Watch out for phishing scams this Christmas

Christmastime in the workplace is often a time of monumental boredom, as you put off starting any new projects before the end of the year and start counting down the days until your holiday begins.

With all this time to kill, it’s easy to see how you might be more likely than usual to let curiosity get the better of you.

No longer overrun with work and only responding to emails days later – at which point you’ve already discovered that the email from your colleague that you skimmed but didn’t have time to open is bogus – you might now instead idly click the attached link as it’s something to keep you busy.

And once you’ve taken the scammer’s bait, you expose your organisation to a world of trouble. Some phishing scams contain links to websites that replicate a real site with the intention of nabbing your login details, whereas others contain attachments loaded with malware.

Either way, falling victim could cause you and your organisation a massive headache. With access to your username and password, criminals can break into your account and steal sensitive information.

They might also try to leverage their attack by imitating you in an email to a colleague, requesting information.

As such, HR departments are a prime target for cyber criminals. Accessing employees’ payroll information gives them the option of redirecting payslips to an account the criminal hacker controls or using the information to conduct tax fraud.

Crooks have even more options if they use malware. The malicious code can do any number of nefarious things, including capturing a computer’s keyboard activity to steal usernames and passwords, tracking browser habits or enslaving its CPU to form part of a botnet.

Your biggest concern

Organisations should arguably be most worried about ransomware. This method often begins with malware sent in phishing emails, and reached the mainstream with 2017’s WannaCry outbreak.

In that attack, and hundreds since, organisations’ computers were locked down, with a message instructing victims to make a payment to restore access to their systems.

Dozens of organisations each month disclose ransomware attacks to authorities and the public, and many more fall victim but don’t make it public knowledge.

The rise in ransomware can be attributed to poor organisational planning. There are steps you can take to mitigate attacks and avoid the possibility of having to pay the blackmailers, but too few organisations have those measures in place.

As such, when organisations come under attack, many feel compelled to pay up to restore their systems. This quick fix might seem like the best option at the time, but it doesn’t solve everything – and it might compound the situation.

For example, giving criminal hackers tens of thousands of pounds encourages them to launch further attacks and fuel the cyber crime industry.

The US government faced this problem earlier this year, when there was a spate of attacks against cities. Eventually, the US Conference of Mayors voted unanimously to stop paying ransom demands.

Lack of education

Another reason ransomware – and email-based threats in general – have been allowed to flourish is a lack of staff awareness surrounding the threats.

Employees are an organisation’s primary line of defence when it comes to scams. If they can detect a suspicious email, organisations don’t have to rely so heavily on technology and policies to mitigate the damage.

You can take the first step in protecting your organisation by enrolling your employees on our Phishing Staff Awareness e-learning course.

This 45-minute course gives staff a comprehensive overview of everything they need to stay safe.
