Happy Holidays! You’ve Been Hacked!

Businesses of every shape and size must be particularly vigilant during the holiday season. Scammers and cybercriminals rely on increasingly sophisticated methods to dupe employees and gain control of enterprise networks. They constantly probe for weaknesses and take advantage of gaps in security.

“The more sophisticated bad actors target companies during the holiday season,” stated Anthony Dagostino, global head of cyber risk at business consulting firm Willis Towers Watson. “They know that traffic increases, particularly in consumer-facing sectors, and the use of temporary and contingent workers grows. In addition, many employees, including senior management, take time off.”

What can be done? Here are five critical areas to focus on, along with recommendations for keeping the bad guys in check during this holiday season:

Keep an eye open for social engineering fraud. Although phishing, spear-phishing, and whaling attacks are a persistent and ongoing threat year-round, the holidays present a special kind of risk. “Cyber thieves often pick a day and time when companies are closing out accounts or shutting down for the holidays to request a transaction,” explained Alan W. Silberberg, CEO of cybersecurity consulting firm Digijaks. “They’ve done their homework on LinkedIn and they know something about the requester as well as the right language to use. They make it look like the CEO or CFO is requesting an important wire transfer and the employee feels pressured to get it right.”

How to beat the bad guys: Train employees to spot suspicious messages and phone calls. Use multi-factor authentication and secondary approvals for all large transactions. “It’s a few extra seconds that can save millions,” Silberberg points out.

Beware of unsecured networks. Many people, from the C-suite to sales staff, spend more time out of the office during the holiday season. They access e-mail, files, and reports from an airport, mall, or coffee house, or they might attend company-sanctioned parties and events at a hotel or restaurant. Not surprisingly, there’s a surge in the use of unsecured Wi-Fi networks. “Depending on the network,” Silberberg says, “thieves using sniffers might be able to intercept data, steal passwords, or launch attacks.” And depending on a company’s security protections, they may have direct entry into the network.

How to beat the bad guys: Require the use of secured networks and use virtual private networking (VPN). Deploy multi-factor authentication and other robust authentication controls.

Look out for transactional scams. It’s not unusual for cyber crooks to pose as business partners, vendors, and other seemingly legitimate entities, while presenting authentic-looking digital documents, including fake return merchandise authorizations (RMA) for actual goods and products. In fact, many are so good at disguising forms or submitting fake digital data that even experienced representatives can be duped. Add in hurried and sometimes overwhelmed employees, particularly during the holiday return crush, and your business has all the ingredients for unverified returns and fraudulent payouts. “Temporary or contingent staff that are not as knowledgeable or aware about policies and threats drive up the risk factor even higher,” Dagostino says.

How to beat the bad guys: Provide education and training, enact essential controls, and make sure that all companies and payments are verified prior to releasing funds.

Pay attention to fake fraud alerts and friendly holiday greetings. Another type of social-engineering scam centers on authentic-looking FBI, law enforcement, or antivirus vendor alerts. It’s especially common during the holiday crush. It typically works like this: the sender targets employees with an e-mail that delivers a convincing warning about an actual threat. The e-mail contains a link that promises more information or an urgent download. However, a click of the link loads malware or ransomware onto the computer. Suddenly, cyber crooks have wormed their way into the enterprise network or shut it down. The technique is simple but it’s also effective, Silberberg says. Likewise, e-cards and other holiday greetings, including those that may appear to originate from the company or CEO, can contain links to Trojans and other malware.

How to beat the bad guys: Always hover over links to detect the actual address. Go directly to the sender’s website rather than clicking through on the link.

Don’t leave employees entirely to their own devices. A major risk associated with today’s smartphones, tablets, and laptops is that employees rely on them for both personal and business use. Even those who have separate devices may transfer files and data back and forth between them. It’s a big problem all year, yet the risks rise during the holidays, when employees tend to use these devices to shop and place personal orders. Increasingly, crooks are creating fake apps that capture data or commandeer the microphone or camera and use it for spying and other nefarious purposes. This means that cyber crooks might view sensitive documents or sit in on a meeting virtually, without anyone realizing it. As a result, they may be privy to trade secrets and intellectual property.

How to beat the bad guys: Ensure that mobile device management (MDM) software is in place, endpoint protections exist, and your company has established clearly defined roles, privileges, and access controls. Also, make sure that employees receive training about how to manage devices and data. Finally, ensure that all systems and devices have received the latest patches and security updates.

Finally, Silberberg said that one of the greatest holiday risks revolves around an often overlooked and incredibly low-tech aspect of cybersecurity: people blabbing on airplane flights, at airports, and at company parties, which are often held in public places. During the holidays, when people tend to consume more alcohol, the risks are magnified.

“You can’t focus on only one area or rely too heavily on one system or technology,” concluded Silberberg. “You really have to think about security broadly and be particularly aware during the holidays.”