Stay Alert for Phishing Scams This Holiday Season (2024)

Hackers Don’t Take Holidays

Summer is here! Naturally the summer holiday is when we indulge in relaxation, budget planning, vacations, visiting our family… etc, during those ‘stressful’ engaging times, often we tend to miss the minor cues of the too-good-to-be-true phishing email offers we receive.

Well, it’s an old marketing practice that still works and grabs the attention of their clientele, and this is how hackers exploit that old human flaw in curiosity.

The Holiday Hackers cloak their intent as legitimate businesses such as travel, rent-a-car, credit card or hotels, so they can play on our natural inclination to trust and increase your sense of urgency. To help you protect your holiday cheer this year, we want to let you know about some of the most common phishing tactics that may show up in your inbox this holiday season!

Common Phishing Tactics During the Holidays

Unfortunately, scams are now commonplace in our daily lives and at times, it might be mentally exhausting to be on constant lookout, to make sure you don’t make the wrong decision, click on the phishing email attachment or message posing as trustee agents, online merchants requesting personal information, or automated calls alerting you to outstanding debts. Here are some sample techniques criminals use:

Fake Booking.com complaint

This phishing email impersonates Booking.com and claims that a guest filed a complaint against the property, threatening to block the hotel from the site. The email contains a link labeled “Guest complaint” that, when clicked, sends the user to a malicious website meant to steal login information or install malware.

Fake login page

This phishing email mimics a Booking.com Partner Hub login page, aiming to steal login credentials from unsuspecting users. The email addresses property owners who manage their listings through Booking.com’s Extranet, navigating them to sign in to the Partner Hub and as you can see it looks remarkably authentic, aligning with the Booking.com logo, a professional layout, and links that appear to lead to legitimate resources.

The email prompts users to fill out their username, also known as “Login name” or “Login ID,” and then click on the “Next” button to proceed. This button, however, takes the user to a bogus website that substantially resembles the legitimate Booking.com login page. When the user enters their credentials, the attackers collect these details, granting them access to the user’s accounts.

Booking payment confirmation scams

In this scenario, the threat actor is using urgency of a potential loss of customer and a negative review, with a specifically crafted email requesting to contact the guest, and a link leading to a malicious site that steals your data. It’s like opening a gift and finding a glitter bomb, messy and full of regrets. This method is particularly effective in the hospitality industry, where prompt and courteous customer service is crucial.

Therefore, it’s important for employees in this sector to undergo security awareness training. Such training helps employees recognize phishing attempts, understand the tactics used by cybercriminals, and adopt best practices to safeguard sensitive information, ultimately protecting both the business and its customers from cyber threats.

Why the Holiday Season is Prime Time for Phishing Attacks

It’s the most vulnerable time of the year! The summer season, full of vacations, barbecues, and beach days, also sees employees letting their guard down, potentially opening the door to costly cyberattacks.

Amid all the chaos and sun-soaked distractions, it can be demanding to devote enough attention to the threats lurking in our social media feeds, inboxes, and other channels. Who would have thought that an invite to a pool party or an invitation to a company picnic could be suspicious or even dangerous? Attackers are also looking for shared experiences, which can make phishing emails seem personal and contextual. It’s all about timing.

For example, attackers can promise unbeatable Fourth of July sales, encourage employees to log into a fake portal to sign up for the company’s summer outing, or even assume the role of HR or other department leads to share details about a summer event that disguise malicious intent.

Along with the practical risks associated with using new online booking websites or travel agencies that they may not be familiar with, consumers may also experience high emotions of excitement about vacation plans and anxiety about missing out on last-minute deals.

Tips to Protect Yourself from Holiday Phishing Scams

As a general rule of thumb, you should trust your instincts. If something seems too good to be true, it probably is, as most people will get phished at some point in their lives. So, if you see someone selling products on social media at below-market-value prices, it’s best to move along, as there’s a strong chance that they’re trying to scam you. However, there are multiple actions to take, hopefully leading to online security habits becoming second nature:

• Establish a suitable holiday plan that includes an emergency plan and a staff that is available around-the-clock for response;
• Ensure that you carry out a pre-holiday audit to confirm that you are aware of the most recent upgrades and modifications to your infrastructure and to promptly patch and address any vulnerabilities;
• Maintain your computers up to date, remember to check your firewall, antivirus program, and other software, and have a plan in place for comprehensive backups of your data;
• Verify adherence to the strictest security regulations in your sector;
• To prevent privilege escalation attacks, we suggest temporarily disabling privileged accounts where the users will be away on holiday and thus not working.

And the last one is the single most important step, educating your users about holiday phishing emails through your Security Awareness Training Program so they can:

• watch out for phishing websites;
• not click dubious links or attachments in emails;
• not connect their work equipment to open Wi-Fi networks;
• utilize a password manager and strong, unique passwords;
• use the most recent versions of antivirus software;
• exercise caution when sharing content on social media;
• stick to secure shopping practices and be aware of the consequences of disregarding security policies within your company.

To properly protect your email technology environment, use Hornetsecurity email services such as:

• Advanced Threat Protection
• Email Encryption
• Email Continuity Service

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

Conclusion

People are at their finest during the holiday months, be it winter or summer. However, from what we’ve seen thus far, they can also be at the highest risk. Meanwhile, threat actors and the adoption of emerging technologies such as generative AI is increasing and phishing messages/copy for fake ads are becoming more refined and believable.

Your staff in your business, as well as in their personal lives, need to be extra vigilant this season, always suspicious when faced with seemingly legitimate ads and messages, conduct research before clicking on links, and always err on the side of caution. It is also a good idea to monitor accounts for unusual activity and to immediately report such instances. Don’t let your work to strengthen your cybersecurity posture throughout the year go to waste, so keep an eye out for malicious intent.

These days, the goal extends beyond preserving one’s finances or reputation.

To enjoy a restful break, peace of mind is equally important.

FAQ

You might also be interested in