The Holiday of Threats: Cybersecurity Over the Thanksgiving Weekend

Cyber threat actors know that s we approach the holidays our lives get considerably busier, which means less focus on business tasks and communications. They use this lull in focus, planning, and policy reviews to their advantage. Thought leaders in the cybersecurity industry have been warning us of this every year at this time, but some of us just can’t seem to get past the turkey, family time, and the shopping ads showing up in our emails.

Be mindful of phishing emails and smishing texts

Phishing attacks peak during holidays and soars by 52% in December, typically around Thanksgiving, Black Friday, Christmas, and New Year. 

Between deals and sneaking in “one last email” before putting on the Out of Office there is an increase in the number of emails and texts received over the holiday weekend. Alongside your favorite retailers, threat actors are also increasing the volume of their attempts. One of our favorite pieces of advice from our podcast episode “How to Recognize and Report Phishing” is to slow down and avoid taking any action (opening, clicking, forwarding, etc) on emails or texts while you’re distracted. (Yes, that includes while you’re enjoying a slice of pie while watching the Vikings game). The U.S. Navy Seal’s phrase “Slow is smooth, smooth is fast” is a reminder that the best way to move fast in a professional setting is to take your time, slow down, and do the job right.

So, how do you know if it’s a phish or smish? Some of the top ways to easily spot them are:

• The sender’s email address looks almost right but contains extra characters or misspellings
• There are misspellings or bad grammar either in the subject line or anywhere in the body
• They address you with generic terms (“Mr.” or “Ms.” or “Dear Customer”)
• The message is tailored to instill a sense of urgency
• The messages promise a refund, coupons, or other freebies
• The company logo in the email looks low-quality or outdated or isn’t the correct logo

(https://staysafeonline.org/online-safety-privacy-basics/5-ways-spot-phishing-emails/, https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams)

Over half (56%) of Black Friday spam emails received between October 26 and November 6 2022 were scams. Take a look at a couple of examples of what these may look like.

Be careful of fake sites

Amazon-related phishing sites approach 900 on Amazon Prime Day.

So what is a fake site?

Just remember the old adage about wolves in sheep’s clothing. By looking like something harmless, spoofed websites trick visitors into letting their guard down and disclosing sensitive information. Fake sites are designed to look like the sites they’re mimicking, down to the logo, branding, and content. Login pages and form submissions are popular targets for spoofers since they can yield high-value information. Fake websites are often accompanied by phishing emails. The email contains a link to the site and encourages you to click it, often using urgent or alarmist language like “verify your account credentials immediately!” or “unusual account activity detected!”.

How to spot a fake site:

• Incorrect URL 
  Sometimes this means the web address is “off,” like it’s missing a letter or uses a number substitution for a letter (think: “amaz0n” or “fac3book”). Other times, scammers make up URLs that sound plausible because they use words we commonly associate with that business. An example is “nortonantivirus.com” which is not associated with Symantec or the Norton Anti-Virus program.
  
• Insecure website
  All encrypted websites have two features you should look for: a padlock symbol in the browser window and a URL that starts with “HTTPS”.
  
• Typos and misspelled words
  Just like in the phishing and smishing guide above, misspelled words are a red flag.
  
• Low-resolution images or fake imagery
  Spoof sites often don’t look quite right. They’re not as sleek or polished as the high-end companies they’re trying to mimic. They use low-resolution images that look fuzzy or pixelated. They may use an incorrect or outdated version of a company logo. Sometimes the whole site just feels off, like it’s been built using a low-end template.

Avoid using work emails when signing up for Black Friday deals

You’re getting ready to snag that limited-time deal and your phone auto-fills your business email address. We’ve been there, but here are 5 reasons why you should avoid using your business email for personal:

1. It makes profiling easier
   Before sending a phishing cybercriminals harvest information online, using specialized tools to learn which address someone uses on social networks, online platforms, and more. Using a business address for nonbusiness purposes makes you easier to profile, thereby making you more vulnerable to spear-phishing in the first stage of an attack on the company.
   
2. It facilitates spear-phishing
   Cybercriminals choose the tactics that they think will earn the click. If they learn you’ve used your business email address to register elsewhere, let’s say a retail store online, then they know you’re likely to fall for a phishing email. All they have to do is disguise their message as a legitimate notification from that retailer that you really are registered on.
   
