Holiday Phishing Scams

Every year as we approach the holiday season, millions prepare to celebrate a popular Italian annual tradition: the Feast of Seven Fishes. But while most individuals look to this tradition, and the surrounding holidays, as a time for joy and celebration, others see it as an opportunity. 

Holiday seasons mark the time when cybercrime will be at the highest rate it’s been all year, as attackers take full advantage of the increase in online spending and overall network traffic. Each year, it’s critical to be aware of the most relevant security issues plaguing businesses and consumers and how you can take steps to keep yourself protected.

So as you get ready for your own holiday celebrations, here are seven “phishes” you’ll definitely want to avoid this year.

1. Spear Phishing

Email scams and social engineering attacks have evolved considerably over the years. Spear phishing is a product of this evolution and refers to a highly targeted messaging campaign against a specific business or individual in an effort to gain sensitive information. By knowing intimate details about the intended target, such as names, addresses, contacts, and interests, attackers can pose as credible sources and begin to source the information they need. This information can be in the form of usernames and passwords, social security numbers, banking information, and other sensitive materials.

2. Whaling

Whaling is another step up from spear phishing campaigns and is intended for larger, high-profile targets. These targets can include the C-suite, commonly made up of CEOs, CFOs, and other top-level executives. Similar to spear phishing schemes, whaling campaigns are highly personalized and relevant to the intended target. Often, messages used in these campaigns are designed to demand a quick response, distracting the victim from spotting red flags in the email body or subject line while they reply with sensitive business information or open malicious files attached to the message. These messages are usually designed to look like a high priority, such as a threat of legal action or harm to the brand if they go unanswered.

3. Domain Spoofing

Domain spoofing is a common form of phishing where attackers create a fraudulent copy of a well-known website in an effort to get the victim to share their login credentials or other sensitive data. After receiving an apparently legitimate email from a company they already do business with, many people automatically let their guard down and are less skeptical about the contents or source of the mail. The mail is usually centered around a request for the user to update their profile or log in to their account. Of course, the links in the mail lead to the fraudulent website mentioned above, so by logging in, users are unwittingly handing their username and password to the attackers. Attackers now even go so far as to create complete duplicate websites under domain names that closely resemble those of major organizations, further raising the likelihood that they will obtain the information they are seeking from their victims.
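As an added defender-side example (not code from the original post or from Comodo), the following Python script flags email sender domains that imitate a trusted domain in the ways described above: a one-character typo, a digit-for-letter substitution, a trusted brand used as a subdomain of an unrelated domain, and a brand name embedded in a longer registered name. The trusted-domain list, the homoglyph table and the sample addresses are constructed for this illustration; the registrable-domain split is a simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Lookalike sender-domain check for phishing triage (added example)."""
from __future__ import annotations

# Constructed allow-list; a real deployment would use the organisation's
# own list of partner and vendor domains.
TRUSTED_DOMAINS = ["comodo.com", "paypal.com", "microsoft.com"]

# Visual substitutions commonly seen in lookalike registrations (constructed).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Collapse confusable characters so 'rnicros0ft' becomes 'microsoft'."""
    out = label.lower()
    for bad, good in HOMOGLYPHS.items():
        out = out.replace(bad, good)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 1 means a single-typo lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def classify(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    labels = domain.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # simplification: last two labels
    if registrable in trusted:
        return "trusted"
    brand = labels[-2] if len(labels) >= 2 else labels[0]
    for t in trusted:
        t_brand = t.split(".")[0]
        # Brand used as a subdomain label: paypal.com.secure-login.net
        if t_brand in labels[:-2]:
            return "lookalike"
        # Typo, homoglyph or TLD swap: paypa1.com, microsft.com, paypal.net
        if levenshtein(normalize(brand), t_brand) <= 1:
            return "lookalike"
        # Brand embedded in a longer registered name: comodo-support.net
        if t_brand in brand:
            return "lookalike"
    return "unrelated"


def scan(addresses, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify each sender address; returns {address: verdict}."""
    return {a: classify(sender_domain(a), trusted) for a in addresses}


if __name__ == "__main__":
    # Constructed sample senders, not real messages.
    samples = [
        "Billing <billing@paypal.com>",
        "Billing <billing@paypa1.com>",
        "alerts@paypal.com.secure-login.net",
        "support@rnicrosoft.com",
        "help@microsft.com",
        "renewals@comodo-support.net",
        "newsletter@example.org",
    ]
    for address, verdict in scan(samples).items():
        print(f"{verdict:10} {address}")
```

The substring check for an embedded brand is deliberately aggressive and will produce false positives for short brand names; in practice the verdict feeds a triage queue rather than an automatic block, and the trusted list should be the organisation's own.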

4. Evil Twin

Evil twin is a method of phishing attack used to eavesdrop on wireless communications. Attackers set up a fake wireless access point as a way of inviting users to connect to their system. While victims are prompted to enter sensitive information like their names, email addresses, usernames, and passwords in order to gain Wi-Fi access, the attackers are able to compile a quickly growing list of compromised credentials. Attackers can create fake Wi-Fi hotspots fairly easily, by configuring the wireless cards on their laptop or server to act as a hosted access point.

5. Smishing

Smishing has become a growing problem since the rise of smartphones and the popularity of phishing schemes. Smishing refers to any type of phishing technique that relies solely on SMS messaging. It has become an increasingly popular tactic for attackers because victims are more likely to trust the source of a text message than of an email. Attackers leverage this trust by posing as one of your contacts, often a family member, in order to extract sensitive information. Another reason these tactics are so successful is that older mobile devices have very little ability to detect this form of fraud, making the success rate much higher than for other forms of attack.

6. Scripting

Similar to domain spoofing, scripting is another form of attack that involves the use of malicious websites and social engineering to achieve the goals of the attacker. Attackers design web pages to look and feel like a normal page from a website, but behind the scenes, there are malicious scripts ready to run on the visitor's machine through the web browser. Once the user navigates to these pages, the scripts run automatically in the background, oftentimes completely undetected, and can be used for a number of malicious purposes. Scripting can be used to inject dangerous malware into systems, install spyware that logs keystrokes and records passwords, or encrypt systems and destroy sensitive data.

7. Man-in-the-Middle Attacks

Man-in-the-Middle (MITM) attacks are another form of eavesdropping technique where attackers act as the silent middle person in the interactions between two parties. MITM attacks can play out in multiple scenarios, but they are typically executed the same way. Attackers first start with a spear phishing campaign designed to manipulate a user into logging in to a fake or compromised network. Once this is done, the attackers are able to silently observe online interactions between victims and their banking institutions or other accounts where sensitive data is exchanged, all while going entirely undetected by either party.

Phishing has become a popular social engineering technique that takes many shapes and forms. Still, ultimately, the goal of any phishing campaign or tactic is the same – to gather as much sensitive information as possible about you or your business with malicious intent. But simply knowing about these seven common phishing techniques isn’t enough to keep yourself protected now and in the future.

Cybersecurity should be a primary focus for all customers and enterprises as they approach the holiday season, and investing in leading security solutions and services is one of the most effective ways to stay protected against these common phishing tactics.

To learn more about how Comodo’s endpoint detection and response security solutions can work for you, contact us today to schedule a free demonstration.