What are the main cyber risks and threats this festive season?

The holiday season brings joy, celebration, and time off, but it also signals an increase in targeted and opportunistic cyber threats and risks.

Cyber-attacks increase by 40% during holiday periods.

The festive season is not just a precarious time for individuals and employees but also organisations. Today, we will dive into the reasons behind surges in cyber-attacks during the festive season and outline the specific threats organisations should be vigilant against, whilst also touching on some recent examples of festive/holiday cyber-attacks.

Why are there more cyber-attacks during the holiday season?

1. Lax cyber security behaviours during the holiday season

The holiday season is synonymous with relaxation and a break from routine and work. Unfortunately, this break often extends to cyber security practices as well. Employees become more complacent, overlooking security protocols, and exposing vulnerabilities that attackers can exploit. 1Password reveals that 45% of employees that get distracted at work fail to comply with security rules at their organisation. The atmosphere of relaxation, of winding down for the year, can inadvertently create an environment where vigilance takes a back seat, making it easier for cybercriminals to infiltrate systems. All of the strong and safe security behaviours you have been building need to be refocused and fortified during the festive season, not bypassed.

2. Attacks prey on out of office messages

The prevalence of out-of-office messages and reduced staffing levels during the holidays becomes a prime target for cyber attackers. Knowing that response times may be delayed, threat actors strategically time their attacks to coincide with these periods. Attacks can also use out of office messages to pull valuable information such as shift times and contact numbers.

3. Spike in online shopping attracts cyber threat actors

The festive season sees a considerable uptick in online shopping, with individuals eagerly hunting for the perfect gifts. This surge in online transactions becomes a breeding ground for cyber threat actors. They deploy tactics such as phishing emails and fraudulent websites to capitalise on the increased traffic, hoping to compromise sensitive information, financial details, or infiltrate organisational networks through unsuspecting shoppers. In fact, in 2022, shipping company DHL clocked in as the third-most impersonated brand in phishing emails (Checkpoint).

4. Understaffed security teams

Holiday periods often coincide with staff vacations and company-wide annual leaves, leaving cyber security teams understaffed. This workforce shortage puts additional strain on security operations, making it more challenging for organisations to promptly detect and respond to potential threats. Cyber security defences may be stretched thin, providing attackers with a window of opportunity to exploit vulnerabilities that might otherwise be swiftly addressed. In their 2021 report, Cybereason noted that major ransomware attacks “tend to occur on weekends and holidays when fewer staff are around to detect and respond to them.”

5. Employees are distracted or inebriated

The festive spirit can lead to employees being more easily distracted or, in some cases, inebriated during work hours. It is hard to believe but this Cybereason survey reveals that a staggering 70% of respondents admitted to having been intoxicated when responding to a ransomware incident over the holidays. This altered state of focus can make them more susceptible to falling victim to social engineering attacks, phishing attempts, or engaging in risky online behaviour. Cybercriminals leverage this distraction to increase the success rate of their malicious activities.

6. Networks are strained

The holiday season places an additional burden on organisational networks. Increased online activities, both professional and personal, can strain infrastructure, making it an opportune time for cyber attackers to exploit potential weaknesses. This strain may manifest in various forms, including slower response times, increased latency, and a higher risk of successful attacks such as Distributed Denial of Service (DDoS) attacks.

What cyber-attacks do we see during the holiday season?

1. Phishing emails

91% of all cyber-attacks start with a phishing email sent to an unsuspecting victim. Phishing remains a prevalent threat during the holidays, with cybercriminals leveraging festive themes to craft deceptive emails. Cisco’s Cybersecurity Threat Trends report reveals that phishing attacks historically spike during the holiday period, with a peak increase of 50% in December. The most worrying period of phishing emails is recorded as being between December 6th and 9th. These emails often mimic legitimate communications, enticing individuals to click on malicious links or provide sensitive information, posing a significant risk to organisational security.

2. Fraudulent websites

Cyber attackers create fraudulent websites mimicking popular e-commerce platforms or charity organisations. Unsuspecting users may be lured into making transactions or providing personal information, leading to financial losses, and compromising sensitive data.

3. MFA (Multi Factor Authentication) Fatigue

Multi-Factor Authentication (MFA) fatigue sets in during the holiday rush. With various accounts requiring additional verification steps, users may become less vigilant, creating opportunities for attackers to exploit weakened authentication processes.

