Security leaders discuss risks and offer advice on seasonal scams

A new report from Fortinet’s FortiGuard Labs reveals the state of the e-commerce threat landscape. As the holidays approach, threats to online shoppers grow as malicious actors leverage Man-in-the-Middle (MITM) phishing kits, Remote Code Execution (RCE) exploits and website cloning services to steal sensitive data. The report demonstrates how malicious actors are deploying generative AI tools in order to craft phishing lures for individuals as well as businesses. Threats discussed in the report include:

Phishing emails, replicating legitimate retailers or financial institutions
Season-themed domain registrations, replicating trusted brands
Compromised e-commerce website databases
Stolen gift cards and credit card data

Below, security experts share insights on seasonal scams as well as advice for defending against them.

Why seasonal scams are so effective

Mr. Mika Aalto, Co-Founder and CEO at Hoxhunt:

Seasonal scams continue to exist because they’re successful for hackers. Cybersecurity leaders should take steps to bulk up defenses during the holidays, when there is heightened email activity and emotions that social engineers can manipulate. Many employees use the same devices for work as they do for personal use, so opening a malicious link in a seemingly personal message could have catastrophic consequences for the organization.

The holidays contain more travel and gift-buying activity along with heightened emotions, so there are a lot more psychological buttons available to hackers during this season of giving. Package delivery-themed phishing campaigns are common, and we see a lot of those Amazon spoofed sites lead to credential harvesters. Travel-themed phishing campaigns might notify a victim that their flight has been canceled, so in a panic, someone might click something they otherwise wouldn’t and download malware that could compromise your system.

This is a good time to send targeted phishing simulations along with a general communication full of examples of holiday themed phishing campaigns to bring the topic to the front of people’s minds. Deploy some of the same educational tactics you use during Cybersecurity Awareness Month during the holidays, and wrap the training in messaging of cybersecurity being a gift that you can pass on to your loved ones. Just as the bad guys know how to manipulate emotions, the good guys should be mindful of the season when we send educational materials. People are much more receptive to positive messages than negative.

The role of AI in seasonal scams

Stephen Kowski, Field CTO at SlashNext Email Security+:

AI is being leveraged to automate and scale attacks, generate highly convincing phishing lures, and evade traditional security controls. Machine learning models can analyze vast datasets to identify vulnerabilities and optimize attack strategies in real-time. Advanced natural language AI is also being used to craft hyper-personalized social engineering attacks that are extremely difficult for humans to detect.

AI-powered phishing uses machine learning to create highly personalized and contextually relevant lures that appear legitimate. These attacks can automatically generate customized content, adapt in real-time, and learn from successes and failures to improve effectiveness. Unlike traditional phishing, AI phishing can scale to produce thousands of unique, targeted messages and quickly pivot based on defense

Leaders should invest in AI-powered defenses that can detect subtle anomalies and patterns indicative of AI-driven attacks. Implementing robust email and messaging security with natural language AI capabilities is critical for combating next-gen phishing. Continuous AI-based monitoring and behavioral analysis across all channels is also essential to identify threats in real-time.

How individuals can protect themselves from seasonal scams

Craig Lurey, CTO and Co-Founder at Keeper Security:

Some of the most common security mistakes shoppers make online revolve around the ease of online shopping and streamlining the process. Storing financial information on the store’s website, saving login information to web browsers, reusing passwords for multiple accounts, and shopping while on public Wi-Fi are just a few of the ways online shoppers are exposing themselves to cybercriminals. Another major mistake shoppers make is using a debit card instead of a credit card, the latter of which offers more protections and less risk in the event of your information being stolen.

Protecting your information online, especially while shopping with sensitive financial information, starts with good password hygiene. Having multiple online shopping accounts means you should have a strong and unique password for each and every one. They should be stored in a password manager to provide easy access while creating another layer of security to protect against bad actors. Password managers will also allow you to securely store credit card information so you don’t have to type it in every time you make a purchase. Setting up multi-factor authentication (MFA) on your accounts provides a critical second layer of security in the event that your password is compromised. Authenticator apps, SMS codes, and security devices are a few of the options available for MFA.

Also, be aware of phishing scams from cybercriminals posing as legitimate businesses. If a message looks suspicious or contains a deal that seems too good to be true, avoid clicking any links or responding. The key is to ensure that the URL of the destination website matches the authentic website. When a password manager is used, it automatically identifies when a site’s URL doesn't match what’s contained in the user’s vault, which provides a critical extra layer of security.

How organizations can defend against seasonal scams

Krishna Vishnubhotla, Vice President, Threat Intelligence at Zimperium:

During the holidays, we will be flooded with offers and deals. Brands you have never engaged with will hit you with persuasive offers with the hopes of tempting you to make a purchase. However, we must be careful when choosing which ads to click on. Make sure it's a brand you have engaged with, and even then, make sure that you are on their official site before you transact. Since mobile devices have a smaller form factor, this will be extremely difficult. Bad actors will redirect you over and over again in order to confuse you and make you land on a fake website. Unfortunately, there is no way to know where these sites are hosted so that you can make a smart decision based on that information.

As employees may be shopping and making purchases during work hours, using work devices, organizations must protect their employees from phishing links, malicious QR codes, and malicious attachments in these emails across all legacy and mobile endpoints. Bad actors are getting very creative in designing email campaigns that bypass traditional detection mechanisms. Email attachments and links should be scrutinized by enterprises. Adopting a zero-trust security model and using encrypted communication for sensitive exchanges will further guard against malicious emails.

A recent report revealed that 82% of phishing sites now target mobile devices and that 76% of phishing sites targeting enterprises are using HTTPS. We are seeing a dramatic rise in this approach for mobile devices, which is sign of maturing tactics on mobile. Mobile is conducive to misleading the user because we rarely see the URL in the browser or the quick redirects. Moreover, we are conditioned to believe a link is secure if it has a padlock icon next to the URL in our browsers. Especially on mobile devices, users should look beyond the lock icon and carefully verify the website's domain name before entering any sensitive information.

The best way that we can all fight cybercriminals is to combine technological defenses with vigilant practices. Where possible, install anti-phishing tools to enhance security, and ensure your operating system is regularly updated to close vulnerabilities that phishing links may attempt to exploit. Keep yourself updated about the latest trends in phishing. It's our cyber-hygiene on our devices that really gets us into trouble.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.