Pay Your Cybersecurity Staff More This Christmas

‘Tis the Season: Bogus Discounts and Cybercriminals Want Your Gift Budget

As Christmas approached during the pandemic year of 2020, GoDaddy employees received an unexpected email that seemed to embody the holiday spirit:

Happy Holiday GoDaddy!

2020 has been a record year for GoDaddy, thanks to you!

Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!

To ensure that you receive your one-time bonus in time for the holidays, please select your location and fill out the details by Friday, December 18th.

Click here to choose your location and fill out the details.

Happy Holidays!

However, this cheerful message masked a less festive reality. Those who clicked the link found not a bonus but mandatory phishing-awareness training, an ironic twist that left many feeling they had received coal in their stockings instead.

While the criticism GoDaddy received for this insensitive and tone-deaf phishing test is understandable, it served as a valuable lesson. Threat actors thrive on exploiting vulnerabilities during times of celebration and are unconcerned with the distress they cause their targets. This time of year rings in a surge of deceptive tactics from cybercriminals looking to exploit the festive spirit. There is no honor among thieves.

The Season of Scams

Nowadays, technology has revolutionized how we connect during the holidays, effectively shrinking the barriers of time zones and physical distance. Not long ago, spending time with loved ones required driving long distances fueled by caffeine or shuffling through airport security lines. Thanks to human ingenuity and the mass adoption of the Internet, you can now send your holiday wishes via video calls and virtual gift cards.

Instead of dealing with long checkout lines at department stores or fighting physical battles over TVs on Black Friday, consumers are now flocking to e-commerce sites for Cyber Monday, collectively accounting for $12.4 billion in online spending last year. This figure represents a 9.6% year-over-year increase, even though analysis shows that the vast majority of “deals” are available at the same or a lower price at other times of the year.

This boom in economic activity is a cybercriminal’s wish list come true. People seeking steep discounts or scrambling to find a last-minute gift make easy targets for digital con artists.

The Better Business Bureau maintains an entire database of scams that use pretenses even more insidious than fake holiday bonuses, including:

  • Pet scams: Those looking to add a furry friend to their family may be shocked to learn that an estimated 80% of sponsored pet advertisements may be fake.
  • Fake charities: Scammers will even masquerade as a charity with a righteous cause. These “charities” will trick victims into purchasing expensive items and claim the proceeds will be donated to a cause or those in need. However, the item may not be as advertised or may not be received at all.
  • Fake shipping notifications: Package deliveries skyrocket during the holiday season. Scammers send text or email messages claiming there has been an issue with the delivery of a package. Usually accompanied by a phone number or link, these spoofed messages are used to collect personal and payment information.

Given this context, it becomes believable that 36% of Americans have fallen victim to online shopping scams. When it comes to online bargains, the old adage “too good to be true” rings like jingle bells.

Cybercrime Never Rests

The classic image of a criminal is someone lurking about at night, wearing a ski mask to conceal their identity, testing for unlocked windows and doors. However, most home burglaries actually occur between 10:00 AM and 3:00 PM, when most of us are at school or work.

Similarly, cybercriminals take advantage of the typical work schedule to target organizations when their offices are empty and their defenders are off duty. But unlike physical theft, digital heists can be launched from anywhere, with countless cybercriminals worldwide constantly probing for vulnerabilities in an organization’s online defenses.

According to the Semperis 2024 Ransomware Holiday Report, 96% of the 900 organizations that participated in the study maintain a 24/7 year-round security team. However, 85% admit to scaling back the number of personnel on duty during weekends and holidays by as much as half. Nearly 5% admitted to not having anyone present.

Cybercriminals are aware of this and take advantage of these skeleton crews, with 72% of survey respondents reporting they were attacked during these times. Out of those that were victims of ransomware, this figure is even higher – reaching an alarming 86%. The level of confidence in their security capabilities does not match their true posture either, with 81% believing they possess the necessary expertise to counter identity-related attacks while 83% suffered a successful ransomware attack within the past year.

