Last Christmas, I gave you my heart, my bank codes and my online identity

It’s the most wonderful time of the year, not just for families getting gifts for their loved ones, but also for cybercriminals aiming to take advantage of stressed employees and the global pandemic who may not be as alert to cyberthreats. 

Here are a few ways cybercriminals will want to steal your attention, and your money.

Fake Mis-delivery Notifications

With 75% of users planning to increase their online shopping spend this year, cybercriminals are using the escalated activity to try to attain personal information or get people to click/open email attachments. Many phishing emails often appear to come from well known retailers like Amazon or shipping companies like UPS, DHL and FedEx, that hope to lure you into clicking a link. 

It’s important that if you receive an email that seems suspicious or includes a sense of urgency such as your delivery not arriving in time, always check the sender and do not open any linked attachments. If you’re ever in doubt about a package delivery, you can enter the tracking number directly on the courier’s website without engaging with the fraudulent email.

Gift Card Purchases/CEO Fraud

The holidays are also a time where loved ones send gift cards to each other and this year may see more people opt to send digital versions of them due to contact restrictions. Unfortunately, this can present a great opportunity for cybercriminals to impersonate your CEO, asking you to buy gift cards for their loved ones on their behalf due to company engagements at the end of the year. 

Again, any email which includes a sense of urgency or strange request should always be checked thoroughly before engaging. We always recommend phoning the sender if you’re ever unsure, to check the request directly. It’s always better to be on the cautious side and safe, rather than rush things and potentially be liable for your actions.

Seasonal/Topical Scams

In 2019, the Proofpoint Threat Insight team analyzed a malicious global email campaign which leveraged a number of topical lures into a single email that attempted to deliver the well-known malware Emotet. This campaign used multiple themes such as Swedish environmental activist Greta Thunberg, the holiday season, environmental awareness and activism, to target a larger audience. The emails had a .doc attachment which looked like instructions of how people could join a campaign march.

However if people opened the document, it instead led to the deployment of a banking trojan on the victim’s computer, causing their systems to shut down and become unusable.

All these cyberattacks by cybercriminals could have been thwarted by two main actions from users: 

  • Think before you click 
  • Be sure to double-check any suspicious requests in person

Cybercriminals never stop, and the holiday season often sees an especially high level of malware targeting the good-hearted nature of humans. Make sure you follow our simple steps to stay protected during this season of joy and hope.

PUBLISHED BY

Faisal Misle

22 Dec. 2020

SHARE ARTICLE:

Recent Posts

VIEW ALL
BEC

The threat of Business Email Compromise in US healthcare

Jack Lilley

Executive summary: Business Email Compromise is siphoning billions from U.S. healthcare by exploiting human trust instead of software flaws. Spoofed or hijacked messages authorize fraudulent payments, spark ransomware, and expose patient data—causing crippling financial, operational, and compliance damage. Deploying DMARC, MFA, and rigorous multi-person payment checks is now critical. 3 key takeaways Business Email…

Read more
Email

Cloudflare selects Red Sift as a preferred partner to provide DMARC and…

Rebecca Warren

AI-generated email attacks are rapidly growing in scale and sophistication, demanding stronger defenses from at-risk organizations. Starting today, Red Sift is excited to announce a new strategic partnership with Cloudflare, the leading connectivity cloud company, to deliver its market-leading email security application, Red Sift OnDMARC, to a broader global audience.  Today’s alignment enhances Cloudflare’s…

Read more
Cybersecurity

New Zealand moves to mandate DMARC enforcement

Jack Lilley

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and will affect every organization that emails the public sector. Key takeaways: The New Zealand Government has recently published the Secure Government Email (SGE) Common…

Read more
BEC

DMARC: The best ROI for your organization

Jack Lilley

Executive summary: Implementing DMARC delivers one of the clearest, fastest returns on investment in email security. By authenticating outgoing mail and blocking spoofed messages, DMARC cuts the direct costs of phishing and Business Email Compromise, safeguards brand reputation, and boosts deliverability—ultimately driving revenue and trimming operational workload. Key takeaways: Email is a critical communication tool for…

Read more