The holidays are no time for cheer for security specialists: They’re seeing a spike in the number of phishing emails, and in the people who are gullible enough to open them.
For example, Barracuda Networks detected a higher-than-usual number of people clicking on malicious links on Cyber Monday — around 53,000. Granted, the number of general clicks also rose — to 36 million, maybe a 50% increase over a normal Monday.
The actual threat volume was not that high in comparison with normal days. But it did spike in the days after Cyber Monday.
On Wednesday, November 29, for example, the phishing numbers alone rose to 27 million. These emails largely consisted of fake shipping notices and invoices attempting to take advantage of shoppers tracking their purchases.
On a typical Monday, Barracuda will see between 20 million and 27 million emails.
Why the increase on that Wednesday? The opportunity presented by human behavior, according to Eugene Weiss, lead architect at Barracuda.
“The centers of phishing attacks are going to redouble their efforts if they see this seems to be working right now,” Weiss says. “If an email gets a good record of response, they’re going to send a lot more of them, just as a legitimate business does.”
Weiss notes that seasonal spam emails are designed to look like “the large volume of legitimate holiday marketing email. The idea is, you fill out a survey or get a free gift card.” “Instead of just being a marketing survey, however, they are gathering information for phishing.”
The problem is worsened by the fact that some consumers will open almost anything in their holiday shopping frenzy.
Spoofing off of large brands like Amazon and Walmart is also prevalent.
What can legitimate email marketers do to prevent their emails from being mistaken for spam?
One thing is to “personalize the emails to the greatest extent possible,” Weiss says. “It makes it easier to establish that you have some knowledge of the person you’re sending it to, as opposed to being a generic thing.”
This becomes more difficult as malware senders get better at extracting personal information. Weiss advises firms to never ask people to put information on a form — instead, lead them to a product page, and offer the chance to buy.
Of course, responsibility also falls on consumers — they should look at the URL bar to make sure it is legitimate.
Barracuda tracks emails through its Link Protect tool, which “wraps a link on an email message and sends to Barracuda’s server and blocks it at that point or forwards it on,” Weiss explains.
In general, the firm has seen an increase in email security problems in the past year, with ransomware dramatically increasing. And there has been the usual flow of spam emails containing nickel-and-dime swindles.
Don’t think Christmas is the end of the holiday surge: It will go on to “the end of the calendar year,” Weiss sadly concludes.