By: John Schroeder on December 14th, 2022


Keep Your Business Cyber Safe This Holiday Season with These 8 Questions

“The most wonderful time of the year” is wonderful for us AND cyber criminals. During the holidays, our lives are often filled with much more excitement and activity than the rest of the year. Cyber criminals are great observers of human behavior, and they see opportunity in these changes in routine.    

This blog will cover eight areas where you should practice more caution at this time of year. While these considerations are important throughout the entire year, we’ll discuss why they are especially important during the holiday season. To keep your business safe, ask these eight questions and discuss them with your team.

1. Do you share year-end bonus or recognition announcements on LinkedIn?

In general, you should never post details of financial awards on LinkedIn or any other social media.   

Focus your social media posts on achievements rather than gifts given. For example, you could post that your team visited a children’s charity, but don’t mention the $500 Amazon gift card you donated. 

Social media serves as a contact list with built-in search capabilities that makes life easy for phishing scammers. If a hacker notices a post about a company giving its employees gift cards for the holidays, for instance, they will know all employees of that company may be especially susceptible to phishing techniques. Malware actors are especially good at phishing by using “payment card issues” as their lure. 

2. Are your marketing data collection activities different during the holidays? 

Review the customer information you seek to collect and consider whether all the data points are necessary. For companies in states with personal privacy regulations, be certain the data collected aligns with your company’s privacy policy.   

Evaluate your strategy. Business contact information such as name, title, phone number, email address, and business mailing address is considered acceptable. Information you collect for your CRM such as hobbies, family, travel, and business activities is generally acceptable, but you should use a system that encrypts the data. Avoid children’s names, full birthdates, home addresses, and other data considered confidential. Data regarding medical issues, credit card and financial records, race and culture, political activities, and gender data (except preferred pronouns) should not be collected unless it is integral to your business processes and properly protected. Storing contacts’ birthdates could cause serious harm if your system is hacked.

Data that has no value for generating revenue should be bypassed. In today’s business and social environment, data we store could be a liability if lost to the hands of a hacker. Limit what you collect. 


3. Do you recognize the organizations that request donations?

The holidays are a great time to emphasize charitable giving, but be wary of donation and philanthropic requests – especially those that arrive via email or social media. Does the sender provide a legitimate website and verifiable information like physical address or registration credentials?  

World and local events that inspire humanitarian aid are regularly leveraged by fraudsters. Social media like GoFundMe help many worthy causes, but the ease of creating sites or mimicking real sites of aid organizations can lead to financial loss or credential theft.  

A few minutes of investigation is worth the time. Use Google and ask around to find out if others have contributed to the organization. Reddit and Yelp may have reviews as well. If the charity is fraudulent, a search may return no results, or a search could show complaints about the fictitious name.  

Many states have registries for charitable organizations. Contact your state’s Attorney General office to report suspected fraud or to obtain reliable information.

4. Are you looking out for phishing?

In 2022, social engineering led to 82% of data breaches, according to the Verizon Data Breach Investigations Report. Phishing accounts for 68% of social engineering techniques, making it #1 for cybercrime. The holidays will amplify the number of fictitious package delivery notifications, “2nd attempt” notices, and “you’re a winner!” messages in your inbox. Media coverage and awareness of the phenomenon have not reduced the problem; phishing continues to grow year over year. Here are some specific tactics to look out for:

  • Electronic greeting cards: E-cards are efficient and easy to send, and they’re quickly replacing paper cards. If you receive a holiday e-card, you can appreciate the warm wishes from your customers and supply partners, but do not click on any links. The more enticing a link appears, the more important it is not to click; an e-card that includes an offer for a free gift or Amazon card should be treated with extreme caution.  
  • Online orders: Keep track of your online orders. Most vendors make order and delivery statuses easy to find, so you can track deliveries and know what will be showing up at your office and when. The challenge is the volume of messages sent via email and SMS. Unfortunately, vendors like Amazon don’t allow control of shipping and delivery notifications. The best practice is to not reply or click on a delivery notification sent to email or SMS. If there is a concern, go back to the vendor website and review the order.  
  • Prize and gift notifications: As for the “You’re a Winner” and “Prize is Waiting for You” email and SMS messages, you should ask the simple question of “Did I expect a message from that company or organization?” This tactic is so prevalent it’s safest to assume any such message is a scam – especially during the gift giving season. 

