Impulse Clicks Can Lead to Security Breaches

It’s the most wonderful time of the year for cybercriminals to take advantage of impulse clicks, especially by those anxiously awaiting the delivery of holiday packages.

The two common post-shopping scams are fake shipping delays and unexpected purchase confirmations, according to a recent alert by KnowBe4. Typically, these scams include a sense of urgency designed to catch you off guard in the hopes that you will impulsively click a link for tracking information or download a receipt for an expensive order you did not place. Don’t do it.

Clicking on the link may enable a cybercriminal to infect your phone or computer with malware to capture your passwords or take control of your device. Not only can this be a gateway to identity theft, but it can also have devastating consequences for your company. Nearly half of all security breaches utilize stolen credentials, and 78% of ransomware starts via email.

MFA Bypass Gains Ground in 2023

Additionally, with the prevalence of Multi-factor Authentication (MFA) bypass this year, this method is predicted to be applied to holiday-themed lures. MFA bypass is where the attacker steals account credentials in real-time by intercepting the MFA short code when the victim types it into a fake or compromised account login page.

Because companies send many legitimate order confirmation and shipping notification messages during the holidays, it’s easier for cybercriminals to fool consumers with similar messaging that drives them to fake login pages or lookalike websites that will intercept and capture MFA credentials.

Tips to avoid post-shopping scams and, thus, MFA credential theft:

• If you expect a package and receive a related email or text, look for details such as the order number, purchase date, and payment method.
• Don’t click any links in the message. If you receive a notice from a retailer or shipper, use your browser to navigate directly to their official website and look up your order there, or call a known contact number.

Two Other Scams Are Predicted to be Making the Rounds:

• Gift card scams: Would your CEO send you an email requesting you purchase gift cards for a holiday event? This type of business email compromise attack is a popular social engineering campaign in which attackers pretend to be C-level executives orchestrating employee holiday bonuses. This scam is geared at tricking you into buying and then sending gift card numbers and the PINs to unlock them. Always use another channel to reach out to the executive who is supposedly making the gift card request to verify and validate it.

• Charity scams: Because of the success of charity phishing emails every year, attackers continue to set up fake nonprofit companies or create websites that mimic well-known charity organizations. In addition to heartwarming requests for donations toward meals or shelter, bad actors are also likely to use newsworthy topics as lures. The best way to avoid impostors is to contact and work directly with legitimate charities and established aid programs, and never click on donation links in an unsolicited message.

Recognize and Report Phishing

Learn more about staying cybersafe in this article on our blog, How to Recognize Phishing Scams.

As always, report suspicious emails to your IT department or follow your organization’s procedures for suspicious emails. IT workforce members can review your device(s) settings or assist you with software updates.

For more information on phishing and other privacy and security issues, contact our experts at PrivaPlan today at info@privaplan.com or 877-218-7707.