The holiday season marks an especially busy time of year for many companies, but experts warn that scammers and other cyber criminals are looking to take advantage of their end-of-the-year scrambling to score big paydays.
Workers might be eager to click on emails that include mentions of holiday parties or end-of-the-year bonuses, and it’s likely that many also will be doing some non-work-related shopping on their company-issued devices. Those activities potentially open up their employers to online risks.
Meanwhile, many businesses could see their reputations threatened by scammers who look to impersonate their company’s names and brands as part of scams that involve everything from fake seasonal job offers to counterfeit merchandise.
“This always happens this time of year,” said Selena Larson, staff threat researcher at the cybersecurity company Proofpoint. “[Cybercriminals] start incorporating these types of lures and themes. And, to me, it’s kind of interesting. If they’re doing it every year, they must be successful.”
In its November advisory, Google Security also noted the prevalence of holiday-themed scams, warning businesses to be on the lookout for potential Black Friday and Cyber Monday related financial fraud.
All of this comes at a time when cyber criminals are using advanced social engineering techniques combined with artificial intelligence and other automated technology tools to craft much more sophisticated scams at a larger scale than ever before.
That all may seem daunting, but Larson and other experts say there are steps companies can take to protect themselves. Here’s a look at some of the top online threats facing businesses—and what you can do about them.
Holiday-themed social engineering
Cybercriminals are using combinations of sophisticated social engineering and AI tools to create highly customized emails, texts and other communications designed to dupe people into doing things they normally wouldn’t.
This time of year, that could mean tricking an administrative assistant into buying a pile of gift cards they think are for company holiday gifts and sending them to a scammer they think is an executive. Other workers might inadvertently hand over their company credentials or personal information to online thieves because they believe it will get them signed up for a holiday party or expedite their annual bonus.
While they once had to do their research by hand, spending hours mining social media networks like LinkedIn to gather details, then target just a few people, cybercriminals can now automate the process, using AI to craft scam emails in just a matter of minutes and target countless people, says Gavin Reid, HUMAN Security’s chief information security officer.
While the scam may start with an email, criminals will also trick targets into moving communications off email and to alternative methods like encrypted messaging services, such as WhatsApp, or phone calls, which help them avoid company detection.
These kinds of scams are often associated with consumers, but Reid says companies are the real targets. Smaller businesses with less advanced cyber defenses are easier marks, but larger ones have more money to lose.
“For the scammers, the bigger the better,” Reid said.
Impersonation scams
Not surprisingly, retailers are some of the most at risk during the holiday season. Google notes that criminals will set up fake websites that impersonate well-known brands, offering amazing deals on hard-to-find gifts, tricking shoppers into buying counterfeit merchandise or handing over their credit card and other personal information.
The criminals use not just emails, but also scam texts and ads posted on social media to get shoppers to the fake sites, rather than the legitimate ones they would have reached through an online search.
Companies such as Amazon, Best Buy and PayPal have all been frequently impersonated by scammers in the past, according to the FTC. In addition, according to a recent study done by McAfee, luxury gift brands, including Coach, Dior, and Ralph Lauren, were some of the most impersonated brands this year.
The price businesses pay for that is in the form of damage to their reputations. If shoppers aren’t confident that the site they’re shopping on is legit, they’re going to take their money elsewhere, Reid says.
“I think it’s important, especially for retailers, that companies have a point of presence that people can see and use, rather than go to third-party retailers,” Reid said. He adds that it’s when people can’t find what they need on a regular retail website that they start shopping around on potentially scammy ones.
In addition, companies could suffer a data breach or end up with malware on their systems if they don’t have adequate cyber defenses in place.
Larson notes that companies are being increasingly hit with so-called “ClickFix” attacks. In these kinds of attacks, an employee could be doing some shopping on a questionable website and get a pop-up notification telling them that there is something wrong with their computer. They just need to “fix” it by copying a block of text and pasting it into PowerShell, a Windows tool that lets users run commands and programs.
But instead of fixing their computer, the text will actually run a script that infects their machine, and potentially their company’s systems, with malware.
How to protect your company
It can be tough for companies to fight back against these scams, especially if they don’t have a big security budget. But strong security practices that should be in use all year long will go a long way toward protecting against holiday scams, Larson says.
A large part of that is basic security awareness training for all employees, she says, making sure that workers know how to identify phishing emails and other scams.
Company systems should also be locked down. If an employee doesn’t need access to a particular system or feature, don’t give it to them, Larson says. For example, most people outside of an IT department don’t need access to PowerShell. Disabling that would prevent many ClickFix scams.
“We know that people will make mistakes,” Larson said. “What’s important is being able to stop them before they get very bad.”
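An added example, not from the article or from Proofpoint: before removing PowerShell from non-IT accounts as described above, an audit of process-creation records shows which accounts actually launch it and whether a person or a program did so. The record fields, account names, allow list and the `agent.exe` parent are constructed for illustration.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# A shell whose parent is Explorer was opened by the person at the keyboard.
INTERACTIVE_PARENTS = {"explorer.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records; field names are an assumed, simplified log schema.
SAMPLE_EVENTS = [
    {"user": r"CORP\jdoe", "image": PS, "parent": r"C:\Windows\explorer.exe"},
    {"user": r"CORP\admin.lee", "image": PS, "parent": r"C:\Windows\explorer.exe"},
    {"user": r"CORP\jdoe", "image": r"C:\Apps\browser.exe", "parent": r"C:\Windows\explorer.exe"},
    {"user": r"CORP\msmith", "image": PS, "parent": r"C:\Program Files\Vendor\agent.exe"},
    {"user": r"CORP\jdoe", "image": PS, "parent": r"C:\Windows\explorer.exe"},
]
IT_STAFF = {r"corp\admin.lee"}  # hypothetical allow list, lower-cased


def audit_powershell_use(events, it_staff):
    """Return PowerShell launches by accounts outside the IT allow list."""
    findings = []
    for ev in events:
        if basename(ev["image"]).lower() not in POWERSHELL_HOSTS:
            continue
        if ev["user"].lower() in it_staff:
            continue
        parent = basename(ev["parent"]).lower()
        # Software that drives PowerShell for the user would break under a
        # blanket block, so report it separately from hand-opened shells.
        kind = "interactive" if parent in INTERACTIVE_PARENTS else f"spawned-by:{parent}"
        findings.append({**ev, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per (account, launch kind) for review."""
    return Counter((f["user"].lower(), f["kind"]) for f in findings)


if __name__ == "__main__":
    report = summarize(audit_powershell_use(SAMPLE_EVENTS, IT_STAFF))
    for (user, kind), n in sorted(report.items()):
        print(f"{user:16} {kind:24} {n}")
```

Accounts that only appear as "interactive" are the ones a block would protect; "spawned-by" entries point to software that needs an exception or a replacement first.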
Bree Fowler