Con artists have their hooks out for Christmas, analyst warns

In its “phishmas” festive warning, cybersecurity company Avanan urges shoppers to remain extra vigilant, as online fraudsters spoof legitimate suppliers to steal their credentials. Perhaps more alarmingly, it has also seen an uptick in payday fraud – where company employees are impersonated online and their wages stolen.
Citing one recent scam in November that mimicked luxury accessory brand Louis Vuitton and mounted a whopping 15,000 cyberattacks, Avanan said attempts this month to steal personal data or even money using fake emails would reach a “crescendo.”
“It's that most wonderful time of the year – phishmas, when hackers get out their naughty-and-nice list and check it twice. These attacks tend to take advantage of shipping and package notifications, as you can imagine, but they go beyond that,” said Avanan, pointing to an alarming rise in paycheck fraud in the run-up to Christmas.
In the latter, a scammer approaches the HR department of a company using a spoofed email address, posing as an employee asking for their direct deposit details to be changed. Unwittingly, the HR worker complies, leading to the real employee finding their next paycheck undelivered – paid instead into an account controlled by the con artist.
“Though this happens all the time, the fact that we're seeing an influx around the holiday is an interesting trend,” said Avanan. “This scam has double-cruelty to it. Not only does it steal money, but it steals it around the holidays, when people need it most. Talk about the ultimate Grinch.”
Crude as such tricks might seem, that simplicity itself can be a strength, Avanan warns – because digital defense systems programmed to spot malware will be more easily fooled by emails with no links embedded in them.
“These scams are not super sophisticated,” said Avanan. “What makes them tricky, however, is the lack of malicious link or attachment. Security scanners often look for those items, since if it's malicious, it's an easy block.”
It added: “When it's just text, it becomes a bit harder. It's not entirely out of the ordinary for an employee to change their bank account information.”
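The paycheck scam described above carries no link or attachment, so a filter has to look at the wording and the sender instead. The sketch below is an added example, not code from Avanan or from the article; the domain `example.com`, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the company's own mail domain
# Assumption: wording typical of a direct-deposit change request.
PAYROLL_RE = re.compile(r"direct deposit|bank (account|details|information)|paycheck", re.I)
CHANGE_RE = re.compile(r"\b(change|update|switch|replace)\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)

def domain(header_value):
    """Return the lower-cased domain of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def payroll_diversion_signals(raw):
    """List the signals a text-only payroll-change request raises."""
    msg = message_from_string(raw)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    body = "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain" and not p.get_filename())
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = []
    if PAYROLL_RE.search(text) and CHANGE_RE.search(text):
        signals.append("payroll_change_request")
    # The property that lets these messages past link/attachment scanners.
    if not URL_RE.search(text) and not any(p.get_filename() for p in parts):
        signals.append("no_link_or_attachment")
    if domain(msg.get("From")) != ORG_DOMAIN:
        signals.append("external_sender")
    reply_to = domain(msg.get("Reply-To"))
    if reply_to and reply_to != domain(msg.get("From")):
        signals.append("reply_to_mismatch")
    return signals

def is_suspicious(raw):
    """True for a payroll change request whose sender or reply path is off-domain."""
    s = payroll_diversion_signals(raw)
    return "payroll_change_request" in s and bool({"external_sender", "reply_to_mismatch"} & set(s))

# Constructed sample messages (not real mail).
BODY = "Hi, I changed banks. Please update my direct deposit details before the next paycheck.\n"
LOOKALIKE = f'From: "Jane Doe" <jane.doe@examp1e.test>\nTo: hr@example.com\nSubject: Payroll\n\n{BODY}'
REPLY_TO = f"From: jane.doe@example.com\nReply-To: jane.doe@mailbox.test\nTo: hr@example.com\nSubject: Payroll\n\n{BODY}"
INTERNAL = f"From: jane.doe@example.com\nTo: hr@example.com\nSubject: Payroll\n\n{BODY}"
```

A message that forges the exact company domain in `From` and sets no `Reply-To` looks identical to `INTERNAL` here; catching it needs the SPF, DKIM and DMARC results, which this sketch does not read.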
Other festive tricks favored by crooks include the “failed delivery notice” scam, where the victim is duped into thinking a gift they have tried to send has been returned to a depot – in this case they are redirected to a disguised credential harvesting page to ‘rearrange’ delivery, allowing their vital personal data to be captured by cybercriminals and used to facilitate other devious ploys.
“There are few things more frustrating than getting a notification that a package couldn't be delivered,” said Avanan. “It requires far too much work to get it back on track. But when you have a package that needs to be delivered, you'll do what it takes. That's what this phishing scam aims to take advantage of.”
To avoid falling victim to a cyber-scam, Avanan urges email users always to check any linked website’s URL, the sender’s email address, and the message itself for grammar, content, and tone.
“This phishmas, be on the lookout for a tremendous amount of attacks,” it said. “Hackers want to be the Grinch and steal your holiday cheer. But if you look at an email properly, you can stay safe.”