall for holiday scams because people are busy with seasonal activities, one of which is online holiday shopping. People are used to receiving an increased amount of email, including shipping notices, holiday promotion emails, order receipts, and charitable donation requests during this time.


In fact, cybercriminals take advantage of all those types of seasonal emails by spoofing them and inserting their own malicious links and attachments.

 

These holiday phishing scams increase the danger to business networks, because employees often check personal email while at work. They may also be getting these scams sent directly to their work email, purporting to be a business purchase, such as the phishing example below.

What’s the Best Defense Against Holiday Phishing Scams and Attacks?

It’s best to take a layered strategy when defending against phishing attacks. This includes:

 

  • Training employees to be aware of the latest phishing scams they may see
  • Conducting continuous IT security training throughout the year
  • Putting anti-malware and other threat protection in place on your network
  • Using DNS filtering to block dangerous websites
  • Using email spam/phishing filtering to block unwanted email

 

Employee awareness is one of the most important safeguards when it comes to phishing emails, because they are the target of these scams. Providing consistent employee security awareness training has been shown to reduce risk of a cybersecurity incident by 40-50%.

Watch Out for These Holiday Phishing Emails

Fake Order Receipt

Phishing scammers engaged in holiday phishing scams will send fake order receipt emails that look like they’re from well-known retailers. The goal is to get the recipient to react emotionally: either they didn’t place the order and are angry and want to resolve the mistake, or they’re curious and want to see what they may have ordered.

Either way, the order link provided will typically send the user to either a fake sign-in form designed to steal login credentials or a malware-laden website.

Spoofed Shipment Tracking

Online holiday purchases mean order tracking notices come in at a higher rate than the rest of the year. Scammers take advantage of this by sending phishing emails designed to look like they’re from a company such as UPS.

 

The link will take the user to a malicious site that can download ransomware, spyware, or another type of malware.

Charitable Contribution Scam

Charities often take advantage of the giving spirit of the holiday season to increase their outreach efforts. Phishing scammers send out fake donation requests with heartfelt images to try to get someone to not only give them money, but also to give them their credit card details.

 

If employees or companies want to donate, it’s always best to do it through a reputable organisation and by going directly to their site, not through an email link.

Gift Card Phishing Scam

One of the more sophisticated scams is designed to impersonate an employee in a position of power at an organisation, such as a manager or supervisor.

 

Scammers can easily find this information on a corporate website or a social site like LinkedIn.

 

They send an email purporting to be from the manager to a lower-level employee. It will say something like this:

 

“I completely forgot to have you buy gift cards for our top clients, and I have outreach visits to them this afternoon. I’m in meetings all morning and unreachable. I need you to purchase 10 x $100 gift card and email me the numbers so I can have those for my visits. I’ll reimburse you as soon as I’m back.”

 

This scam is designed to take advantage of an employee’s desire to please the person in power. The scam uses the ploy that the sender will be “unreachable” to dissuade the recipient from calling to ask any questions.

 

Once the card numbers are sent, they’re immediately used, and the employee or company is out the money. This scam is also sometimes done by text message.

 

Employees should always contact the person using the contact details they have on file for them if they receive an unusual request like this.
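The three patterns above (the fake order receipt, the spoofed tracking notice and the gift-card request from a “manager”) can be flagged with a few simple mail-triage checks. The script below is an added example written for this post, not a tool from Connected Platforms; the executive list, the domain names and both sample messages are constructed for the example.

```python
"""Triage heuristics for the gift-card, fake-receipt and spoofed-tracking emails described above."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical organisation data (assumed for the example, not from the post).
EXECUTIVES = {"jane smith": "jane.smith@example.com.au"}  # display name -> real mailbox
URGENCY_TERMS = ("gift card", "unreachable", "in meetings", "email me the numbers")
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(value):
    """Hostname of a URL, or of a bare domain that appears as link text."""
    value = value if "://" in value else "https://" + value
    return (urlsplit(value).hostname or "").lower()

def triage(raw):
    """Return the indicators found in one raw RFC 822 message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload(decode=True).decode(errors="replace")
    findings = []
    # Gift-card scam: a manager's display name on a message from a different mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used from {addr}")
    # The "unreachable" / urgency wording the gift-card template relies on.
    findings += [f"urgency phrase: '{t}'" for t in URGENCY_TERMS if t in body.lower()]
    # Fake receipts / tracking: visible link text names one domain, href goes to another.
    for href, text in ANCHOR_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "." in text and host(text) != host(href):
            findings.append(f"link text '{text}' actually points to {host(href)}")
    return findings

# Constructed sample messages (not real phishing samples).
GIFT_CARD = """From: Jane Smith <jane.smith.ceo@freemail.test>
To: staff@example.com.au
Subject: Quick favour

I'm in meetings all morning and unreachable. I need you to purchase
10 x $100 gift card and email me the numbers so I have them for my visits.
"""
TRACKING = """From: UPS Notifications <notify@parcel-alerts.test>
To: staff@example.com.au
Subject: Action required on your parcel
Content-Type: text/html

<p>Track it here: <a href="http://ups.tracking-update.test/hold">https://www.ups.com/track</a></p>
"""

if __name__ == "__main__":
    for sample in (GIFT_CARD, TRACKING):
        print(triage(sample) or ["no indicators"])
```

A real mail filter would also check SPF/DKIM results and sender reputation; these heuristics are the cheap first pass that catches the wording and link tricks this post describes.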

Fake Holiday Sales & Promotions

When you see a rock bottom price on a new iPhone 12 or another gadget you’ve been wanting to buy, it can be hard to resist checking it out to see if it’s legitimate.

Unfortunately, this often leads to people clicking fake holiday sale emails and being taken to sites that perform drive-by downloads of malware.

It’s important to be hypervigilant during the holiday season and to avoid clicking links in emails whenever possible. If the sale is from a legitimate retailer, going to their website directly should show the same sale and is safer than clicking a link.

Does Your Brisbane Business Have DNS Filtering In Place?

One way to mitigate the risk of an employee clicking on a phishing link is to use DNS filtering to block malicious sites. Connected Platforms can put this, along with other important phishing protections, in place for you.

 

Would you like to learn more about dangerous holiday season phishing scams this festive season and beyond? Contact our managed IT services Brisbane team for a free consultation today. Call (07) 3062 6932 or book a coffee meeting online.

More blog posts

How to create secure passwords

Weak passwords are one of the biggest security risks to your business.
Why?
Because cyber criminals are getting smarter than ever before. If they manage to crack just one password, they could gain access to your sensitive business data, financial information, or even gain control of your entire system.
Cyber criminals use automated tools to guess passwords, allowing them to try out millions of combinations in seconds. So, if you’re using something like “Password123” or “CompanyName2025”, you’re practically handing them the keys to your business.
A compromised password can lead to big issues, such as:
• Data breaches
• Financial losses
• Identity theft
• Reputation damage
But how do you create strong passwords without driving yourself (and your team) mad?
Think of your password like a secret recipe, where only you should know the ingredients. It should:
• Be at least 14 characters long (the longer, the better)
• Include a mix of uppercase and lowercase letters
• Contain a few numbers and symbols (like @, $, %, or &)
• Not contain any common words or easily guessable information (like birthdays, names, or the word “password”)
Instead of using a single word, you could try a passphrase – a short, random sentence that only you would understand. For example, instead of “Sailing2025”, try something like “Coffee&CloudsAreGreat9!”. This is much harder to crack, yet still easy to remember.
You should also steer clear of these common mistakes:
• Using personal info (your name, birthday, business name, etc.)
• Reusing the same passwords across multiple accounts
• Using simple sequences (“123456” or “abcdef”)
• Storing passwords in an easily accessible place (like a sticky note on your desk)
If remembering unique passwords for every account sounds impossible, there is another option: Password managers. These generate strong passwords, store them securely and autofill them for you.
With a password manager, you only need to remember one strong master password for the manager app itself. The rest are encrypted and stored safely, reducing the risk of data breaches.
Even the strongest password isn’t foolproof, which is why multi-factor authentication (MFA) is also important. MFA requires a second form of verification, like a one-time code sent to your phone or generated from an authentication app.
If you have employees accessing your business systems, it’s a good idea to have a password policy in place to explain your rules and why they’re important. This should include:
• Unique passwords for each system and account
• Regular security training on password best practices
• Business-wide use of MFA for critical systems
• Scanning for compromised passwords regularly
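The password rules above (14+ characters, mixed case, numbers and symbols, no guessable terms or simple sequences) and the “scan for compromised passwords” policy item can be enforced in code at the point where a password is set. This is an added example written for this post, not Connected Platforms’ tooling; the guessable-term list and the breached-password set are constructed placeholders for what a real business would maintain.

```python
"""Password-policy and compromised-password checks for the rules set out above."""
import hashlib
import re

MIN_LENGTH = 14
SYMBOLS = set("@$%&!#^*()-_=+[]{};:,.?/")
SIMPLE_SEQUENCES = ("123456", "abcdef", "qwerty")
# Hypothetical guessable terms for one business: its name, a location, a hobby, the year (assumed).
GUESSABLE = ("password", "companyname", "brisbane", "sailing", "2025")

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password list: stored as SHA-1 hashes, never plaintext.
BREACHED_HASHES = {sha1_hex(p) for p in ("Password123", "CompanyName2025", "letmein")}

def policy_problems(pw, guessable=GUESSABLE):
    """Return every rule the candidate breaks; an empty list means it passes the policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if not any(ch in SYMBOLS for ch in pw):
        problems.append("needs a symbol such as @, $, % or &")
    lowered = pw.lower()
    problems += [f"contains guessable term '{t}'" for t in guessable if t in lowered]
    problems += [f"contains simple sequence '{s}'" for s in SIMPLE_SEQUENCES if s in lowered]
    return problems

def is_compromised(pw, breached=BREACHED_HASHES):
    """True if the password's SHA-1 hash is in the breached set (hashes are compared, not passwords)."""
    return sha1_hex(pw) in breached

def evaluate(pw):
    """Combine both checks the way a password-change form would."""
    problems = policy_problems(pw)
    if is_compromised(pw):
        problems.append("appears in a known data breach")
    return problems

if __name__ == "__main__":
    for candidate in ("Password123", "CompanyName2025", "Sailing2025", "Coffee&CloudsAreGreat9!"):
        print(candidate, "->", evaluate(candidate) or ["OK"])
```

Against a real breach corpus you would look up the hash (or a hash prefix) rather than a small in-memory set, but the comparison stays the same: the plaintext password never leaves the check.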
By making password security a priority, you can reduce the chances of a cyber attack creating a nightmare for your business.
And if you need help making your business more secure, get in touch.
