Protect yourself and your organization from holiday scams

The holiday season is something many of us look forward to each year. Unfortunately, it’s a “most wonderful time of the year” for bad actors and cyber attackers as well. To help keep you and your team safe, we’ve put together a few tips to protect you from potential cyber threats. 

Tips to Protect Yourself From Potential Cyber Threats

Watch for phishing attacks 

Phishing attacks are always a favorite, especially in retail and doubly so during the holidays. According to a recent article [1], hackers try to take advantage of the busy season by targeting users through phishing attacks, such as fake emails that appear to come from retailers or well-known organizations that are popular during the holidays.

During a recent Fortified Roundtable, several attendees shared stories of people they know who’ve fallen victim to phishing attacks this year. User education on phishing attacks is one of the first lines of defense – and quite impactful. Reminders about phishing attacks during the holidays are also a great way to help raise awareness.

If you, or anyone you know, personally falls victim to a phishing scam, the Federal Trade Commission has resources [3] to help identify and report the incident. And as always, you can contact the Fortified team with any questions or for help educating your organization about phishing.

Shopping Tips 

As much as we might like to lock down our company networks to prevent employees from browsing social media or shopping online, it’s just not feasible, nor does it foster good employer-employee relations. But the reality is that e-commerce drives online fraud. If you make online purchases, not even the most reputable retailers can guarantee your personal data’s safety. We advise you to educate your employees about the importance of keeping personal and business accounts (email, payment, shipping) separate, to limit the chances of a crossover malware infection. 

Segmentation of personal and business accounts will also help in the event there’s an incident involving financial institutions or information. Fraud is high this time of year, with threat actors seeking to drain any account [4]. Again, reminders to your team about cyber hygiene best practices are advised.

One of Fortified Health Security’s partners, KnowBe4, offers the following considerations [5] for making online purchases, which are valuable tips that can be shared with your team:

  • Refrain from shopping on social media 
  • Only browse and shop on sites you’re familiar with or that are reputable 
  • Verify links by checking domain spellings – malicious sites often have slight modifications or can also be entirely unfamiliar
  • Monitor credit card usage after transactions 
  • Verify confirmation emails are authentic before clicking on anything 
  • Check to ensure the domain is secure (https vs. http) 

Another important tip for your team is to remind them not to click links in emails asking to verify information. Instead, advise them to navigate to the account’s website directly, log into their account, and verify the request.

Password and Multifactor Authentication

This is a great time of year to do something you and your team may have been putting off…changing passwords and activating Multifactor Authentication (MFA), which usually involves setting up an additional layer of security such as a PIN or a question-and-answer challenge. Let’s be honest, at least one account (or more!) has been bugging you about a password change or enabling MFA for a while now.

Some best practices on passwords:

  • Change passwords at least every 90 days. Many organizations have more rigorous standards, but this is a baseline.
  • Storing passwords in your browser is handy, but it’s not secure. 
  • Avoid password reuse, and if possible, implement procedures to prevent users from reusing “most” of a previous password.

Mixed passwords are not easy to recall, but password managers can help manage them. Tim Ramsey, Director of Threat Assessment Operations at Fortified, advises, “Password managers are a great security enabler, especially when considering the recommendation of avoiding password reuse. But the password manager itself should be protected by a complex and lengthy password, passphrase, or even a full sentence. Password managers also make it easier to use complex passwords, both personally and professionally, because the burden of remembering all those different credentials goes by the wayside.”

If you haven’t enabled MFA on your accounts, consider making it a resolution for 2023. It can take a little bit of time but can save you or your healthcare organization from a major incident. A recent Dark Reading [6] article titled “Is MFA the vegetable of cybersecurity?” hits the point in the title (as in, something no one likes). So, take some time over the next few weeks and “eat some veggies.”

That same article shared some eye-opening statistics:

  • There are 921 password attacks every second — almost double what we saw a year ago. 
  • Basic security hygiene, like multifactor authentication (MFA), can protect against 98% of attacks.

Unlike that fitness resolution that can take months to deliver results, doing a significant amount of cyber hygiene and turning on MFA can be done in a few hours – and will protect your healthcare organizations, patients, and personal information.  

Things to remember 

Cybersecurity doesn’t have to be difficult to be effective, at home or in the office. 

Jason Stewart, a VISO at Fortified, proposes the following simple steps everyone can take to be more secure: “The key is to warn people to be suspicious of anything that makes you anxious in the slightest – whether it’s about a package delivery delay or a purchase that you don’t remember making.”  

Retail and healthcare organizations are especially vulnerable during the holiday season, so stay safe and know that Fortified is always here to help. Get connected to the Fortified Ecosystem [7] for the latest cybersecurity threat news, education programming, and invitations to exclusive events.

  1. https://www.axios.com/2022/11/22/retailers-holiday-shopping-cyberattack-phishing-scams 
  2. https://rhisac.org/wp-content/uploads/Holiday-Trends-Report-2022_White.pdf  
  3. https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
  4. https://www.forbes.com/advisor/personal-finance/online-shopping-scams
  5. https://www.spiceworks.com/it-security/cyber-risk-management/articles/cybersecurity-threats-in-the-holiday-season
  6. https://www.darkreading.com/microsoft/is-mfa-the-vegetable-of-cybersecurity-  
  7. https://fortifiedhealthsecurity.com/getconnected/