The above list of phishing tactics is far from all-inclusive, but these are some of the most common schemes to look out for during the holiday season. 

5. Are you paying attention to who delivers and picks up packages at your office?

UPS, FedEx, USPS, and other logistics companies will hire seasonal staff for the holidays. Instead of one delivery or pickup each day, there may be two or more, depending on your volume. Don’t hesitate to ask the new drivers about their routes and whether you will see them daily during the holidays.  

Be observant of unrecognized visitors, too. Does your office have a vendor for seasonal decorations or catering? Remind staff to be vigilant by paying attention to who shows up and where they go.  

Loading docks and reception desks are two of the most important locations for video surveillance. Now is the time to invest.

6. Are you or your coworkers using unapproved technology?

We all love the latest gadgets, but it's important to remind staff why those gifts should stay home and not be connected to the office network. Automation assistants like Amazon Alexa and Google Home could violate HIPAA regulations if used in your customer support work areas. Digital photo frames are infamous for installing spyware via USB connection. New smartphones are a popular holiday gift – be sure to enforce the use of lock codes, enroll in device management, and make sure MFA applications are installed. 

The holidays are also a good time to reinforce your security rules for remote and work from home employees.  

If you don’t have a policy prohibiting unapproved devices on the company network, create one today.  


7. Is your team using GPS tags safely?

GPS tags – like Tile, Apple AirTags, and Samsung SmartTags, among others – are sure to be a big holiday gift item. These handy tools can track your valuable personal items through a smartphone app, including cars, luggage, laptop bags, tools, and even children and pets. There have been some amazing stories of regular people finding stolen vehicles, and sports equipment lost by airlines. GPS tags work on the Global System for Mobile Communications (GSM) network, so they can be used internationally wherever there is cell phone coverage. 

But GPS tags can also be abused. A cybercriminal could use a tag to track your movements in real time, to determine when you’re at work or at home. GPS tags aren’t physically dangerous, but if you find one in your vehicle, laptop bag, purse, or other personal item that’s unfamiliar to you, you should report it to the police. For businesses, tags can be used to target company executives and those with access to money. They can also be used to identify weaknesses in physical security or to gather information for blackmail.  

Make sure your staff is familiar with GPS tracking technology. Even if someone isn’t using the technology themselves, it’s certain someone around them is, and everyone should understand the precautions required to stay safe around it.

8. Are your co-workers using artificial intelligence (AI) safely?

Artificial intelligence is the next transformational technology. Like Lotus 1-2-3, Wi-Fi, and social media, AI will change the way we work and live, and all the major tech companies are eager to demonstrate their AI savvy. AI might be able to help you generate holiday gift ideas for that hard-to-please relative, but just like the other technologies listed above, caution must be taken. Cybercriminals will use AI to improve phishing messages and attack strategies.  

For example, if you post pictures of your pet online with a Chewy box in the background, AI can recognize the Chewy box and fabricate a tailored message. Similarly, AI tools can generate speech from videos and recordings posted online. Recently, Mayor Eric Adams of New York City used AI to simulate his voice speaking Spanish, Mandarin, and Yiddish in phone calls to residents. 

While much-hyped now, the full impact of artificial intelligence remains to be seen, and it’s our responsibility as consumers to stay curious and maintain a healthy skepticism. And technology companies are likely to be more circumspect of their intellectual property in the future, too. We may even see labels that proclaim “no AI, just real people” for some products down the line.  

As with any new technology, buyer beware. Keep yourself educated by following websites like Dark Reading and BleepingComputer. Subscribe to updates from CISA.gov for information about vulnerabilities and cybercrime. 

Turn these questions into cybersecurity best practices 

While it’s useful to ask these questions and consider the recommendations, cybersecurity requires action. It’s critical to take stock of your company’s security policies and procedures and make improvements where necessary – and continue to evaluate those policies and procedures throughout the year.  

To learn what solutions small and midsized businesses should have in place – and to identify where security may fall short – download our cyber hygiene checklist.

Happy holidays from Collabrance! 


John Schroeder

Director, IT Operations - Collabrance LLC