Don’t Get Reeled in by Holiday Phishing Attacks



We expect the holiday season to be a time of good cheer, and peace and goodwill to all, right? Except cyberattackers didn't get the memo. They are more likely to attack businesses with phishing attempts during the holidays. Prevent issues by knowing what to expect.


Cybercrime research shows the season “dramatically impacts” the volume of phishing attacks. Phishing attacks “spiked to more than 150% above average” the week before Christmas. After the holidays, the number of attacks dwindled significantly, according to Barracuda research.


Why would hackers target a business during the holidays? Because they know things can slow down and people aren't paying the same diligent attention. Employees are already mentally out the door, sipping eggnog and planning where to do last-minute shopping. Oops! They click on a malicious link or fill out a form seeking sensitive information.


Or attackers expect you're overwhelmed, trying to get everything done before the holidays. Purchase orders, bills, and emails are flying around. They bank on people overlooking details.


The Basics of Phishing


Phishing uses social engineering to expose security weaknesses and leverages potential vulnerabilities. The hacker dupes someone into responding to a fake request from a bank, vendor, or colleague. Attackers are hoping to get a nibble from unsuspecting employees who don’t think to:

  • check the spelling of the URLs in email links;

  • be wary of URL redirects to fake sites made to look legitimate;

  • question why Jamie in HR needs their access credentials;

  • contact the sender of a suspicious email for confirmation before responding.

During this season at the office, everything can feel urgent, and employees are more likely to fall for emails telling them to do something right now. They might not notice that the invoice from a usual supplier has a new bank account number, or they could fall for something dumb because they are distracted or too busy.


Top email subject lines that target employees for phishing attempts include:

  • “Undelivered mail”

  • “HR: Your Action Required”

  • “HR: Download your W2 now”

  • “Microsoft Teams: Rick sent you a message.”

It's easy to imagine how someone would click on those without thinking twice.


What to Do About Phishing