InfoSec Insider

Tis’ the Season for Online Holiday Shopping; and Phishing

holiday season phishing

MobileIron’s Brian Foster says to watch out for these top phishing approaches this holiday season.

While online holiday shopping is nothing new, more of us will be avoiding the malls and brick-and-mortar stores this year — which opens up big opportunities for cybercriminals. This, along with COVID-19, is expected to anchor most of the scam and phishing lures in circulation this season.

Since pandemic lockdowns began in early 2020, contactless transactions skyrocketed, and seasonal holiday shopping will likely continue that trend.  According to a recent survey from, more than 70 percent of Americans will make most of their holiday purchases online this year, compared with 51 percent in 2019.

Unfortunately, that also means we have to look forward to more cyberthreats trying to cash in on the spirit of gift-giving and charity donations during the holidays.

Meanwhile, we already know that COVID-19-related phishing scams skyrocketed 600 percent between February and March this year, shortly after the pandemic took hold across Europe and the U.S. This year, along with the usual garden-variety holiday scams, we’re likely to see more phishing attacks both directly and indirectly related to the pandemic.

Although phishing scams are likely to target consumers in volume during the holiday season, there are many versions, such as whale-phishing, that are designed to target high-level executives and other key individuals.

In fact, the majority of your remote employees who use either personal or corporate-owned devices probably encounter at least one of these scams every day. Even one successful breach could put your company’s data at risk, especially if a hacker manages to get a remote employee’s corporate login credentials.

It’s also important to note that while there are all kinds of complex online scams, many hackers go for the easiest targets — usually mobile users who lack robust security awareness and protection on their devices.

Top Phishing Scams to Watch For

Email Phishing: It’s hard to believe that email phishing scams are still around and just as successful as they’ve always been. Sure, they’re a tad more sophisticated than the mocked-up bank emails from 20 years ago, but their shtick is still the same: Convince the user there’s a problem with their bank account, online order, etc., and direct them to a fake website to enter their login credentials, which, of course, the hacker then steals for future use.

Spear-Phishing: Unlike most email phishing campaigns that cast a wide net, spear-phishing horns in on specific individuals — using personal details that can make these scams more believable. For example, let’s say a user recently booked a holiday home through a vacation reservations site. The next day, the user receives a message stating that there’s a problem with their recent reservation, with links to a fake website to update credit-card or other personal information.

Vishing: Voice-based phishing or “vishing” attacks can be highly deceiving. In this case, a hacker actually calls the user and tricks the person into giving the attacker their credentials or sharing other useful information. Remember that the Twitter hack from back in July actually started with a hacker calling a Twitter employee and convincing the person that he was a colleague. Little by little, the hacker was able to use employee credentials and company information gathered from the calls to gain access to some of the world’s most high-profile, verified Twitter accounts.

Smishing: Text-based or SMS “smishing” threats are also on the rise. In fact, according to Verizon’s 2020 Mobile Security Index, smishing attacks have increased from 2 percent to 13 percent in just the past year. In the pandemic era, with more people ordering online, smishing attacks frequently target users with fake delivery messages from carriers. They might convince the user that there’s a problem with the delivery, such as an insufficient address, and direct the user to a fake website to enter personal information. Now with the holiday season well underway, we’re likely to see these attacks continue to increase.

Avoid Unwanted Security ‘Presents’

So, how can consumers prevent hackers from gaining access to their personal and company apps and data? Like most prevention tips, awareness is key.

Staying alert is especially important nowadays when mobile users are constantly distracted by other things such as work, family, shopping and the millions of other things that demand our attention while we’re on our phones. The key is to know that these types of attacks are out there and avoid clicking on links sent to your email or phone.

If you get an authentic-looking message from a company you normally do business with, simply take the extra step and go directly to the website without clicking on the link in the message you received. If it’s legit, you’ll see the message on your account, and it will save you the potential risk of handing your credentials or personal information over to hackers.

For mobile-security professionals, now is always a great time to review your mobile security practices to better protect users from these scams. While it’s important to educate mobile employees, it’s up to IT to prevent hackers from getting through to them in the first place. At minimum, mobile security should include the ability to access a phishing URL database to immediately prevent known phishing attempts from coming across text and SMS messages, instant messages, social media and other modes of communication.

While phishing scams will probably always exist in some form, more of our daily life is now taking place on mobile devices, apps and social media. As we gear up for contactless holiday shopping and beyond, that’s where our security focus should be as well.

Brian Foster is senior vice president of product management at MobileIron.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.

Suggested articles