3. It provides criminals with a smoke screen
   Typically, all a cybercriminal needs for an attack to succeed is time. That’s why many services send a note to the account holder if you or anyone else tries to log in from an unknown IP address or attempts to change the password. Of course, to get ahead of the hackers, you need to know about those warnings as soon as possible. To that end, arrange a riot of notifications in your mailbox. If you’ve linked your address to outside resources, when hackers (or their bots) begin trying to brute-force your social network and other personal accounts, your inbox will quickly fill with warnings and alerts.
   
4. More mass phishing and malware in the inbox
   When it comes to securing customers’ data, not all online resources were born equal. Leaked databases are a popular resource with mass spammers, who simply buy lists of addresses to flood with malicious links or phishing messages. This means that the more resources you tie to your business mail account, the more potential threats you’ll see in your inbox.

Now that you’re using a personal email, make sure it’s paired with a strong password

36% of people engage in bad password habits because they believe their accounts are not valuable enough for hackers. (LastPass). Now pair that with the stat from Verizon Data Breach Investigations Report, that compromised passwords are responsible for 81% of hacking-related breaches. Needless to say, a key part of overall information security is securing your passwords.

What consists of a bad password vs a strong password? According to NIST guidelines, a strong password meets the following criteria:

• A strict eight-character minimum length
  Conventional wisdom says that a complex password is more secure. But in reality, password length is a much more important factor because a longer password is harder to decrypt if stolen. We recommend a unique randomly generated password for each site as part of a best practice for password usage.
  
• Not changed periodically
  Many companies ask their users to reset their passwords every few months. However, frequent password changes can actually make security worse. It’s challenging enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as ! instead of I).
  
• Doesn’t Include a “Password Hint”
  With the constant dissemination of personal information on social media or through social engineering, the answers to these prompts are easy to find.
  
• There is a to how many times the password can be attempted
  Many attackers will attempt to gain access to an account by logging in over and over again until they figure out the right password (brute-force attack). 
  
• Used with Multi-Factor Authentication (MFA)
  The NIST guidelines now require the use of multi-factor authentication for securing any personal information available online. Multi-factor authentication (MFA), also known as two-factor authentication (2FA), requires that users demonstrate at least two of the following in order to log in:
  • “something you know” (like a password)
  • “something you have” (like a phone)
  • “something you are” (like a fingerprint)

Avoid unprotected wifi while traveling

The same features that make free Wi-Fi hotspots desirable for you make them desirable for hackers – that it requires no authentication to establish a network connection. This creates an amazing opportunity for access to unsecured devices on the same network.

What are the dangers of using public wifi?

• Malware, Viruses, and Worms
• Rogue Networks
• Network Snooping
• Log-in Credential Vulnerability
• System Update Alerts
• Session Hijacking

So how do you stay protected when you need to connect to wifi while away from home?

• Use a VPN
  Encourage employees to use a virtual private network (VPN) when connecting to a free, public WIFI. A VPN establishes a secure, encrypted tunnel from a device to the internet.
  
• Install anti-malware on devices
  Apply anti-malware and Endpoint Detection & Response (EDR) to all employee devices to block unauthorized, malicious access. Further, ensure all employee devices have up-to-date software to leverage any newly released security or bug fixes.
  
• Turn off WIFI auto-connect
  Encourage employees to avoid auto-connecting to WIFI and Bluetooth.
  
• Check website security
  Train employees to check for HTTPS in the website’s URL before entering any confidential information.
  
• Build employee security awareness
  Many employees using public WIFI are likely unaware of the security threat to their business data and devices. So, provide consistent security awareness training to ensure your employees are up to date on the dangers of using public WIFI and well-versed in measures to protect information shared over these networks.
  
• Get a password manager
  As discussed earlier, using strong passwords is crucial. Password managers are a digital tool that can encrypt and securely store all passwords, as well as generate unique passwords for different accounts. This can limit the scale of a cyberattack even if a hacker gets access to one password through an infected public WIFI network.

It might be a holiday weekend, but that doesn’t mean you shouldn’t be vigilant.

Have additional questions or want help implementing tools? We’ve got an in-house team and additional tools to look deeper into your systems, but those are best discussed in person. Think of this as a gentle nudge, get in touch with the team at CIT, and let’s review your security plan. Email us or call today.

Want to learn more? Listen to our podcast while traveling