Krebs on Security reports that since November hackers have been using a new spam technique – phishing emails disguised as order confirmations from Target, Costco, Wal-Mart, and other big retailers – to trick users into divulging their logins and passwords.
During the holiday season, spammers and hackers ramp up efforts to take advantage of shoppers. Every year, November and December are two of the biggest months for cyber threats.
What do these new phishing schemes mean for small business information technology? Phishing campaigns are a major threat to small business security, and they're particularly dangerous at bring-your-own-device workplaces. Let's look at how these scams work and what you can do to protect your clients.
How Spam Emails Threaten Your Clients
These new phishing emails look just like a confirmation you would receive from a major retailer. The email has a banner with the company logo and links that appear to go to the company site. The emails use subject lines like "Acknowledgement of Order," "Order Confirmation," and other generic phrases that appear legitimate.
However, the links in these emails route users through sites that steal their logins and passwords or download malicious software onto their computers. This could lead to security breaches of your client's…
- Bank account.
- Payroll information.
- Customer records.
They're the standard phishing threat dressed up in a festive holiday outfit.
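A defender-side check for the link trick described above, added here as an example that is not from the original post or from Krebs on Security: it parses an HTML email body and flags every link whose real destination does not belong to the retailer named by the sender line or by the link's own visible text. The retailer allowlist and the sample message are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Retailers the post names, mapped to their real domains (constructed allowlist).
RETAILERS = {"target": "target.com", "costco": "costco.com",
             "wal-mart": "walmart.com", "walmart": "walmart.com"}

def belongs_to(host, domain):  # host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, sender):
    """(href, retailer_domain) for links not going where sender or text claims."""
    claimed = {d for n, d in RETAILERS.items() if n in sender.lower()}
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. carry no web destination
        host = (parts.hostname or "").lower()
        named = {d for n, d in RETAILERS.items() if n in text.lower()}
        for domain in named | claimed:
            if not belongs_to(host, domain):
                findings.append((href, domain))
                break
    return findings

# Constructed sample: a fake "Target" confirmation with a lookalike tracking
# link, a genuine link, and a link whose text says Walmart but goes elsewhere.
SAMPLE_SENDER = "Target <orders@target-confirmations.example.com>"
SAMPLE_BODY = ('<p>Acknowledgement of Order #4471</p>'
               '<a href="http://order-status-check.example.net/t">Track your package</a>'
               '<a href="http://www.target.com/help">www.target.com</a>'
               '<a href="http://login-verify.example.org/w">www.walmart.com</a>')
```

Run `suspicious_links(SAMPLE_BODY, SAMPLE_SENDER)` and the two lookalike links are returned while the genuine target.com link is not; a mail filter would quarantine or tag such messages rather than rely on the employee to notice.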
Why Hackers Have Gone Phishing
For the most part, hackers are right to think that many users will click on these links without giving them a second thought. Engadget reports that the best phishing campaigns are extremely successful and trick users 45 percent of the time. Not only that, but once hackers have stolen login credentials, 20 percent of accounts are compromised within 30 minutes.
It isn't just individual users who are under attack: phishing attacks have become more common at small businesses. In our article, "Re: Your Recent Spear Phishing Attack," we reported that nearly 1 in 5 small businesses was targeted by an advanced phishing campaign. The percentage of attacks targeting small businesses increased by 66 percent from 2011 to 2013.
How to Neutralize Phishing Attacks This Holiday Season
Phishing schemes are so successful because they attack at the user level. It's impossible to police each of your clients' employees, and it's easy to see how an employee waiting for a holiday package to arrive would mistakenly click on this new spam.
So what can you do? Here are three steps you can take to educate clients and prevent a Christmastime lapse in their data security.
- Educate clients about phishing threats. Some IT consultants write brief newsletters to remind clients about new threats like this and best practices to avoid them. Whether it's an email alert, phone call, or other communication, a short message to a client can help prevent these attacks.
- Emphasize caution among clients who have BYOD workplaces. BYOD workplaces have a greater risk of malware or phishing attacks. The odds are that an employee's personal device doesn't have the same security software and protections as a company-issued computer. Additionally, an employee's family members may also use that personal device. All it would take is one click by an employee's child and malware could spread to your client's entire network.
- Enable two-factor authentication. Phishing attacks provide yet another reason to enable 2FA. For all important business accounts – bank accounts, cloud storage, email – your clients should use two-factor authentication. Even if their passwords are stolen, the second verification step can prevent hackers from accessing an employee's account.
Given how hectic things are during the holiday season, many clients will be tempted to put their heads down and not pay attention to data security alerts. But there's no doubt hackers increase their attacks during November and December. Remind clients about these holiday cyber threats and make sure they're actually paying attention.