4. Ransomware

The holiday season is not exempt from ransomware attacks. Darktrace data reveals a 70% increase globally in the average number of attempted ransomware attacks in November and December compared to the monthly average. Cybercriminals take advantage of potential vulnerabilities to encrypt critical data, demanding ransoms for its release. The impact of such attacks can be catastrophic for organisations, leading to financial losses and reputational damage.

5. DDoS Attacks

Distributed Denial of Service (DDoS) attacks intensify during the festive period, disrupting online operations. Cybercriminals overload networks or services, causing downtime, impacting customer experience, and potentially resulting in financial losses for businesses. According to a Ponemon Institute study, the average downtime because of a DDoS attack sits at 54 minutes … and the average cost of a DDoS attack sits at $22,000 for every minute of downtime … this is a very costly attack to fall for!

6. SQL Injections

Attackers may attempt SQL injections to manipulate databases and gain unauthorised access to sensitive information. Organisations must fortify their systems to prevent these types of attacks, especially when faced with increased online activity.

7. Credential stuffing/Stolen credentials

Compromised login credentials from previous breaches are often recycled during the holidays. In 2021, it was estimated that eight million credential stuffing attacks were run against consumers every single day during holiday season. Cybercriminals use stolen usernames and passwords to gain unauthorised access to accounts, potentially leading to data breaches and unauthorised activities.

8. IoT (Internet of Things) device attacks

As the use of Internet of Things (IoT) devices rises, attackers exploit vulnerabilities in these devices. Holiday-themed gadgets may become targets, posing risks to both personal and organisational security.

9. Identity theft

The holiday season witnesses a surge in identity theft attempts. Cybercriminals aim to steal personal information for financial gain or to facilitate other malicious activities, emphasising the need for robust identity protection measures.

10. E-commerce fraud

Fraudulent transactions and unauthorised access to customer accounts peak during the festive shopping spree. In fact, The Cyber Express reports that by the end of 2023, e-commerce fraud in the retail sector will hit a staggering US$48 billion worldwide. Organisations must implement stringent security measures to safeguard customer data and maintain trust.

11. Social engineering

According to Verizon, 60% of breaches in the EMEA (Europe, Middle East, Africa) region include a social engineering component. Social engineering tactics intensify, with cybercriminals manipulating human psychology to trick individuals into divulging sensitive information. Awareness training becomes crucial in combating these sophisticated attacks.

12. Insider threats

Internal threats escalate during the holiday season, as disgruntled employees or those seeking financial gain may exploit their access to compromise organisational security.

13. Bot-based site interruptions

Automated bots flood e-commerce sites during the holidays, artificially inflating shopping carts and causing inventory and sales disruptions. This deceptive tactic impacts both the customer experience and the financial health of businesses.

14. Juice jacking

Public charging stations pose a threat through juice jacking, where attackers compromise devices connected to these stations. This tactic can lead to data theft and unauthorised access to sensitive information.

15. Public wi-fi breaches

The use of public Wi-Fi during holiday travels exposes individuals and organisations to security risks. Cybercriminals may exploit unsecured connections, highlighting the importance of using Virtual Private Networks (VPNs) and other security measures.

16. SMS scams

Text message scams increase, with attackers attempting to deceive individuals into clicking on malicious links or divulging sensitive information. Users must exercise caution and verify the legitimacy of incoming messages.

17. Supply chain attacks

The interconnected nature of supply chains becomes a target for cyber attackers. Organisations must assess and fortify their supply chain cyber security to prevent disruptions and unauthorised access to sensitive information.

