christmas shopping

Don’t Let ‘Christmas Phishing’ Ruin Your Holiday Season

As shoppers try to find deals in time to put presents under the tree, phishing campaigns are making it more difficult for consumers to tell if a website is naughty or nice.

It’s that time of year again. Chestnuts are roasting on an open fire, Jack Frost is nipping at your nose. Rudolph and Frosty are on the TV and Michael Bublé’s Christmas album is on repeat. More importantly than all of that, Santa is making his list and checking it twice. But, did you ever wonder why he’s checking it twice? A magical elf who can make it around the world in a single night is unlikely to need to double check his work like an elementary school math student. Sure, it may be to add rhyme to the song, but something about that theory feels very wrong.

So, what’s left? Could it be children’s wishing? I suspect that the answer is evil Christmas phishing.

I think that Santa realized before any of us that phishing was a real risk. Typos present a serious threat and you need to make sure that everything is as it should be – how else will he know if Jace, Mason, Lily, and Julia are who they say they are. If you think that you are above typos, remember that this year, a town in Canada announced that Satan was attending their annual Christmas parade. It’s all too easy for mistakes to be made and Santa simply wants to ensure that he’s not the one making the mistakes.

l recently learned that someone I play video games with spells their in-game name with an upper-case “I” instead of a lower-case “L.” I bet you didn’t even notice that this paragraph started with a lower-case “L.” Visual inspection can fail even the best of us and that’s only part of beating phishing scams. There are plenty of other things you need to watch for, which is why I think St. Nick had the right idea when he started checking his list twice.

You might be thinking that you know what phishing is and you’re confused as to why we’re talking about typos. One of the ways to increase the effectiveness of phishing campaigns is to utilize a technique known as typosquatting, a form of cybersquatting, where attackers register a domain name that mimics a popular website. Whether this is a mistyped domain name (Amaon instead of Amazon) or a letter substitution (PayPai instead of PayPal), this is an important technique to know about. You might think that the ‘PayPai’ example looks obvious, but what about PayPaI, which is using a capital “I.”

We haven’t even gotten into the heart of phishing yet, the emails. Do you think that it’s easy to recognize a phishing email? Try again. I always laugh because enterprise phishing tests, designed to trick their users are incredibly obvious compared to the advanced techniques used by malicious attackers, yet they still manage to catch people. When the complexity of the mail increases, so does the likelihood of a good haul when the net is cast wide. Thinking you won’t get caught is hubris that you likely won’t be able to afford once you are. Just look at all the people falling for telephone scams on a regular basis and those are often much more obvious than phishing emails.

If you still aren’t convinced, let’s look at this from another angle. If you take a child to the mall around the Christmas season, they think they’re sitting on Santa’s lap. It doesn’t matter that Santa is tucked safely away in the North Pole preparing for Christmas day and they’re meeting one of Santa’s helpers. To that child, at that moment, the wonder and amazement they feel means that Santa is actually in front of them. They’re telling a magical elf exactly what they want for Christmas, pony and all.

The feeling they experience when they see Santa’s cousin, Ralph the Elf, at the mall instead of Santa Claus himself is no different than the feeling you see when you get a coupon that says save 90 percent at Sephora online when you click right now. You want it to be real, so it is and by the time you realize it isn’t, you’ve already paid the price. Still not convinced? Spend an hour browsing Facebook. In the past week, I’ve seen more than a dozen links shared that offer unreal coupons or fake shopping experiences. Even after pointing out they are fake, people still leave them up. We want a good deal, we want to believe that if we share a Facebook post, Bill Gates will give us a million dollars or that if we click this link, Walmart will pay us to shop at their store for one day only.

When you think about a phisher, they aren’t that unlike the elves at the North Pole. They need to manufacture a perfect email, just like when Santa’s elves make a branded product in their workshop. It wasn’t made at the Nintendo factory, but that Switch that Santa leaves is just as good as the ones the factory ships. The emails that these phishers send look just like emails from the actual stores. So, whether you’re a child looking at the tree on Christmas morning, or an adult reading your email over your morning coffee, it’s easy to see just how convincing these knockoffs can be.

Phishers are also like street magicians, making you see what they want you to see. Season 2 of Magic for Humans with Justin Willman dropped on Netflix recently. He goes to great lengths to create an illusion, to show his audience exactly what they want to see. In one segment called Sleight of Ham, he has a child bite a piece out of a slice of ham and after “shuffling” the ham, tosses the pieces against a car window. The piece with the bite is inside the car stuck to the window. I’m no master illusionist, but I dabble in sleight of hand and it doesn’t matter what the audience sees, it’s what they believe they see. I can take a deck of cards and cut it to the same card a dozen times, I can even make it appear real. That’s what happens with those phishing emails, they appear to be real and just like I’m not Justin Willman, they don’t have to be great, just good enough.

Finally, phishers have to be a little like a psychologist. They need to know what makes people tick. What drives people to click on links. Whether it’s a telephone scammer or a phisher, one of those big motivators is always fear. Around the holidays, however, greed or the desire for a good deal can drive people toward clicking on a malicious email. These days, everyone feels stretched thin and while it is popular to point out that you should never go into debt for Christmas, many people are going to overspend, so they’re also going to look to save. A good deal in your email, might just entice you to click that link and make a purchase.

We live in an era where brick-and-mortar stores are dying, where kids ask a jolly fat man for thousands of dollars in high-end electronics, and where a story of a reindeer with a red nose that perseveres bulling to become a hero is sadly still needed. All of this might explain why we see an email for a good deal just for us and we jump on it without a second thought.

Then again, it might just be a good reminder to visit your local businesses and value kindness this holiday season. Either way, take a page from Kris Kringle’s book and check twice, because there’s no guarantee that an email is naughty or nice.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.