Don’t Let ‘Christmas Phishing’ Ruin Your Holiday Season

As shoppers try to find deals in time to put presents under the tree, phishing campaigns are making it more difficult for consumers to tell if a website is naughty or nice.

It’s that time of year again. Chestnuts are roasting on an open fire, Jack Frost is nipping at your nose. Rudolph and Frosty are on the TV and Michael Bublé’s Christmas album is on repeat. More importantly than all of that, Santa is making his list and checking it twice. But, did you ever wonder why he’s checking it twice? A magical elf who can make it around the world in a single night is unlikely to need to double check his work like an elementary school math student. Sure, it may be to add rhyme to the song, but something about that theory feels very wrong.

So, what’s left? Could it be children’s wishing? I suspect that the answer is evil Christmas phishing.

I think that Santa realized before any of us that phishing was a real risk. Typos present a serious threat and you need to make sure that everything is as it should be – how else will he know if Jace, Mason, Lily, and Julia are who they say they are? If you think that you are above typos, remember that this year, a town in Canada announced that Satan was attending their annual Christmas parade. It’s all too easy for mistakes to be made and Santa simply wants to ensure that he’s not the one making the mistakes.

l recently learned that someone I play video games with spells their in-game name with an upper-case “I” instead of a lower-case “L.” I bet you didn’t even notice that this paragraph started with a lower-case “L.” Visual inspection can fail even the best of us and that’s only part of beating phishing scams. There are plenty of other things you need to watch for, which is why I think St. Nick had the right idea when he started checking his list twice.

You might be thinking that you know what phishing is and you’re confused as to why we’re talking about typos. One of the ways to increase the effectiveness of phishing campaigns is to utilize a technique known as typosquatting, a form of cybersquatting, where attackers register a domain name that mimics a popular website. Whether this is a mistyped domain name (Amaon instead of Amazon) or a letter substitution (PayPai instead of PayPal), this is an important technique to know about. You might think that the ‘PayPai’ example looks obvious, but what about PayPaI, which is using a capital “I”?
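To make the "check it twice" idea concrete, here is an added example (not from the original article) that flags the three lookalikes mentioned above: a dropped letter, a substituted letter, and a capital "I" standing in for a lower-case "l". The brand watch list, the confusable-glyph map and the function names are assumptions made for illustration.

```python
from typing import Optional, Tuple

# Constructed watch list of brand labels to protect (illustrative).
BRANDS = ("amazon", "paypal")

# Glyphs that render alike in many fonts. Mapped BEFORE lower-casing so a
# capital "I" posing as "l" is caught. Illustrative, not exhaustive.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})


def skeleton(label: str) -> str:
    """Collapse look-alike glyphs, then fold case."""
    return label.translate(CONFUSABLE).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand) for a host name as it is displayed."""
    # Simplification: the label left of the final dot is taken as the name.
    parts = host.rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    for brand in BRANDS:
        if label.lower() == brand:
            return "exact", brand        # label matches; says nothing of the TLD
    for brand in BRANDS:
        if skeleton(label) == brand:
            return "homoglyph", brand    # identical only after glyph folding
    for brand in BRANDS:
        if edit_distance(label.lower(), brand) == 1:
            return "typo", brand         # one dropped, added or swapped letter
    return "no-match", None
```

The glyph folding runs on the name as displayed, because that is what the reader sees; the same name lower-cased is what resolves, which is why "PayPaI" and "PayPai" get different verdicts.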

We haven’t even gotten into the heart of phishing yet, the emails. Do you think that it’s easy to recognize a phishing email? Try again. I always laugh because enterprise phishing tests, designed to trick their users, are incredibly obvious compared to the advanced techniques used by malicious attackers, yet they still manage to catch people. When the complexity of the mail increases, so does the likelihood of a good haul when the net is cast wide. Thinking you won’t get caught is hubris that you likely won’t be able to afford once you are. Just look at all the people falling for telephone scams on a regular basis, and those are often much more obvious than phishing emails.

If you still aren’t convinced, let’s look at this from another angle. If you take a child to the mall around the Christmas season, they think they’re sitting on Santa’s lap. It doesn’t matter that Santa is tucked safely away in the North Pole preparing for Christmas day and they’re meeting one of Santa’s helpers. To that child, at that moment, the wonder and amazement they feel means that Santa is actually in front of them. They’re telling a magical elf exactly what they want for Christmas, pony and all.

The feeling they experience when they see Santa’s cousin, Ralph the Elf, at the mall instead of Santa Claus himself is no different than the feeling you get when you see a coupon that says save 90 percent at Sephora online when you click right now. You want it to be real, so it is, and by the time you realize it isn’t, you’ve already paid the price. Still not convinced? Spend an hour browsing Facebook. In the past week, I’ve seen more than a dozen links shared that offer unreal coupons or fake shopping experiences. Even after pointing out they are fake, people still leave them up. We want a good deal, we want to believe that if we share a Facebook post, Bill Gates will give us a million dollars or that if we click this link, Walmart will pay us to shop at their store for one day only.

When you think about a phisher, they aren’t that unlike the elves at the North Pole. They need to manufacture a perfect email, just like when Santa’s elves make a branded product in their workshop. It wasn’t made at the Nintendo factory, but that Switch that Santa leaves is just as good as the ones the factory ships. The emails that these phishers send look just like emails from the actual stores. So, whether you’re a child looking at the tree on Christmas morning, or an adult reading your email over your morning coffee, it’s easy to see just how convincing these knockoffs can be.

Phishers are also like street magicians, making you see what they want you to see. Season 2 of Magic for Humans with Justin Willman dropped on Netflix recently. He goes to great lengths to create an illusion, to show his audience exactly what they want to see. In one segment called Sleight of Ham, he has a child bite a piece out of a slice of ham and after “shuffling” the ham, tosses the pieces against a car window. The piece with the bite is inside the car stuck to the window. I’m no master illusionist, but I dabble in sleight of hand and it doesn’t matter what the audience sees, it’s what they believe they see. I can take a deck of cards and cut it to the same card a dozen times, I can even make it appear real. That’s what happens with those phishing emails, they appear to be real and just like I’m not Justin Willman, they don’t have to be great, just good enough.

Finally, phishers have to be a little like a psychologist. They need to know what makes people tick and what drives people to click on links. Whether it’s a telephone scammer or a phisher, one of those big motivators is always fear. Around the holidays, however, greed or the desire for a good deal can drive people toward clicking on a malicious email. These days, everyone feels stretched thin and while it is popular to point out that you should never go into debt for Christmas, many people are going to overspend, so they’re also going to look to save. A good deal in your email might just entice you to click that link and make a purchase.

We live in an era where brick-and-mortar stores are dying, where kids ask a jolly fat man for thousands of dollars in high-end electronics, and where a story of a reindeer with a red nose that perseveres through bullying to become a hero is sadly still needed. All of this might explain why we see an email for a good deal just for us and we jump on it without a second thought.

Then again, it might just be a good reminder to visit your local businesses and value kindness this holiday season. Either way, take a page from Kris Kringle’s book and check twice, because there’s no guarantee that an email is naughty or nice.