Examples of recent holiday cyber attacks

• During the 2013 holiday season, Target was hit by one of the biggest security breaches in history. Cybercriminals stole 40 million credit and debit card records, alongside 70 million customer records. Eventually, Target were ordered to pay $18.5 million in a settlement. This attack stemmed from a compromised third-party vendor.
• In 2014, Sony Pictures was hacked by a group called the Guardians of Peace, thought to be associated with North Korea. The hackers stole tonnes of information from Sony’s network including private messages between Sony employees and executives.
• In December 2020, SolarWinds Inc., a leading IT provider of monitoring and management systems, was hit by a widespread supply chain attack that trojanised its business software updates. Compromised SolarWinds clients included the US government and tech firms in Europe, Asia, the Middle East, and North America.
• In November 2021, Colonial Pipeline was hit by a ransomware attack. The Darkside hacker group demanded, and received, a ransom of $4.4m. The CIA attributed the attack to a ransomware cartel in Russia and recovered just under half of the ransomware fee paid.
• During the same holiday season, meat processing company JBS was hit with a ransomware attack and eventually paid a whopping ransom of $11m!
• In January 2022, New Mexico's Bernalillo County closed most county buildings on after a suspected ransomware attack targeted its systems. The attack compromised cameras in the county’s jail system and even affected the jail’s lockdown system.
• In January 2022, Maryland officials confirmed a ransomware attack shut down their Department of Health amid a surge in COVID-19 cases. Their digital systems were crippled with death certificates not issued and health information shared physically as a result.
• Before the 2022 Superbowl, Cyber-criminals attacked the San Francisco 49ers American football team with ransomware. The BlackByte ransomware group claimed the attack and presented data worth more than $4 billion on dark web forums and the black market.

Stay safe with TSC this festive season

In the midst of the heightened cyber threats during the festive season, TSC can be the cyber security training and awareness partner you need. Committed to equipping organisations and employees with the knowledge to combat both common and emerging cyber threats, we have meticulously crafted a comprehensive library of ready-to-go resources tailored to fortify your defences.

We can fortify your festive cyber security defences and awareness with:

• 'The Festive Fraud Countdown' Advent Calendar: Embark on a daily journey of enlightenment with our advent calendar. Each day unveils insights into cyber threats, providing bite-sized, actionable tips to enhance your cyber awareness throughout the holiday season.
• 'Snowball Strike!' Festive Fakes Game: Immerse your team in a dynamic learning experience with our interactive game, 'Snowball Strike!'. Simulate real-world scenarios of festive-themed cyber-attacks, empowering your staff to recognise and thwart potential threats in an engaging and risk-free environment.
• 'Parsnip Delivers a Warning!' Character-based GIF/MP4: Inject a dash of humour into your awareness campaign with 'Parsnip Delivers a Warning!'. This animated character-based GIF/MP4 delivers crucial cyber security messages in a memorable and entertaining format.
• 'Are You a Noel-it-all?' Festive Scams Quiz: Challenge and reinforce your team's knowledge with our 'Are You a Noel-it-all?' quiz. This interactive quiz covers a spectrum of festive scams, testing and enhancing your employees' ability to identify and respond to potential threats.
• '12 Festive Fraudsters' Static Infographic: Visualise potential threats with our '12 Festive Fraudsters' infographic. This visual resource offers a quick reference guide to the diverse range of cyber threats during the holiday season, aiding in recognising and mitigating risks.
• 'Dangerous Differences' Suspicious Websites/Phishy Emails Game: Elevate your team's ability to identify phishing attempts with our interactive game, 'Dangerous Differences'. This gamified experience hones employees' skills in distinguishing between legitimate websites and phishy emails, fostering a culture of heightened awareness.
• 'Whack-an-Elf' Festive Fraud Game: Transform learning into an enjoyable experience with 'Whack-an-Elf'. This festive fraud game engages users in a dynamic environment where they actively identify and eliminate cyber threats, reinforcing cyber security best practices with a touch of holiday fun.

To ensure your organisation is well-prepared for the cyber security challenges that accompany the festive season, we invite you to explore TSC's Festive Products Leaflet. This comprehensive guide details our array of resources and solutions, providing a roadmap to fortify your defences against cyber threats.

At The Security Company, we specialise in boosting cyber awareness, targeted training, customised projects and role-based solutions. Through our tailored subscription services, targeted and customised eLearning and awareness materials and our behavioural assessments, we're committed to helping organisations like yours instil long-term, security-conscious behaviours.

Our method is distinct. We begin by diving deep into your team's current mindset, pinpointing lax behaviours, security gaps and departments in need of focus and attention. From there, we craft tailored solutions that encourage better cyber practices from your employees. With comprehensive training and seamless integration into your current systems, we're here to fortify your team against modern cyber threats and be your trusted cyber security and awareness partner.

Ready to take the next step?

We can help you to formulate an effective and comprehensive festive cyber security training and awareness program for your organisation.

Do not hesitate to contact us for further information.