Tips to Avoid Being Hacked over the Holidays

Posted on by John Pescatore

With the holiday season upon us and the end of the year quickly approaching, a sense of urgency is in the air. After all, there’s much to get done—holiday shopping, health benefits renewals, goal setting for the new year, etc. In the cyber realm, attackers feed on this atmosphere, and this time of year in particular, they will often try to create a sense of urgency in their victims to get them to move quickly.

But let me offer some holiday security advice: This season, make sure your car is locked and your hands are clean. Most importantly: Don’t be in a hurry to respond to anything you see on your computer! I’ll explain.

Side-Step Phishing and Watering Holes

We’ll see phishing campaigns toward the end of the year that aim to create a false sense of urgency, for example—“click here quick, otherwise you’ll lose your dental benefits,” or “only two tickets left at this price!!”

These attacks can be standard phishing campaigns, where attackers attempt to trick people into giving away their password and account information, or they can be what is often called a watering hole attack, where attackers try to get you to go to a place you think is safe but is actually a compromised location or website. When you visit that site, a keystroke capture executable could be downloaded onto your PC, and they get your information the next time you log in anywhere.

It’s not unusual to see end-of-year scams revolving around past-due taxes, but rest assured, email or phone communications claiming to be from the IRS are never from the IRS. If you think about your regular dealings with your real bank or insurance agency, they’re almost never in a hurry and they very rarely go to the expense of calling you on the phone. And if you get a notification about an undeliverable package that includes a link to click to get to the bottom of it, think before you click. Remember that creating false urgency is one of the top tactics malicious attackers use to get people to act.

There are other things to be on the lookout for. Be wary of the seemingly innocuous games and quizzes you see on social media that are about finding out your elf or reindeer name. These quizzes ask questions like what your first pet’s name was or what street you were born on. By entering these answers into the quiz to generate your reindeer name, you are giving away answers to common security questions that an attacker could use to gain access to your accounts.

Look Out for E-skimmers

Most people know about physical skimmers that are placed over credit card machines at gas stations or on ATMs to capture people’s payment and account data. In the past two to three years, one trend that’s really ramped up is e-skimming. E-skimming is a software-based attack where rogue code is injected into an e-commerce site to capture payment card information from online shoppers. In fact, Macy’s website was just recently breached via an e-skimming attack.

As soon as somebody sold something on the web, the bad guys figured out how to use skimming techniques to steal consumer data. The traditional physical skimmers only allowed attackers to capture one thing at a time, but now with so many small businesses using payment-as-a-service type capabilities (think the rise of Etsy shops), the bad guys have figured out how to compromise those payment-as-a-service providers. This means that they’re effectively able to put a skimmer on tens of thousands of merchants at once, providing them with a much higher payout.
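E-skimming works by adding scripts a checkout page was never meant to load. One defensive counterpart is to baseline the scripts a page should contain and alert on anything new; the following is an added example, not code from the post, its author or any merchant, and the hostnames, the allowlist and the sample page are constructed assumptions:

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline (hostnames are made up): allowed script origins and SHA-256 of reviewed inline scripts.
ALLOWED_ORIGINS = {"shop.example", "pay.example-psp.example"}
APPROVED_INLINE = {hashlib.sha256(b"initCheckout();").hexdigest()}


class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from HTML.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_checkout_page(html):
    """Return one finding per script the baseline does not account for."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or ""
        if host not in ALLOWED_ORIGINS:
            findings.append(f"unexpected external script from {host or src}")
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in APPROVED_INLINE:
            findings.append(f"unapproved inline script sha256={digest[:12]}")
    return findings


# Constructed snapshot: approved PSP script and inline script, plus one
# injected script from an origin the baseline has never seen.
SAMPLE_PAGE = """<html><body>
<script src="https://pay.example-psp.example/checkout.js"></script>
<script>initCheckout();</script>
<script src="https://cdn.not-on-baseline.example/stats.js"></script>
</body></html>"""
```

Running `audit_checkout_page(SAMPLE_PAGE)` flags only the third script; in practice the snapshot would come from a scheduled fetch of the live checkout page, and the baseline would be updated only after a code review.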

Lock Down Defenses

As a rule, you should verify that any communication demanding urgent action is truly urgent. Cybersecurity awareness officers need to make sure their staff is informed about such schemes so they can be extra cautious and avoid clicking on suspicious email links.

Consumers must practice safe shopping. Wherever possible, stick to retailers that you have already dealt with. If you have to use a brand-new site, always use proven payment options (like PayPal or Visa Checkout) rather than entering in your credit card number and info.

Cybersecurity professionals need to practice basic security hygiene to get ahead of these threats and make sure they don’t lose their customers’ trust. Implementing the Center for Internet Security’s Critical Security Controls covers the well-known web application and server security measures that are needed. These are the security equivalent of washing your hands and locking your car, something we all should be doing regardless of what time of year it is.

John Pescatore

Director, SANS
