
Holiday Phishing Scams


With the holidays right around the corner, the conditions for phishing couldn’t be better. Order verification, delivery confirmation, emails that look and feel important but are actually hiding a sinister, Grinch-like objective… With holiday phishing scams in full effect, let’s take a look at how we can prepare ourselves this season and keep our information safe!

Like many reading this blog, I am sure you are biting your nails watching your holiday gift tracking information and wondering if the 2-day shipping you were promised will actually hold. With the pressure on and your phone’s email alert volume turned up to 11, we anxiously await any word of our precious Death Star waffle maker’s delivery. An email comes in, you click a link that brings you to what looks like your account login, you log in and… nothing. Or an attachment arrives with a polite note asking you to download your confirmation info. As easy as that, your credentials are in someone else’s hands and the Grinch gets his way.

We have all heard of phishing by now and it feels like every day I see a new warning about clicking on links or downloading attachments. US-CERT issued alerts back in November, urging people to take precautions in regard to holiday phishing scams and, if compromised, to please file complaints with the FBI and Federal Trade Commission. Even mainstream news outlets like USA Today have been posting articles about this year’s phishing.

So there is no doubt that if you are an email user this holiday season, things have already been a bit crazy. But what if your account does get phished, or you had a Yahoo! account? What is the big deal? So what if someone has all my old spam and embarrassing photos? Well, according to IBM, this is a “455 billion dollar business,” and I can assure you those embarrassing Christmas party photos are not what these criminals are selling. When your email account is stolen, the attacker gets your name, phone number and address, plus your PayPal, eBay and every other account that uses that email address for password resets, along with your precious password. Now, don’t lie, I know you use the same password for your email as you do for most things, and this is the first piece of advice I’ll mention.

How to Avoid Holiday Phishing Scams

Use different passwords

If your account has been compromised, so has your password. An attacker will keep that password and look for other accounts tied to the same email address, then try that skeleton key of a password against each of them (the trade calls this credential stuffing) to unwrap a few more Christmas gifts.

Use a harder password

“Theywillneverguessthispassword” is not a good password, people: it is a predictable phrase that a wordlist attack will try early. Length and unpredictability matter far more than clever substitutions. One of my favorite tips is to take the first letters of a sentence only you would think of, but keep the sentence long. “They Will Never Guess This Password” shrinks to “TWNGTP,” six uppercase letters, which any offline cracker runs through in moments; a longer, less obvious sentence with its numbers, mixed case and punctuation kept in gets you into the range where guessing is impractical. Then, like using tinsel, you can bedazzle that password with extra characters. Better still, let a password manager generate and remember a random password for every account, which also takes care of the previous tip.

Use multi-factor (two-factor) authentication

As a simple example, after you enter your password you are prompted for a second code, generated by an authenticator app on your phone or sent to it by text message. This adds an extra layer of defense on top of your now-amazing password: even if the password is phished, the attacker also needs the device that produces or receives that one-time code. One caveat: a code sent by text message can itself be phished or intercepted, so prefer an authenticator app or a hardware security key where the service offers one.
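To make the second factor concrete, here is how the codes an authenticator app shows are actually produced and checked. This is an added example written for this post, not code from the original article or from any authenticator vendor: it implements TOTP as specified in RFC 6238 on top of HOTP (RFC 4226), keyed with the RFC’s own test secret, and wraps it in a constructed toy login so you can see a phished password fail on its own. The account table, user name and deliberately weak password are assumptions for the demonstration.

```python
"""TOTP (RFC 6238) one-time codes, as used by authenticator apps.

Added example, not code from the original post. The shared secret is the
RFC 6238 test-vector key; the login flow around it is a constructed toy.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret for HMAC-SHA1 (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30-second steps."""
    return hotp(secret, int(unix_time // STEP_SECONDS), digits)


def verify_totp(secret: bytes, candidate: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.

    hmac.compare_digest keeps the comparison constant-time so an attacker
    cannot learn digits one at a time from response timing.
    """
    step = int(unix_time // STEP_SECONDS)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), candidate):
            return True
    return False


# Constructed toy account database: password hash plus the user's TOTP secret.
# (A real service would use a slow, salted password hash; SHA-256 keeps the toy short.)
ACCOUNTS = {
    "grinch@example.com": {
        "pw_hash": hashlib.sha256(b"TWNGTP").hexdigest(),    # weak on purpose
        "totp_secret": TEST_SECRET,
    }
}


def login(email: str, password: str, code: str, unix_time: float) -> str:
    """Two-step check: the password alone never gets an attacker in."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "denied"
    offered = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(offered, acct["pw_hash"]):
        return "denied"
    if not verify_totp(acct["totp_secret"], code, unix_time):
        return "denied: second factor missing or wrong"
    return "ok"


if __name__ == "__main__":
    now = time.time()
    good = totp(TEST_SECRET, now)
    print("phished password, no device :", login("grinch@example.com", "TWNGTP", "000000", now))
    print("password plus current code  :", login("grinch@example.com", "TWNGTP", good, now))
```

The one-step verification window is what lets a code still work if your phone’s clock is a few seconds off; widening it much further gives an attacker more guesses per code, so keep it tight.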

Read your emails carefully

Here is an example of a delivery confirmation phishing attempt. Take a moment to look at it and see if you can spot some of the glaring issues with it.


Why would FedEx be using grapplingdummys as a domain? Would a FedEx ground worker himself email me from a personal account? I mean, they do have awesome customer service, but that seems a bit phishy.
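The checks a careful reader runs in their head on that message can be written down. Below is an added example, not code from the original post or from any mail vendor, that applies three of them to a constructed message modelled on the FedEx-from-grapplingdummys case: does the sender’s domain match the brand in the display name, does Reply-To quietly go somewhere else, and does each link’s visible text match where its href really points. The brand-to-domain table, the sample messages and the `.example` domains are all assumptions made for the demonstration.

```python
"""Spotting a spoofed shipping notice from its headers and links.

Added example, not code from the original post. Both messages are
constructed; the brand domain table is an assumption for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the brand is assumed to send from (example data, not a published list).
BRAND_DOMAINS = {"fedex": {"fedex.com"}}

# Constructed phish, modelled on the post's FedEx / grapplingdummys message.
SAMPLE = """\
From: "FedEx Ground" <shipping@grapplingdummys.example>
Reply-To: fedexground.delivery@gmail.example
Subject: Delivery confirmation #4471
Content-Type: text/html

<html><body>
<p>Your parcel could not be delivered. Confirm your details:</p>
<a href="http://fedex.com.track-4471.grapplingdummys.example/login">http://www.fedex.com/tracking</a>
</body></html>
"""

# Constructed legitimate-looking notice for comparison.
CLEAN = """\
From: "FedEx" <tracking@fedex.com>
Subject: Your shipment is on its way
Content-Type: text/html

<html><body>
<a href="https://www.fedex.com/track">https://www.fedex.com/track</a>
</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host: str) -> str:
    """Crude last-two-labels view of a hostname (fine for .com-style TLDs;
    a real implementation would consult the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def brand_in(text: str):
    """Return the first known brand name that appears in the text, if any."""
    for brand in BRAND_DOMAINS:
        if brand in text.lower():
            return brand
    return None


def check_message(raw: str) -> list:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    warnings = []

    # 1. Display name says one brand, sending domain says another.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    brand = brand_in(name) or brand_in(addr)
    if brand and registrable(sender_domain) not in BRAND_DOMAINS[brand]:
        warnings.append(f"From claims {brand!r} but sender domain is {sender_domain}")

    # 2. Replies are routed to a different (often free-mail) domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        warnings.append(f"Reply-To goes to {reply}, not the sender's domain")

    # 3. Link text shows one site, href points at another, or the brand is
    #    buried as a subdomain of an unrelated registrable domain.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for href, text in LINK_RE.findall(body):
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text.strip()).hostname
        if shown_host and registrable(real_host) != registrable(shown_host):
            warnings.append(f"link text shows {shown_host} but points at {real_host}")
        if brand and brand in real_host and registrable(real_host) not in BRAND_DOMAINS[brand]:
            warnings.append(f"{brand!r} appears in {real_host} but that is not a {brand} domain")
    return warnings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE), ("clean", CLEAN)):
        print(f"--- {label}")
        for w in check_message(raw):
            print("WARNING:", w)
```

The hostname check is the one worth remembering: `fedex.com.track-4471.grapplingdummys.example` starts with the brand but is registered to grapplingdummys, and everything to the left of the registrable domain is under the attacker’s control.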

With these little steps, you should be pretty prepared to avoid holiday phishing scams. Also, this is the season of giving, so help those around you understand what to look for in regard to phishing attempts. Anti-phishing tools like Click Click Phish are built to help teach everyone how to spot a phishing attempt. For the network admins reading this, if you suspect someone on your network has been hit with some unwanted holiday cheer, use technology like NetFlow and tools like Scrutinizer to hunt down the problem.

Stay safe this holiday!