Identifying and Avoiding Phishing Attacks During the Holiday Season
Phishing attacks are on the rise, and their impact on individuals and organizations has never been more significant, especially during the holiday season. A recent FBI Internet Crime Complaint Center 2023 Report found that non-payment and non-delivery scams amounted to over $300 million, and credit card fraud accounted for an additional $173 million. Most of the complaints were received in the first two months of 2024, suggesting a high correlation with the frenzied purchases of the holiday season in the latter part of 2023.
Scammers take advantage of unsuspecting buyers during the holiday season, enticing them with unbelievable deals and directing them to fake websites or personal sellers. These sites may appear to be real, as they are often built with fake photos from legitimate businesses, and they seek your personally identifiable information, including credit cards.
Therefore, it is essential to be vigilant when shopping online, and you should consider the following awareness tips:
How to Identify a Phishing Scam
Sender Address: An email from a seemingly recognizable sender (perhaps your bank, utility, or online music account) asks you to reset your password or update your banking information as soon as possible. This common attempt should be easily identified, and if there is any doubt, you should contact the company directly by phone to verify the request.
Fake Links: Hover over links without clicking to establish the legitimacy of the source. If you have a question about your potential order, confirm the seller's physical address, support email, and phone number.
Company Website: Make sure the URL is legitimate and secure. Don't provide any information if you don't see the "https" in the web address with a padlock next to it.
Spelling and Grammar: Poor spelling and grammar used to be an explicit identifier of a phishing scam. However, recent advances in AI have allowed threat actors to assemble email scams in less than 5 minutes, with greater sophistication, a more personable tone, and minimal spelling errors. Do not rely on grammar and spelling as your failsafe email safety net.
Memberships: Are you a member of the alleged sender's organization? More often than you would imagine, your data, whether you are a member or not, has yet to be retired by a source organization that may have experienced a data breach.
Deals: Be wary of an incredible deal—if it looks too good to be true, it probably is. Scammers typically list luxury items at cut-rate prices that can be delivered the next day.
Fake gift cards to valuable clients: These emails often have a personalized salutation and message that can appear legitimate. Make sure you check the source of the email and, if in doubt, check the company's website for additional details.
Public Wi-Fi: Avoid using public Wi-Fi. Unsecured networks are a feeding ground for hackers. Use a VPN or wait until you are in a secure network to process transactions.
Incomplete Deliveries: Watch out for parcel delivery scams that suggest "a delivery could not be completed" and follow up with a link or a toll-free number to call. Do not click on any provided links, and remember that all major carriers (FedEx, Amazon, UPS, Purolator) will never ask you for your social security number or credit card information to complete a delivery.
Email Authentication: One of the latest email security layers being incorporated by leading organizations is PhishFlagger™. Its unique numeric registry identifier (SMS, QR codes and email), launched in August of 2024, allows safe communications between registered parties. Questionable emails not in numerical sequence can be immediately flagged and quickly disposed of.
Be vigilant and have a safe and happy holiday season.
Mike Boland
President, PhishFlagger