The season for giving is also the season for taking. Lurking among the people exchanging gifts and glad tidings are shady characters whose only goal is to pluck opportunity from the well of goodwill filled each year during the holidays. For them, a Merry Christmas involves sending malicious messages via email.
Security researchers say these kinds of messages, while not unusual, flourish around Christmastime as family, friends, and workplace colleagues exchange kind thoughts in the spirit of the season. The main vehicle conveying most of these thoughts has been the e-card, which grows in popularity as we widen our circles of digital friends.
Cyber criminals relish this growth because it improves the likelihood they will reel in a sucker when they go “phishing” in this stream of e-correspondence. Recent reports on data breaches say an estimated one in 10 email users winds up getting hooked by a phishing lure.
“It’s easy for busy, distracted consumers to become victims of these schemes,” said Craig Young, a researcher at Portland, Ore.-based Tripwire, a cyber security provider. “But armed with a few basic security practices, they can drastically reduce their chances of being victimized.”
Among the practices that Young and others advocate:
- Avoiding email from unknown addresses, or email with undisclosed recipients, and not opening the attachments in these emails. That includes e-greeting cards. If possible, confirm who sent the greeting before opening it.
- Watching for bad spelling and poor grammar in email subject lines. Cyber criminals focus on results, not quality, because they send thousands of messages at once hoping for just a few responses. A subject line containing errors is strong proof that opening the email would be an even bigger mistake.
- Running anti-virus software and keeping it up to date. The protections within these programs may be enough to ward off threats in emails that are opened by accident.
Businesses are particularly vulnerable because corporate accounts have multiple users, and those users take multiple approaches to answering email. That is why employees must be made part of the solution, instead of being left to become part of the problem.
“Enterprises … need to place more reliance on employees to help them defend their organizations,” said Rohyt Belani, CEO and co-founder of PhishMe, a threat management company based in Leesburg, Va. “Consistent training turns employees into informants that can spot attacks before they turn into catastrophes.”