Monday was predicted to be the biggest online shopping day ever – but the surge of online shopping in the run up to Christmas leaves organisations open to spear phishers tricking users into opening ‘order confirmation’ or ‘order tracking’ emails.
The 3rd of December was the UK’s Mega Monday – predicted to be the biggest online shopping day ever. With this influx of online purchases, employees need to beware of the ‘order confirmation’ emails that might not be everything they seem.
A lot of Monday’s online shopping likely took place from office computers enabling shoppers to snap up bargains without leaving work.
This surge in online shopping means that for the next few weeks employees could be naively opening ‘order confirmation’ or ‘shipping update’ emails without a second glance – often from work devices – leaving the door open for spear phishing attacks.
Spear phishing is an increasingly prevalent way for criminals to attack specific individuals or companies. Disguised as legitimate emails, these messages are designed to encourage the user to click a link or open an attachment, normally tapping emotions such as fear, greed or curiosity to get the recipient to react. Behind the innocent-looking exterior, however, is a phisher waiting to break into the corporate network in order to acquire sensitive information such as usernames, passwords and R&D data. In addition, we have seen phishers take advantage of understaffed IT security teams at this time of year to increase their rate of attack, meaning that when employees go through their emails there is a much greater chance a phish will be waiting for them.
All it takes is for one employee to open an attachment or follow a URL in an email thinking they are going to track their Christmas presents, and the criminals have got their teeth into your company.
The danger in online shopping is also no longer confined to computers. People are increasingly turning to mobile devices for their online shopping, and with many organisations adopting Bring Your Own Device (BYOD) policies, mobile phishing scams pose a great risk to companies as well: that text message offering a coupon if you click a link could open the door to the company’s network.
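The lures described above (order confirmations, shipping updates, tracking links, coupon texts) share a pattern that a mail gateway or security team can check for: seasonal wording combined with a link that does not go where it claims, or an attachment an order notice has no reason to carry. The following is an added example of such a triage check, written for this article and not code from the original post or any vendor; the sample messages, sender addresses and domains (`retailer.example`, `tracking-update.example`) are constructed, and the registrable-domain helper is a deliberate simplification that does not use a public-suffix list.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Wording the seasonal lures in the article lean on (plus "track your").
LURE_TERMS = ("order confirmation", "shipping update", "order tracking", "track your", "coupon")
# Attachment types an order notice has no business carrying (assumed list for this example).
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".docm", ".html")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A domain-looking token in link text, e.g. "www.retailer.example/orders" -> "www.retailer.example".
DOMAIN_IN_TEXT_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z][a-z0-9-]*)+)\b", re.I)


@dataclass
class Message:
    sender: str
    subject: str
    body_html: str
    attachments: list = field(default_factory=list)  # attachment file names


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess(msg: Message):
    """Return (flagged, reasons).

    Flag only when lure wording is combined with a technical red flag, so that a
    genuine order confirmation from the retailer's own domain is not reported.
    """
    reasons = []
    text = f"{msg.subject} {msg.body_html}".lower()
    lure = any(term in text for term in LURE_TERMS)
    sender_domain = registrable(msg.sender.rsplit("@", 1)[-1])

    for href, label in ANCHOR_RE.findall(msg.body_html):
        link_host = urlparse(href).hostname or ""
        # Link leaves the sender's own domain.
        if registrable(link_host) != sender_domain:
            reasons.append(f"link to {link_host} outside sender domain {sender_domain}")
        # Link text displays one domain while the href points at another.
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", label))
        if shown and registrable(shown.group(1)) != registrable(link_host):
            reasons.append(f"link text shows {shown.group(1)} but points to {link_host}")

    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable-style attachment {name}")

    return (lure and bool(reasons)), reasons


# Constructed sample messages: one legitimate notice, one lure.
SAMPLE_MESSAGES = [
    Message(
        sender="orders@retailer.example",
        subject="Order confirmation #12345",
        body_html='<p>Track your order at <a href="https://retailer.example/orders/12345">retailer.example</a></p>',
    ),
    Message(
        sender="orders@retailer-notifications.example",
        subject="Your order is on its way",
        body_html=(
            '<p>Track your parcel: '
            '<a href="http://retailer.example.tracking-update.example/track/7781">'
            "www.retailer.example/orders/7781</a></p>"
        ),
        attachments=["invoice.zip"],
    ),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flagged, reasons = assess(msg)
        print(f"{msg.subject!r}: {'FLAG' if flagged else 'ok'}")
        for reason in reasons:
            print("   -", reason)
```

The check is intentionally conservative: lure wording alone is what every genuine retailer sends in December, so on its own it only raises the bar of scrutiny, and the message is reported when it also carries a link that contradicts its own text or an attachment type that has no place in an order notice. In a real deployment the domain comparison would use a public-suffix list and the sender domain would be taken from an authenticated result (SPF/DKIM-aligned) rather than the From header, which this example trusts for simplicity.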
In an ideal world, employees would never use a corporate machine or network to conduct personal shopping. In the real world, however, the best defence is an educated workforce that can properly recognise and react to a phishing scam.