‘Tis the season for holiday scams

By Steve Metzer, The Journal Record, December 13, 2019

The unexpected email, the ninth one down on a long list in the inbox, immediately catches the eye.

“Your order confirmation,” the subject line reads.

A natural inclination would be to open it, to find out just what “order” the sender is referring to and maybe even to click on any attachment that might be included. After all, nobody wants to be billed for something that might be delivered by mistake.

“Your instinct is to click on it and investigate, but what you really need to do is take a pause and think about it,” said cybersecurity expert Jeremy Price. “You don’t know what’s on the other end of that link.”

Other mystery emails that can cause an immediate jump in the heart rate but that should be considered only with healthy suspicion might refer to some “payment accepted” or “activity on your account” or “package not delivered.”

Price, the practice lead for Tulsa-based Stinnett & Associates Cybersecurity and Data Privacy Consulting & Advisory Services, said such messages that might at first seem legitimate – and especially those requiring “immediate attention” – are very likely to have been sent by scammers. The scammer’s end game, he added, might be to unleash some “malware” or “ransomware” to infect a victim’s computer or other device. When that’s done, bad things can happen. The person’s every keystroke might thereafter be recorded, making things like passwords and account numbers extremely vulnerable. The computer’s camera might be turned on without the owner’s knowledge, leaving the person open to lots of creepy outcomes. Ransomware might even go to work encrypting every file on the computer, effectively locking the owner out, with the idea that they’d have to pay the scammer money to make the files accessible again.

While such scams are woefully common, their numbers spike during the holiday season, Price said. One reason is the increased amount of shopping that people do online at this time of year. Beginning next month, Americans can expect to see an increase in scam messages related to tax season, he said.

It’s estimated that about 60% of email scams are targeted at individual consumers, but many, including so-called “spear phishing” attacks that can be quite sophisticated, are launched against businesses. Price explained that the motivation might be to orchestrate some fraudulent financial transaction or to gain some leverage against the business or its clients or vendors.

Such business “email compromise attacks” can be devastating. Price said nine reported recently by the federal Securities and Exchange Commission involving publicly traded companies culminated in financial losses totaling $100 million. The FBI has reported that fully 60% of small businesses that suffer cybersecurity breaches end up out of business within six months. The average cost per compromised business record is $148, and the average number of records compromised in a breach is 26,000, making for an average cost per successful attack of $3.85 million.

While some businesspeople might consider cybersecurity something only information technology staffers need to worry about, it should be of concern to everyone who draws a paycheck. It’s important to have robust and up-to-date computer system protections, but it’s also extremely important to have “process controls” in place, Price said. Any employee of a business with access to sensitive information should know, for example, to immediately raise questions on receiving an emailed request for some action outside the normal routine. He noted that spear phishing attacks might very well involve researching the names, titles and other background information of employees, including things that might be uncovered by snooping through social media, so that when a predatory email is eventually sent it will seem that much more legitimate. As an example, such an email might appear to have been sent by a known company purchasing manager asking for an updated list of vendor accounts and billing statements.

“(Scammers) have definitely sharpened their skills tremendously and are using technology better to avoid detection,” Price said.

Some victims of scams have even been directed to Internet sites that appear to be those of well-known businesses but that are actually just clever replications created by criminals. Some have reported calling phone numbers that they thought were legitimate, associated with a known business, only to find out later that the numbers were posted by scammers.

The best policy, Price said, is to never rely on some unknown, unsolicited source for important information. Never click on a “link” to some website sent out of the blue by some unknown individual. Never rely on such an individual to provide a legitimate phone number for a business.

Attacks can originate from anywhere on the planet. The cybersecurity expert said some launched on larger scales may be associated with organized crime or even international terrorism.

“It’s definitely scary,” Price said. “If they can create a sense of urgency in the email they send you, you’re more likely to click on an attachment. (But) people and organizations need to be vigilant and do what they can through technology, people and processes to reduce the risk of that happening.”

Peter Moenickheim, chief risk officer at Gateway First Bank in Jenks, agreed, adding that people should feel well within their rights to call banks or other businesses they deal with to find out about their cybersecurity protocols. He said the holiday season, too, is a good time for people to double-check their own data security. It’s important for computer and phone software to be up to date, he said, and for automatic security updates to be enabled. He said people should plan to reset their passwords at least once a year and take great care to always keep them secure.

Here are some suggested ways to safeguard against five kinds of cybersecurity hacks:

  • Holiday Phishing Attacks
    Is your inbox starting to fill up with online holiday deals, shipping notifications or charity donation requests? If you don’t know who sent them, delete them.
  • Business Email Compromise
    Business email compromise or digital invoice fraud has become a $6 billion industry for cybercriminals. BEC attackers gain access to a company’s email account and “spoof” employees or vendors, often asking for wire transfers or gift card purchases.
  • Ensure IT Systems Are Secure
    With most employees taking vacation during the holidays, it may be harder to identify an enterprise-wide system breach. Make sure your IT staff is on high alert.
  • Two-factor Authentication
    Looking for that perfect gift? So are fraudsters – at your expense. Implement an extra layer of security by sending a one-time passcode to your device.
  • Consider Penetration Testing
    Gift yourself peace of mind this season by uncovering vulnerabilities before hackers infiltrate your network. With cyberattacks becoming the norm, Stinnett recommends regular penetration tests to identify weaknesses, strengthen security controls and keep sensitive data safe.