As the holiday season approaches, the season for cyberscams is also dawning. Cybercriminals take advantage of people's generosity during these days. Extra alertness is therefore even more important. Here is a preview of the tricks and trends that may continue to develop in the winter threat landscape.
1: Generative AI makes threat detection more difficult
Last year, many phishing attempts during the holidays showed the standard red flags, such as grammar and language errors. You can often see these at a glance. The expectation for this year is that attackers will use generative AI, the newcomer since the last holidays, when performing malicious activities. Deploying this technology makes detecting fake emails a lot harder, as texts appear a lot more authentic. Cybercriminals use generative AI in developing fake track & trace messages, for example. These kinds of messages are always a favourite of attackers, and are increasingly common during the holiday season. After all, a problem with ordered gifts is something no one wants.
So go one step further when assessing the authenticity of an email. Take a closer look at the messages and ask the following questions:
Is the message generic or personal?
Is it asking for unnecessary sensitive information?
Does the sender name match the e-mail address? (This is part of the security checklist that people learn during security awareness training)
Are you asked to pay a fee to receive a package? If so, refuse the delivery until you can confirm that it is legitimate.
2: TOAD scams may get an AI boost
TOAD, telephone-oriented attack delivery,is part of the threat toolkit, where attackers prompt victims over the phone to take unsafe actions. Again, generative AI enhances the credibility of TOAD attacks that capitalise on holidays. If an AI-generated e-mail successfully impersonates a legitimate company, the victim is more likely to call the phone number to which he is referred.
Generative AI also provides opportunities to expand scams during the holidays globally. For example, every year, during Christmas and New Year, there are scams targeting Western audiences. There is also a lot of travel for Lunar New Year in parts of Asia. Thanks to the availability of free AI tools, attackers can now quickly research which local, seasonal moments they can capitalise on.
Fortunately, generative AI does not improve interactions with the fraudulent call centre. When calling the TOAD number, there are still red flags. Provide extra alertness as the 'operator':
Follows a clear script.
Pressures you to take an action.
Speaks with a regional accent which you learnt during security awareness training is where call centre fraud often originates.
3: MFA bypass pops up more often
Companies send a lot of order and shipping messages during the holidays. And as a recipient, you more often log into your UPS, FedEx or DHL account while waiting expectantly, and with some concern, whether the order will arrive on time. Attackers take advantage of increased traffic and consumer concerns. Multi-Factor Authentication (MFA) bypass has been hugely popular since last year, and we continue to see an increase in its use to direct consumers to compromised account login pages or fake websites. Attackers design phishing messages that resemble real emails. In doing so, they tailor their messages to legitimate notifications. Cybercriminals steal account data in real-time by intercepting the MFA shortcode as soon as the victim types it on a fake or compromised login page. It is an ongoing threat trend. It is therefore expected that this technique will be applied to holiday-themed lures this year.
Avoid contact with unexpected messages about online shopping. Do not click on links in unsolicited or unusual e-mails or text messages. If you do want to confirm a purchase or delivery,go directly to a legitimate source. For example, type in the website address or call a known contact number.
4: Gift card fraud remains popular
Gift cards are popular and convenient - also for cybercriminals. Around December, this regular threat, which takes place via Business Email Compromise (BEC) - where attackers impersonate someone else - increases even more. This type of scam often starts in the workplace, for example via a short text message or e-mail testing how receptive the recipient is. Subsequent messages ask to buy valuable gift cards with company money, or to pay in advance with the promise of a refund. The goal? Prompting the buyer to share gift card numbers and the PINs so that the scammer can unlock them. In doing so, the attacker hooks into trust in personal and professional relationships. This enhances credibility. The cybercriminal also plays on the victim's emotions, such as pride that a business leader contacted them, or was part of something positive that makes others happy.
During these holidays, stay extra alert for warning signs, such as emotional appeals. And contact the executive making the 'request' through another channel, and always verify and validate the request.
5: Fake charities always donate to themselves
Cyber attacks exploit human emotions. Fake charities play cleverly on this. Attackers set up fake non-profit companies, or create websites that mimic well-known charities. And thanks to the successful recipe, cybercriminals continue to do so.
Attackers are expected to continue using familiar, heartwarming requests, such as donating a meal or helping homeless people. Or they will capitalise on global crises. Always stay alert for charity campaigns during the holidays. Attackers use all available channels at their disposal, such as phone calls, social media, printed materials and misleading advertisements. Work directly with official charities. Again, type the website URL directly into the browser and never click on links via unsolicited messages. These tips will help you get through the holidays and end the year safely.