christmas shopping

Don’t Let ‘Christmas Phishing’ Ruin Your Holiday Season

As shoppers try to find deals in time to put presents under the tree, phishing campaigns are making it more difficult for consumers to tell if a website is naughty or nice.

It’s that time of year again. Chestnuts are roasting on an open fire, Jack Frost is nipping at your nose. Rudolph and Frosty are on the TV and Michael Bublé’s Christmas album is on repeat. More importantly than all of that, Santa is making his list and checking it twice. But, did you ever wonder why he’s checking it twice? A magical elf who can make it around the world in a single night is unlikely to need to double check his work like an elementary school math student. Sure, it may be to add rhyme to the song, but something about that theory feels very wrong.

So, what’s left? Could it be children’s wishing? I suspect that the answer is evil Christmas phishing.

I think that Santa realized before any of us that phishing was a real risk. Typos present a serious threat and you need to make sure that everything is as it should be – how else will he know if Jace, Mason, Lily, and Julia are who they say they are. If you think that you are above typos, remember that this year, a town in Canada announced that Satan was attending their annual Christmas parade. It’s all too easy for mistakes to be made and Santa simply wants to ensure that he’s not the one making the mistakes.

l recently learned that someone I play video games with spells their in-game name with an upper-case “I” instead of a lower-case “L.” I bet you didn’t even notice that this paragraph started with a lower-case “L.” Visual inspection can fail even the best of us and that’s only part of beating phishing scams. There are plenty of other things you need to watch for, which is why I think St. Nick had the right idea when he started checking his list twice.

You might be thinking that you know what phishing is and you’re confused as to why we’re talking about typos. One of the ways to increase the effectiveness of phishing campaigns is to utilize a technique known as typosquatting, a form of cybersquatting, where attackers register a domain name that mimics a popular website. Whether this is a mistyped domain name (Amaon instead of Amazon) or a letter substitution (PayPai instead of PayPal), this is an important technique to know about. You might think that the ‘PayPai’ example looks obvious, but what about PayPaI, which is using a capital “I.”

We haven’t even gotten into the heart of phishing yet, the emails. Do you think that it’s easy to recognize a phishing email? Try again. I always laugh because enterprise phishing tests, designed to trick their users are incredibly obvious compared to the advanced techniques used by malicious attackers, yet they still manage to catch people. When the complexity of the mail increases, so does the likelihood of a good haul when the net is cast wide. Thinking you won’t get caught is hubris that you likely won’t be able to afford once you are. Just look at all the people falling for telephone scams on a regular basis and those are often much more obvious than phishing emails.

If you still aren’t convinced, let’s look at this from another angle. If you take a child to the mall around the Christmas season, they think they’re sitting on Santa’s lap. It doesn’t matter that Santa is tucked safely away in the North Pole preparing for Christmas day and they’re meeting one of Santa’s helpers. To that child, at that moment, the wonder and amazement they feel means that Santa is actually in front of them. They’re telling a magical elf exactly what they want for Christmas, pony and all.

The feeling they experience when they see Santa’s cousin, Ralph the Elf, at the mall instead of Santa Claus himself is no different than the feeling you see when you get a coupon that says save 90 percent at Sephora online when you click right now. You want it to be real, so it is and by the time you realize it isn’t, you’ve already paid the price. Still not convinced? Spend an hour browsing Facebook. In the past week, I’ve seen more than a dozen links shared that offer unreal coupons or fake shopping experiences. Even after pointing out they are fake, people still leave them up. We want a good deal, we want to believe that if we share a Facebook post, Bill Gates will give us a million dollars or that if we click this link, Walmart will pay us to shop at their store for one day only.

When you think about a phisher, they aren’t that unlike the elves at the North Pole. They need to manufacture a perfect email, just like when Santa’s elves make a branded product in their workshop. It wasn’t made at the Nintendo factory, but that Switch that Santa leaves is just as good as the ones the factory ships. The emails that these phishers send look just like emails from the actual stores. So, whether you’re a child looking at the tree on Christmas morning, or an adult reading your email over your morning coffee, it’s easy to see just how convincing these knockoffs can be.

Phishers are also like street magicians, making you see what they want you to see. Season 2 of Magic for Humans with Justin Willman dropped on Netflix recently. He goes to great lengths to create an illusion, to show his audience exactly what they want to see. In one segment called Sleight of Ham, he has a child bite a piece out of a slice of ham and after “shuffling” the ham, tosses the pieces against a car window. The piece with the bite is inside the car stuck to the window. I’m no master illusionist, but I dabble in sleight of hand and it doesn’t matter what the audience sees, it’s what they believe they see. I can take a deck of cards and cut it to the same card a dozen times, I can even make it appear real. That’s what happens with those phishing emails, they appear to be real and just like I’m not Justin Willman, they don’t have to be great, just good enough.

Finally, phishers have to be a little like a psychologist. They need to know what makes people tick. What drives people to click on links. Whether it’s a telephone scammer or a phisher, one of those big motivators is always fear. Around the holidays, however, greed or the desire for a good deal can drive people toward clicking on a malicious email. These days, everyone feels stretched thin and while it is popular to point out that you should never go into debt for Christmas, many people are going to overspend, so they’re also going to look to save. A good deal in your email, might just entice you to click that link and make a purchase.

We live in an era where brick-and-mortar stores are dying, where kids ask a jolly fat man for thousands of dollars in high-end electronics, and where a story of a reindeer with a red nose that perseveres bulling to become a hero is sadly still needed. All of this might explain why we see an email for a good deal just for us and we jump on it without a second thought.

Then again, it might just be a good reminder to visit your local businesses and value kindness this holiday season. Either way, take a page from Kris Kringle’s book and check twice, because there’s no guarantee that an email is naughty or nice.

Featured

  • Survey: Less Than Half of IT Leaders are Confident in their IoT Security Plans

    Viakoo recently released findings from its 2024 IoT Security Crisis: By the Numbers. The survey uncovers insights from IT and security executives, exposes a dramatic surge in enterprise IoT security risks, and highlights a critical missing piece in the IoT security technology stack. The clarion call is clear: IT leaders urgently need to secure their IoT infrastructure one application at a time in an automated and expeditious fashion. Read Now

  • ASIS International and SIA Release “Complexities in the Global Security Market: 2024 Through 2026”

    ASIS International and the Security Industry Association (SIA) – the leading security associations for the security industry – have released ”Complexities in the Global Security Market: 2024 Through 2026”, a new research report that provides insights into the equipment, technologies, and employment of the global security industry, including regional market breakouts. SIA and ASIS partnered with global analytics and advisory firm Omdia to complete the research. Read Now

  • President Biden Issues Executive Order to Bolster U.S Port Cybersecurity

    On Wednesday, President Biden issued an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity and more Read Now

  • Report: 15 Percent of All Emails Sent in 2023 Were Malicious

    VIPRE Security Group recently released its report titled “Email Security in 2024: An Expert Look at Email-Based Threats”. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious. Read Now

Featured Cybersecurity

Whitepapers

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Hanwha QNO-7012R

    Hanwha QNO-7012R

    The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection. 3