That Personal Email May Not Be Personal at All … or How to Spot Phishing During the Holiday Season

Published: December 21, 2018 by Michael Gross

Woman on phone holding paperwork.

I nearly made a bad mistake a couple of weeks ago after I received an email from a top online retailer stating there was a “problem with my recent order.” I had recently purchased several items and knew that any delay would jeopardize my holiday gift delivery. I was just about to click the “Login” button and then stopped. Thankfully, I had the presence of mind to double-check the sender, and it wasn’t my favorite shopping site after all – just a really good fake email from a phishy sender.

I had almost fallen victim to one of the oldest and most common fraud scams in the book — a phishing email. Phishing is the fraudulent practice of sending emails that claim to be from a reputable company. Fraudsters do this to get recipients to click a link and reveal personal information, like passwords and credit card numbers. Sometimes the link installs malware on your mobile device or computer, or it directs you to a fake storefront that harvests bank account details or the identity information needed to open new fraudulent accounts in your name.

First, I thought, “Wow, what a dumb mistake, especially given our focus at work.” But phishing scams today have become more sophisticated and personal. We are all busy with life – our work, family, commute, and dinner plans, along with keeping up on the latest news cycle. Virtually anyone could be inclined to quickly click on a link stating there is an issue with their recent order.

The best phishing scams are those that appear to come from a trusted source and reference real information about you, one of your recent shopping orders, or your personal preferences. Sometimes, a scam can even take the form of an “update” on the delivery of your recent orders, and you might rush into clicking links to resolve the problem.
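“Double-check the sender” is the one step that saved me above, and it can be done mechanically before anything is clicked. The following is an added example, not Experian’s code: it parses a suspicious order email, compares the sender’s address domain with the retailer’s real domain, and checks where every link actually points. The sample message, the brand domain `example-shop.com`, and the function names are constructed for this example; a production tool would also use the public suffix list rather than a plain suffix match.

```python
"""Triage a suspicious retail-order email without clicking anything.

Added example: checks the sender address and every link target against
the domain the message claims to come from. The sample message and the
trusted domain below are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name claims a retailer; the address and
# the "Login" link do not belong to it.
SAMPLE_EMAIL = """\
From: "Example Shop Orders" <orders@example-shop-support.co>
To: customer@example.org
Subject: Problem with your recent order #48213
Content-Type: text/html; charset=utf-8

<html><body>
<p>There is a problem with your recent order.</p>
<p><a href="https://example-shop.com.login-verify.co/account">Login</a> to resolve it.</p>
<p><a href="https://example-shop.com/help">Help center</a></p>
</body></html>
"""

# The domain the legitimate retailer actually uses (assumption for the example).
TRUSTED_DOMAIN = "example-shop.com"

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def same_org(host: str, trusted: str) -> bool:
    """True only if host is the trusted domain or a subdomain of it.

    'example-shop.com.login-verify.co' is NOT a match: the trusted name is
    merely a prefix label of an unrelated domain.
    """
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def triage(raw: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Return sender/link findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    body = msg.get_payload(decode=True)
    text = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""

    findings = []
    if not same_org(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain!r} is not {trusted!r}")

    suspicious_links = []
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname or ""
        if same_org(host, trusted):
            continue
        suspicious_links.append(url)
        if trusted in host:  # the classic lookalike trick
            findings.append(f"lookalike host embeds {trusted!r}: {host}")
    if suspicious_links:
        findings.append(f"{len(suspicious_links)} link(s) lead away from {trusted!r}")

    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "suspicious_links": suspicious_links,
        "findings": findings,
        "verdict": "suspicious" if findings else "no mismatch found",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"])
    for finding in result["findings"]:
        print("!", finding)
```

The check deliberately ignores the display name (“Example Shop Orders”), because that is free text the sender controls; only the address domain and the link hosts carry any signal. A friendly “Help center” link to the real site does not rescue a message whose “Login” button leaves it.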

Know then trust

What makes phishing scams so effective is how personal they are. A message that appears to come from a source you already trust and references something real – you, a recent order, a preference you have shared – reads as legitimate rather than suspicious, and a manufactured “issue” or “delay” supplies the urgency that gets you to click before you check.

One extremely lucrative attack that comes to mind is a recent scheme against a UK bank, in which fraudsters first obtained customers’ online banking credentials, logged in, and attempted fraudulent wire transfers. Posing as bank employees, the fraudsters then phoned the accountholders to “warn” them that a fraudulent wire transfer had just been attempted on their account. To let the bank cancel the wire, they said, the accountholder needed to read back a confirmation code that would arrive on their mobile device momentarily, to confirm their identity.

What the accountholders didn’t realize is that the code was the bank’s standard one-time password: it is sent to the mobile number on file to confirm that an unusual transfer is genuine, not to stop one. So when the passcode arrived, the accountholders read it to the fraudsters over the phone and, in doing so, authorized the very transfers the fraudsters had just submitted.

Oh phishing fraud… Oh phishing fraud…

But what about the holidays, you ask? Given our chaotic lives, fraudsters love to use phishing during the holidays.

Attackers generally focus on major online retailers because that gives them the largest possible pool of victims. Many consumers have enabled two-factor authentication on their accounts with top retailers, but fraudsters can turn that to their advantage if you’re not vigilant. For example, a scammer sends an email suggesting there is a problem with your recent order. When you click the link to check on it, the fake site mimics the retailer’s login page and then shows a pop-up saying you’re signing in from a device the account hasn’t seen before.

Without thinking too far into it, you enter the one-time passcode that arrives on your phone to confirm your identity. That passcode is real: the attacker has just submitted your captured username and password to the genuine retailer, which sent the code to you, and the fake page simply relays it back. The attacker is now logged in as you, can purchase goods using the payment information on file, and can have them shipped to an alternate address.

Another effective method for fraudsters is to leverage mediums that billions of consumers around the world use daily, like social media. This is the time of year when everyone is sharing photos and links with friends and family – a prime opportunity for fraudsters to use malware or keyloggers to take over social media accounts, masquerade as you, and amplify the attack by messaging all of your connections. And since fraudsters can just as easily take advantage of the latest advances in AI and machine learning, scams are more sophisticated than ever before.

Today’s attacks often run on large, globally distributed sending infrastructure to make mass campaigns appear personal – to look like messages from a friend, family member, or other connection. They know your name, mention something personal they found in one of your social media posts, and ask you to do something – like click on the latest viral video or picture. This can all be done automatically and sent to millions of people at the touch of a button.

Send phishing scams on their way

I know this all seems insurmountable, but there are things that businesses and consumers can do to identify whether they’ve been a victim and to avoid becoming one. From a business perspective, the most effective approach is to assess users’ historical behavior and look for departures from it.

Are you seeing a large number of customers trying to move similar amounts to recently linked accounts, or purchasing huge volumes of in-demand items? Is the contact center getting a lot of calls claiming fraud? Either can be an early sign of an active campaign. Businesses can closely monitor transactions, educate their employees and customers not to click on untrusted links, and make sure more than one person has to sign off on any account change or large money transfer.
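The first screening question above – many customers moving similar amounts to recently linked accounts – can be expressed directly as a rule over a transfer log. The following is an added example, not Experian’s code, showing one way to do that: it keeps only transfers whose payee was linked shortly before the money moved, then looks for several distinct customers sending amounts in the same bucket inside a sliding time window. The log lines, field layout and thresholds are constructed assumptions for the example; a real system would tune them against its own history.

```python
"""Velocity check over a constructed transfer log.

Added example (not Experian's code): flags clusters of transfers where
several distinct customers send similar amounts to payees they linked only
hours earlier. Log format, field names and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed log: customer, transfer time, payee, when the payee was linked, amount.
LOG = """\
c1001,2018-12-19T09:05:00,payee-77,2018-12-19T08:40:00,2490.00
c1002,2018-12-19T09:12:00,payee-77,2018-12-19T08:55:00,2495.00
c1003,2018-12-19T09:20:00,payee-81,2018-12-19T09:01:00,2500.00
c1004,2018-12-19T09:33:00,payee-77,2018-12-19T09:15:00,2480.00
c2001,2018-12-19T10:02:00,payee-12,2017-03-02T11:00:00,2500.00
c2002,2018-12-19T10:40:00,payee-13,2018-11-01T11:00:00,75.20
c1005,2018-12-19T11:58:00,payee-81,2018-12-19T11:30:00,2510.00
"""

RECENT_LINK = timedelta(hours=24)   # payee linked less than this before the transfer
WINDOW = timedelta(hours=2)         # sliding window for counting customers
AMOUNT_BUCKET = 100.0               # amounts rounding to the same bucket count as "similar"
MIN_CUSTOMERS = 3                   # distinct customers needed to raise an alert


def parse_log(text):
    """Parse the CSV-style log above into dicts with real datetimes/floats."""
    rows = []
    for line in text.strip().splitlines():
        cust, ts, payee, linked, amount = line.split(",")
        rows.append({
            "customer": cust,
            "ts": datetime.fromisoformat(ts),
            "payee": payee,
            "linked": datetime.fromisoformat(linked),
            "amount": float(amount),
        })
    return rows


def recent_link_transfers(rows, recent=RECENT_LINK):
    """Transfers where the payee was linked shortly before the money moved.

    A payee linked 18 months ago (c2001) is normal behaviour and drops out
    even though the amount matches the suspicious cluster.
    """
    return [r for r in rows if timedelta(0) <= r["ts"] - r["linked"] < recent]


def velocity_alerts(rows, window=WINDOW, bucket=AMOUNT_BUCKET, min_customers=MIN_CUSTOMERS):
    """Alert when >= min_customers distinct customers send amounts in the same
    bucket to recently linked payees inside one sliding window.

    Overlapping windows that add no new customers are folded into the
    previous alert so one campaign produces one alert.
    """
    suspects = sorted(recent_link_transfers(rows), key=lambda r: r["ts"])
    alerts = []
    for i, anchor in enumerate(suspects):
        key = round(anchor["amount"] / bucket)
        customers = set()
        for r in suspects[i:]:
            if r["ts"] - anchor["ts"] > window:
                break
            if round(r["amount"] / bucket) == key:
                customers.add(r["customer"])
        already_covered = alerts and customers <= set(alerts[-1]["customers"])
        if len(customers) >= min_customers and not already_covered:
            alerts.append({
                "window_start": anchor["ts"],
                "amount_bucket": key * bucket,
                "customers": sorted(customers),
            })
    return alerts


if __name__ == "__main__":
    for alert in velocity_alerts(parse_log(LOG)):
        print(alert["window_start"], alert["amount_bucket"], alert["customers"])
```

On the constructed log this raises a single alert for the four customers who each sent roughly 2,500 to a payee linked less than an hour earlier between 09:05 and 09:33; the lone late transfer from c1005 and the two long-standing payees are left alone. The same shape of rule, with the amount bucket swapped for a product SKU and the payee for a shipping address, covers the “huge volumes of in-demand items” case.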

For consumers, the number one thing you can do is to immediately contact the organization or financial institution where you were victimized. I know this takes time out of an already busy day, but it provides the best chance of recouping any lost funds. The other thing you can do is to immediately notify your social contacts about the scam if you’ve fallen victim. That way, others can protect themselves and help limit the damage and spread of any phishing incident.

My experience with an “almost” phishing scam is that no one is immune. But the more everyone is aware of the potential consequences and how they can protect themselves, the less likely phishing attempts will be successful.

Check out the Experian Insights blog to learn more about how Experian helps businesses and consumers during the holidays and throughout the year.