Don’t Let ‘Christmas Phishing’ Ruin Your Holiday Season

As shoppers try to find deals in time to put presents under the tree, phishing campaigns are making it more difficult for consumers to tell if a website is naughty or nice.

It’s that time of year again. Chestnuts are roasting on an open fire, Jack Frost is nipping at your nose. Rudolph and Frosty are on the TV and Michael Bublé’s Christmas album is on repeat. More importantly than all of that, Santa is making his list and checking it twice. But, did you ever wonder why he’s checking it twice? A magical elf who can make it around the world in a single night is unlikely to need to double check his work like an elementary school math student. Sure, it may be to add rhyme to the song, but something about that theory feels very wrong.

So, what’s left? Could it be children’s wishing? I suspect that the answer is evil Christmas phishing.

I think that Santa realized before any of us that phishing was a real risk. Typos present a serious threat and you need to make sure that everything is as it should be – how else will he know if Jace, Mason, Lily, and Julia are who they say they are? If you think that you are above typos, remember that this year, a town in Canada announced that Satan was attending their annual Christmas parade. It’s all too easy for mistakes to be made and Santa simply wants to ensure that he’s not the one making the mistakes.

l recently learned that someone I play video games with spells their in-game name with an upper-case “I” instead of a lower-case “L.” I bet you didn’t even notice that this paragraph started with a lower-case “L.” Visual inspection can fail even the best of us and that’s only part of beating phishing scams. There are plenty of other things you need to watch for, which is why I think St. Nick had the right idea when he started checking his list twice.

You might be thinking that you know what phishing is and you’re confused as to why we’re talking about typos. One of the ways to increase the effectiveness of phishing campaigns is to utilize a technique known as typosquatting, a form of cybersquatting, where attackers register a domain name that mimics a popular website. Whether this is a mistyped domain name (Amaon instead of Amazon) or a letter substitution (PayPai instead of PayPal), this is an important technique to know about. You might think that the ‘PayPai’ example looks obvious, but what about PayPaI, which uses a capital “I”?
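The two typosquatting variants described above can be checked mechanically. This Python sketch is an added example, not code from the article; the brand list and the small look-alike character table are constructed for illustration.

```python
# Constructed brand list (assumption): domains the reader actually shops at.
KNOWN = ["amazon.com", "paypal.com", "walmart.com", "sephora.com"]

# Small constructed table of characters that render alike in many fonts.
# Applied before lowercasing so a capital "I" is caught posing as "l".
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain):
    """Fold look-alike characters to one representative, then lowercase."""
    return domain.translate(CONFUSABLE).lower()


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(shown):
    """Return (verdict, brand) for a domain as displayed in a link or email."""
    lowered = shown.lower()
    if lowered in KNOWN:
        return ("known", lowered)
    for brand in KNOWN:
        if skeleton(shown) == skeleton(brand):
            return ("lookalike", brand)   # e.g. capital I standing in for l
    for brand in KNOWN:
        if edit_distance(lowered, brand) == 1:
            return ("typo", brand)        # one slip away from a real brand
    return ("unrelated", None)


if __name__ == "__main__":
    for name in ["amazon.com", "Amaon.com", "PayPai.com", "PayPaI.com"]:
        print(name, classify(name))
```

The check works on the text as displayed, because that is where a capital “I” and a lower-case “L” differ; once lowercased for DNS, PayPaI is simply paypai.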

We haven’t even gotten into the heart of phishing yet, the emails. Do you think that it’s easy to recognize a phishing email? Try again. I always laugh because enterprise phishing tests, designed to trick their users, are incredibly obvious compared to the advanced techniques used by malicious attackers, yet they still manage to catch people. When the complexity of the mail increases, so does the likelihood of a good haul when the net is cast wide. Thinking you won’t get caught is hubris that you likely won’t be able to afford once you are. Just look at all the people falling for telephone scams on a regular basis and those are often much more obvious than phishing emails.

If you still aren’t convinced, let’s look at this from another angle. If you take a child to the mall around the Christmas season, they think they’re sitting on Santa’s lap. It doesn’t matter that Santa is tucked safely away in the North Pole preparing for Christmas day and they’re meeting one of Santa’s helpers. To that child, at that moment, the wonder and amazement they feel means that Santa is actually in front of them. They’re telling a magical elf exactly what they want for Christmas, pony and all.

The feeling they experience when they see Santa’s cousin, Ralph the Elf, at the mall instead of Santa Claus himself is no different than the feeling you have when you get a coupon that says save 90 percent at Sephora online when you click right now. You want it to be real, so it is, and by the time you realize it isn’t, you’ve already paid the price. Still not convinced? Spend an hour browsing Facebook. In the past week, I’ve seen more than a dozen links shared that offer unreal coupons or fake shopping experiences. Even after pointing out they are fake, people still leave them up. We want a good deal, we want to believe that if we share a Facebook post, Bill Gates will give us a million dollars or that if we click this link, Walmart will pay us to shop at their store for one day only.

When you think about a phisher, they aren’t that unlike the elves at the North Pole. They need to manufacture a perfect email, just like when Santa’s elves make a branded product in their workshop. It wasn’t made at the Nintendo factory, but that Switch that Santa leaves is just as good as the ones the factory ships. The emails that these phishers send look just like emails from the actual stores. So, whether you’re a child looking at the tree on Christmas morning, or an adult reading your email over your morning coffee, it’s easy to see just how convincing these knockoffs can be.

Phishers are also like street magicians, making you see what they want you to see. Season 2 of Magic for Humans with Justin Willman dropped on Netflix recently. He goes to great lengths to create an illusion, to show his audience exactly what they want to see. In one segment called Sleight of Ham, he has a child bite a piece out of a slice of ham and after “shuffling” the ham, tosses the pieces against a car window. The piece with the bite is inside the car stuck to the window. I’m no master illusionist, but I dabble in sleight of hand and it doesn’t matter what the audience sees, it’s what they believe they see. I can take a deck of cards and cut it to the same card a dozen times, I can even make it appear real. That’s what happens with those phishing emails, they appear to be real and just like I’m not Justin Willman, they don’t have to be great, just good enough.

Finally, phishers have to be a little like psychologists. They need to know what makes people tick. What drives people to click on links. Whether it’s a telephone scammer or a phisher, one of those big motivators is always fear. Around the holidays, however, greed or the desire for a good deal can drive people toward clicking on a malicious email. These days, everyone feels stretched thin and while it is popular to point out that you should never go into debt for Christmas, many people are going to overspend, so they’re also going to look to save. A good deal in your email might just entice you to click that link and make a purchase.

We live in an era where brick-and-mortar stores are dying, where kids ask a jolly fat man for thousands of dollars in high-end electronics, and where a story of a reindeer with a red nose that perseveres through bullying to become a hero is sadly still needed. All of this might explain why we see an email for a good deal just for us and we jump on it without a second thought.

Then again, it might just be a good reminder to visit your local businesses and value kindness this holiday season. Either way, take a page from Kris Kringle’s book and check twice, because there’s no guarantee that an email is naughty or nice.