History has shown that attacks aligning with weekends or holidays are not mere coincidences but rather explicit strategic decisions:

  • June 27, 2017: On the eve of Ukraine’s Constitution Day, the infamous NotPetya malware attack spread across the world, resulting in an estimated $10 billion in damages.
  • May 7th, 2021: The operations of Colonial Pipeline, responsible for 45% of the fuel consumed by the East Coast of the U.S. came to a halt leading into Mother’s Day weekend. The ransomware attack led to state of emergency declarations in 17 states and Washington, D.C. due to fuel shortages.
  • May 30th, 2021: JBS Foods Group, the largest meat supplier in the world, was forced to halt operations in North America and Australia due to a ransomware attack during Memorial Day weekend. After consulting with experts, the company made a ransom payment of $11 million to put an end to the attack.
  • September 5th, 2022: The Los Angeles Unified School District, the second-largest in the U.S., identified a ransomware attack on its networks during Labor Day weekend.
  • December 25th, 2023: On Christmas Day, the Anna Jaques Hospital in Massachusetts was forced to turn away ambulances due to a cyberattack that disabled its health records system. The Money Message ransomware gang claimed responsibility for the attack and the exfiltration of 600 GB of patient data.
  • July 3rd, 2024: The Patelco Credit Union, with over $9 billion in assets and half a million members across dozens of branches in California, was hit with a ransomware attack just before Independence Day. Patelco customers were unable to withdraw more than $500 from ATMs and were unable to access their online accounts.

Security Teams Never Rest

Is it fair to blame these teams operating at half-strength? Employees need sufficient rest and relaxation outside of the workplace to avoid the feeling of burnout, and the cybersecurity industry is no exception.

A study conducted by Hack The Box revealed that 84% of cybersecurity professionals claim to have experienced burnout in 2024, and the financial ramifications attributed to this exhaustion are staggering. On average, the decrease in productivity due to stress and fatigue among medium to large organizations within the United States leads to over $626 million in annual losses.

Even at full staffing, the constant barrage of security alerts overwhelms security teams to the point where many alerts are never addressed. Research shows that an average of 11,000 security alerts are received every day, with 28% of them left unresolved.

Not only are the alert queues generated by IDSs and SIEMs larger than can be handled, the National Vulnerability Database is backlogged too. In May of this year, 93.4% of new vulnerabilities, and 50.8% of those known to be exploited in the wild, were still awaiting analysis by the National Institute of Standards and Technology.

This high burnout rate, combined with a critical shortage of skilled security workers, is a troubling combination. According to IBM, organizations with a shortage of experienced cybersecurity professionals saw an average increase of $860,000 in data-breach-related costs. The same report found that IT failures or human error were to blame for nearly half of all breaches, demonstrating just how risky it is when staff are not operating at their full potential.

With exhausted workers, budget cuts, mass layoffs, and skeleton crews defending against the busiest time of the year for online shopping – it is no wonder that scammers and hackers are more active this time of year. It is arguable that those within information security are most deserving of time off.

Secure the Season

During this time of year, many articles offer tips on how to bolster security in anticipation of the end-of-year holiday season. However, as any CISO knows, these measures are relevant year-round and are likely already in place.

One often-overlooked suggestion, yet one of the most effective, is this: communicate the importance of adequate staffing and budget to higher-ups. While no one wants to work through the holiday break (or even be on-call), this critical duty can be incentivized. Not only are your employees sacrificing time with loved ones, but the increased threat activity during the holidays also means a heavier workload.

Consider offering extra days off after the holiday rush for those willing to shoulder this burden, or providing additional overtime pay or bonuses. Even if you don’t have the authority to make these decisions yourself, work through the chain of command to ensure that you and your team are fairly compensated for this stressful time of year.

By prioritizing cybersecurity staffing and resources during the holidays, organizations can better shield themselves from the relentless tactics of cybercriminals, ensuring a safer and more secure festive season for all. Stay safe and Happy Holidays!
