Staying vigilant for cyber threats during the holiday season

Throughout the calendar year, businesses and other organizations can be prone to a variety of potentially costly cyberattacks. During the holiday season, however, some organizations and employees may let their guards down — and threat actors are eager to take advantage.

Opportunities for cyber threat actors

For businesses, a major reason why cyber threats are especially worrisome during the holiday season boils down to the human factor — namely, a shortage of human capital and a myriad of distractions as the end of the year approaches.

In a 2021 report, cybersecurity consulting firm Cybereason noted that major ransomware attacks “tend to occur on weekends and holidays (opens a new window) when fewer staff are around to detect and respond to them.” During the holiday season, organizations can be especially susceptible not only to ransomware threats but to phishing attacks and other dangers, as November, December and January represent ideal times for many employees to use paid time off.

When employees are out of the office, their responsibilities may be temporarily transferred to others, including some with little to no experience carrying them out. In some cases, employees may fail to designate backups while they are out of the office.

In addition to observances for year-end holidays, some organizations elect to shut down for more extended periods of time. For example, nearly half (44%) of U.S. employers responding to Lockton’s 2021 HR Trends Survey (opens a new window) reported that they closed their doors for Christmas Eve in 2021, and 5% were closed from Christmas through New Year’s Day 2022.

Through all of this, employees may feel a sense of year-end fatigue. The end of the calendar year is often also the end of an organization’s fiscal year. As employees seek to tie up loose ends before the new year begins, there may be less attention to detail on a number of things.

On top of all of these developments, there is the current labor environment. As of the last business day of August 2022, more than 10 million jobs were open across the U.S. (opens a new window), according to the Bureau of Labor Statistics. While this represents a decline from the 11.1 million openings that existed at the end of July, it’s still a sizable number.

Similar figures have been reported elsewhere. According to the Office for National Statistics, for the period from July through September 2022, job vacancies in the U.K. totaled 1.25 million (opens a new window) — a drop from the previous three-month period but significantly higher than the number of vacancies recorded for July through September 2019, before the pandemic.

These unfilled jobs have contributed to employees in the labor force often being overworked and burned out. Unfortunately, this problem is only exacerbated for those employees who are working during the holidays while their peers take paid time off.

Combined, these trends create a perfect storm of potential vulnerabilities that could put organizations at greater risk of cyber threats during the holidays, which can cost thousands or even millions of dollars. These vulnerabilities and threats can manifest in several ways.

Lax cybersecurity hygiene

Many large organizations contract with third-party vendors to monitor their technology infrastructure and warn their information technology (IT) and information security (IS) teams of potential dangers in real time. In some cases, these alerts will include directions to take specific actions — for example, to apply software patches to eliminate specific vulnerabilities.

Under “normal” circumstances, IT and IS staff will respond to such alerts quickly, but response times can be slowed if certain employees are out of the office and their teammates/backups are busy with other work, oblivious to the urgency of various alerts or unaware that nobody is monitoring them.

For smaller entities, the responsibility for monitoring alerts from software vendors is generally kept in-house. Alerts can similarly be overlooked or missed entirely due to a lack of staffing and employees in the office being stretched thin with other responsibilities.

The result is that information shared during the holiday season about identified vulnerabilities or new patches that should be applied immediately may not be acted upon until after January 1 — a reality that attackers often count on as they seek to infiltrate corporate systems.

Phishing emails and fraudulent websites

In the second quarter of 2022, global shipping company DHL was the third-most impersonated brand in phishing emails (opens a new window), according to cybersecurity firm Check Point. FedEx (opens a new window), UPS (opens a new window) and some retailers have warned of similar scams, which can increase in frequency during the holiday season.

In such an email, an attacker warns the recipient of a supposed problem in delivering a package, directing the recipient to click on a malicious link where they are required to enter login or credit card information. Phishing emails — including those sent to personal email accounts but accessed on work devices — may also be used to plant malware on corporate systems. Attackers may also use fraudulent websites, which are often spread around major shopping days, such as Boxing Day and Black Friday, to achieve the same goals.

Phishing emails can be used to obtain a treasure trove of information for attackers. Employees’ personal information, such as login and password information, may be used for access to other sources, such as bank accounts. Phishing scams can also result in attackers collecting corporate login and/or credit card details if, for example, an employee has used a corporate shipping account or card to send gifts to fellow employees and/or customers. More importantly, a phishing email may be the means by which malware or ransomware enters an organization’s computer systems.

MFA fatigue

Multifactor authentication (MFA) has become so pervasive that many individuals respond to authentication requests almost instinctively, without taking the time to confirm that a request is genuine. And some enterprising hackers are capitalizing on this trend.

After stealing login credentials, some attackers are executing a form of social engineering that has become known as an MFA scam. Here, an attacker repeatedly attempts to log in to a corporate network, leading to a targeted individual receiving on their mobile device a seemingly endless stream of requests to allow access.

In carrying out these attacks, hackers and other threat actors are counting on a recipient ultimately relenting under pressure and allowing access before realizing their mistake. Even if the mistake is quickly caught, a successful attack can do serious damage to an organization, including putting highly valuable corporate systems and data at risk.

Threat actor strategies and tactics

Threat actors exploit multiple vulnerabilities that may exist in an organization’s computer system. Some of the most frequently targeted include Microsoft Exchange vulnerabilities, many of which have been reported recently (opens a new window), and poorly configured remote desktop protocols in Windows.

Threat actors, however, are always looking for new zero-day vulnerabilities and for ways to exploit them. All too often they succeed.

The most worrisome attacks today involve ransomware. In the past, threat actors would attack an organization by encrypting its computer systems and demanding a ransom in return for a decryption key. But in the first quarter of 2021, nearly 80% of ransomware attacks involved the threat of leaking data stolen from victims’ systems (opens a new window), according to Kroll. This is often referred to as “double extortion” because a victim will have to pay to unlock its system and to prevent the release of the stolen data.

Lockton is aware of “triple extortion,” attacks where a threat actor contacts individuals whose data has been stolen from a victim’s system to encourage them to persuade the victim to pay.

Cyberattacks like these are highly stressful for victims whenever they happen, but the distractions of the holiday season can make them much worse. Threat actors count on this stress contributing to their success.

Preparing for and responding to attacks

As the holiday season approaches, organizations can take several actions to mitigate their potential cyber risk.

One of the most important steps organizations can take is to conduct phishing simulation training. Such training can help employees learn to identify malicious attachments and links and to not share login information with unverified recipients. Instead, employees should understand the importance of verifying emails with unexpected attachments and links, including calling senders at known phone numbers, if possible.

If an employee falls victim to a phishing attack but realizes the mistake, it should be reported to IT support teams immediately. IT should then initiate password changes and determine if there is additional risk because of the attack, which may then trigger notification to a cyber insurance carrier.

Organizations should also be prepared to execute incident response plans. If they have not recently done so, organizations should review and update existing plans before the holidays begin, including ensuring contact information for key participants is accurate. If possible, organizations should conduct internal reviews to ensure all team members understand plans and their specific responsibilities. Tabletop exercises can be especially useful in identifying potential gaps in plans and addressing them before attacks occur.

IT and IS teams should ensure they are aware of vulnerabilities as they are announced and are as diligent in applying vulnerability patches during the holidays as they are during the rest of the year. Specific personnel should be assigned to monitor alerts even in times when business is slow and/or many employees are out of the office to ensure critical patches made available during the holidays are not ignored or delayed.

For more information, contact your Lockton advisor or email cyber@lockton.com (opens a new window).

For more information, visit our Cyber and Technology page. (opens a new window)