‘Tis the Season – Cybersecurity and Holiday Shopping

The holiday season has traditionally brought out cyber criminals looking to take advantage of the influx of online consumer activity, and in a year where online shopping is primed to be at an all-time high due to the affects of coronavirus, threat actors will be out in droves.

A recent survey from creditcards.com reports that 70% of Americans plan to make the majority of their holiday purchasing online, up nearly 20% from 2019. While online shopping has been an option for many years, this year it may be the only option for the majority of consumers. This increase is not a surprise due to a combination of social distancing considerations and many popular retail chains opting to close for the holidays due to the current pandemic. In fact, a number of popular retailers have already pivoted their holiday sales strategy, offering early access to Black Friday and Cyber Monday as early as October.

While the annual reminder to keep your online shopping secure during the holiday season is not new, it is especially important to remind your end users amongst a tumultuous fourth quarter that has included new travel restrictions and modified family plans due to coronavirus, as well as the aggressive push retailers are making to end the year on a positive fiscal note. We know threats come in all shapes and sizes, especially in 2020, so here are some helpful tips to help keep yourself, end users and organizations secure during the holiday shopping season.

Separate Personal Activity and Work Devices

I think most of us can say that we are guilty of shopping online while using company equipment, but with the number of us working remotely, the separation between conducting personal activity and work devices has never been more important. Simple browsing activity such as online shopping or searching for the latest sports article can lead to security issues that can directly impact not only the device, but the security of an entire organization.

Our recent whitepapers, Staying Secure from Home and Securing a Remote Workforce, offer best practices to help organizations keep their data and end users safe in our increasingly remote environment.  We also introduced a Cybersecurity Tips from Home video series that makes a great resource to share with your organization.

Don’t Go Phishing

Despite the alerts and constant reminders about phishing attacks, the simple fact is that they work, which is why it’s no surprise researchers have reported a near 80% surge in email phishing campaigns over the recent weeks ahead of the 2020 holiday shopping season. Targeting online shoppers, the phishing emails focused on terms such as special offer, sale and X% off, in fact the number of special offer phishing campaigns over November 9th and 10th exceeded the entire first week of October.

One of the more popular attacks this holiday season was sent under the guise of popular jewelry store Pandora. Adding legitimacy to the attacks, the solicitation was sent from an email address with an Amazon domain. Other phishing attacks may include fake shipping notifications, travel promotions or customer service focused messages. Despite the fresh coat of paint the holiday shopping season gives phishing attacks, their key elements mostly stay the same.

Learn more about how to spot a phishing attack in our previous article, Six Common Elements of Phishing Scams and How to Spot Them.

Shop on Verified Sites and Apps

During the holiday season many consumers are on the lookout for the absolute best deal possible and they can make the mistake of shopping on unsecured sites that offer huge discounts or advertise online coupon codes. When shopping online be sure you are using verified sites and never enter payment information on sites unless you are 100% confident the site is legitimate and secure. And while many of us are trained to look for the https prefix on addresses as a sign of security, malicious websites are getting more sophisticated at appearing legitimate. This also applies to mobile apps that may promise steep discounts or early access to deals only to lead users to corrupt sites. Remember, if you spot a deal that is too good to be true, it probably is – even in the holiday season.

Update Your Passwords

Even if you securely store your passwords, if a site you visit is part of a breach, chances are your passwords have been compromised. Chances are the popular shopping sites you have an account with have most likely been breached and it is safe to assume that they are being actively targeted. This is why the holiday season is a good time to refresh your passwords and monitor your accounts for unusual activity.

Another option to ensure password security is using password management software, which essentially acts as a master lock for all of your passwords. Password managers not only add a layer of convenience to password security, but many help you create strong passwords with stringent requirements. Many password management software providers, such as LastPass and 1Password, offer options for personal and enterprise security needs.

Avoid COVID-19 Themed Attacks

As COVID-19 numbers continue to surge, many of the initial pandemic themed attacks are resurfacing in an attempt to take advantage of the confusion surrounding new guidelines, PPE and vaccine news. The FBI and Better Business Bureau are trusted sites that can be referenced for the latest alerts and updates on fraudulent activities related to COVID-19. We also encourage you to download and share our Avoiding COVID-19 Scams Infographic to reinforce identifying and avoiding these themed attacks.

Due to the impact of the coronavirus, we know first-hand that this holiday season is unlike any other in recent memory, but if there is one holiday tradition that we can keep going during all of this, it’s keeping ourselves, organizations and data secure online. 

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Incident Response Team is available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident.