The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.
Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, scammers of this kind have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams being spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly-popular among threat actors and is better positioned to trick even the most security-aware individual: failed delivery phishing scams.
UPS estimates that in the U.S., more than 630 million packages were delivered by shoppers during the holiday period last year, and FedEx predicts 317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about to prepare for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.
It is widely-known that the keys to successful social engineering are fear and greed. When presented with compelling stimuli under these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link. As Christmas approaches, certain malware families such as ASProx may have high-volume spikes, taking advantage of shoppers lowering their guard. In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart. Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to prevent detection by causing the spammed links to point to websites that had been “known to be good” until the morning of the attack.
So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?
Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. While Christmas scams are thought of as dangerous, if the computer used to access these websites is a company or government computer, these scams can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.
So be vigilant, and have a very merry (and scam-free) holiday season.
Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.