Beware of these holiday hacks

Unless you’re really organised, it’s highly likely that you are using a variety of online shops to complete your Christmas shopping. And chances are, you’re using the same username and password combination to purchase goods across multiple sites. The problem with this is that when one set of credentials is leaked, it gives cybercriminals the keys to a whole range of websites, many with stored payment information and more. Even worse, if these credentials are related to a business account, they could be used to breach company systems.

Tip: If you can, use unique passwords across e-commerce sites – try using sentences instead of words. You can also use password managers, like LastPass.

At year end, it can be nice for businesses to tie up loose ends, but be aware of any invoices coming your way. Not only can attachments from unknown sources contain malicious code that can lead to the encryption of computer systems, but even invoices you are expecting can sometimes be fraudulent. For example, it’s not uncommon for our team to see cases of invoice fraud this time of year – where hackers have breached suppliers’ systems, doctored up invoices with new bank account details, and sent them to expecting recipients who inevitably end up paying into fraudulent accounts. We've noticed similar-style scams from the collection of schools fees, which often takes place around this time. 

Tip: Don’t open any attachments or click on links in emails from people or businesses you aren’t expecting to hear from. And if you’re paying into an account that is new to you – for example, it’s a new supplier or they’ve recently changed their account details – always call the owner of that account on a separate, trusted line, to make sure the details are legitimate and correct.

One thing our in-house Cyber Incident Response Team has noticed is a clever kind of CEO fraud that revolves around gift cards. This happens when a seemingly legitimate email comes from someone senior within a business where he or she asks an employee to buy gift cards as client gifts. That same executive then emails again to request the unique code on the back of the gift cards, under the guise of expediting the gift giving. Of course, the employee eventually discovers that the original requests weren’t legitimate and that the email had either been hacked or spoofed. This is a particularly effective attack method with so many people working remotely where it’s not as easy to quickly ask someone to verify something.

Tip: If someone asks you, by email, to buy something, even someone within your business, follow-up with a phone call.

With so many gifts to buy, we all want to get a deal at Christmas. There’s no shame in hunting around for the best price, but beware of flashy ads and unfamiliar websites. Cybercriminals operate a multitude of fake websites, and putting your payment card details into the wrong website will not only lead to the theft of those valuable numbers, but you also won’t receive what you paid for. What’s more, ads on unsecure websites can be riddled with malware, which can lead to even bigger problems particularly if those websites are accessed on company systems.

Tip: If the deal seems too good to be true, it probably is. Make sure to buy items from reputable retailers with secure websites (https), and ones that operate out of your own territory where possible.