Businesses of all sizes are always a little more on edge this time of year, as employees spend more time shopping online from work computers. Most business leaders indicated that they will not make an effort to prevent employees from doing so. It's important to bear in mind that the holidays always present an added opportunity for attackers, since everyone is generally spending more time shopping online and opening and clicking emails with links for things like shipping confirmations and special offers.
Of course, engaging in these activities from a company device introduces that risk to the business. Entering work credentials into a bogus offer page, for example, naturally exposes the company to unwanted risk. Since malware distributors often use things like malicious banner ads or links to fake coupons (among many others) to infect users, this risk increases sharply during the holidays, when online shopping activity is at its peak.
An interesting example of this is the recently reported incident involving Maze ransomware. This event looks like a first of its kind, in that the ransomware operators publicly released stolen data after the victim declined to pay. Why this relates to our topic is that one distribution method for Maze ransomware was a fake website. The site reportedly posed as a crypto-currency exchange and used paid ad traffic to drive users to the malicious page. The same technique could just as easily be used to distribute ransomware via a fake product site; any hot or hard-to-find holiday shopping item would suffice.
Something else to consider is that most people will have multiple online orders being shipped by services such as Amazon, Best Buy, etc. This makes the consumer far more susceptible to phishing attacks that spoof a brand they have recently transacted with. Additionally, these packages are en route via UPS, FedEx, USPS or DHL, which presents another vector that attackers can, and will, exploit as people are eager to get their packages. What's more, online payment transactions through a bank or a service such as PayPal (think phony payment-rejected notices or bogus charge notifications) are yet another attack vector that, while always present, is more likely to succeed through deception during these times of increased activity.
Some other issues to consider are:
Employees on vacation who post about it on social media lend themselves to social engineering attacks
BEC gift card scams become far more believable and tend to surge this time of year
The risk spans the entire gamut of cyberattacks, ranging from malware infections, stolen bank information and ransomware incidents to phishing leading to credential theft, or BEC leading to the fraudulent transfer of funds by many different means. These risks are always there, but they are amplified during the holiday shopping season. Having the proper acceptable use policy in place is one key component of mitigating these threats. Blocking access to shopping sites from the corporate network is a good idea, though most organizations will choose not to do so. Ensure that your email security meets the standards of today's threats. Employee awareness training can be especially helpful this time of year as well. Remind employees that they are not only protecting the business but also themselves.
WANT TO KNOW MORE?
Find out how prevalent it is for employees to shop online at work, and what employers are doing about it, in the latest Zix | AppRiver Cyberthreat Index for Business Special Holiday Shopping Edition.