We know that keeping your users safe from retail, flight and travel scams during the holiday season is a high priority. So, we’ve organized a special gift for you to help your users learn how to spot and avoid fraud—and keep their holidays merry and bright. It’s the complimentary Proofpoint Security Awareness Holiday Kit for 2021!
As pandemic restrictions have eased in the latter half of 2021, more people are making travel plans and shopping online for all the relatives they’ll get to see in person this year. And scammers aim to take advantage of this busy season—and people’s distraction—to disguise socially engineered attacks as legitimate travel and shipping communications.
Online shoppers are key targets for holiday-themed phishing emails
Many people visit online stores to shop for holiday deals and receive shipping and retail offers via email, text and social media. Many holiday shoppers are working remotely this year and accessing websites outside the corporate network using company devices. So, of course, many attackers will use corporate retail communications to mask their holiday-themed phishing emails.
It’s critical that users know how to distinguish legitimate emails and offers from fraudulent campaigns designed to steal their credit card information or other sensitive data. A helpful way to educate users on how to identify these scams is to show them what phishing emails look like. Below are some examples of common phishing scams related to shipping and purchases from retailers.
Brands like Apple with a large, global audience are prime candidates for impersonation by malicious actors. As Figure 1 shows, attackers will insert malicious links disguised as tracking numbers into emails that convincingly mimic legitimate correspondence from retailers.
Figure 1. Attackers often use shipping status to lure their victims into clicking on malicious links that direct them to a phishing site
Electronics are common purchases during the holiday season. And with users anxiously awaiting the arrival of their presents in time for the holidays, they might not think twice about clicking on the tracking numbers in an email from a well-known retailer. This is an example of attackers using fear to motivate consumers to click on links before they can identify whether the email they received is from a reputable source.
Also, fraudulent business subscription emails featuring festive pictures and engaging messaging can evoke positive emotions. (See Figure 2.) This approach lowers users’ guard and entices them to click on malicious links with the promise of free gifts. But once they do, that link may take them to a webpage that downloads malware on their system or directs them to a phishing site. By the time they try to exit the malicious page, they’ve already been compromised.
Figure 2. The promise of free items entices users to click on malicious phishing links
Fake travel and flight notifications
Cyber criminals also benefit from the flurry of travel plans many consumers make during the holidays. After people book lodging, for example, they expect to receive a reservation confirmation by email. And because they may have paid or committed to pay a large sum of money to secure their lodging, they want to ensure that everything is right with their transaction. So, they often fall for scams that urge them to confirm their bookings.
Figure 3 shows an urgent action item designed to motivate users to click on a link and provide their credit card details or other personal information. Attackers will copy logos and images from the original website to make the message appear legitimate. Because people receive many emails like this during the holiday rush, they might not spend enough (or any) time hovering their mouse over the link to determine if the message is a potential scam.
Figure 3. Sample hotel booking confirmation phishing email, which uses urgent words like “immediately” and “carefully” to convince people to click on a malicious link
Attackers are persistent and crafty. They will often insert multiple links disguised as different action items to ensure users click on at least one. Figure 4 is an example of a flight confirmation where attackers even went to the trouble of providing legitimate flight information. They also use phrases like “take control,” “encourage you to review” and “easy” to pique people’s curiosity and prompt them to click on a phishing link and provide their personal information.
Figure 4. Scammers will insert several links in the email body to increase the odds of people clicking
Threat research from Proofpoint shows that about 7% of all users fell for this sample attack. That’s not an insignificant percentage when you consider that these communications are sent to users around the globe.
Raise cyber-threat awareness with the Proofpoint Holiday Security Awareness Kit
Cybersecurity best practices and user knowledge are critical to maintaining a strong security posture. To help organizations raise awareness of fraudulent cyber activity during the holiday season, Proofpoint has curated a selection of resources to help your users stop the scammers during this very busy shopping and travel season.
The Proofpoint Holiday Security Awareness Kit provides written, visual and video content that can be emailed, displayed, posted or presented throughout the season. In the kit, you’ll find descriptions on how to use the materials, along with a suggested communication plan and schedule.
Figure 5 provides an overview of the guidance and tips we provide in our kit to help you successfully execute a holiday awareness campaign with a suggested communication plan and schedule.
Figure 5. Proofpoint Holiday Security Awareness Kit materials include flyers, short videos and PDFs that reinforce learning principles and strengthen user knowledge on common phishing tactics and scams
The best way to help users stay safe during this festive but fraud-filled season is to provide them with bite-sized security awareness training and posters to help them learn common tactics attackers use to steal their information. In our complimentary kit, we provide a sample four-week rollout of activities to help your users stay protected:
- Week 1: Launch the program with a “Holiday Shopping Hazards” PDF
- Week 2: Make it relevant with the “Holiday Retail Phishing” training video and infographic
- Week 3: Connect security awareness training to holiday bookings with a flight confirmation flyer and video
- Week 4: Reinforce learning with a travel-related cyber scams flyer and training video
To learn more about the Proofpoint Security Awareness Training solution, download our solution brief.
Subscribe to the Proofpoint Blog