© 2020 Content Security Pty Ltd.


5 Festive scams and phishing attacks to look out for this year

The festive season is rife with fraudsters looking to take advantage of people opening their wallets and feeling merry. Here are 5 scams to look out for not only during the holiday season, but the rest of the year as well.

Why are businesses more vulnerable this year?

Phishing emails are already a highly popular threat vector, but at this time of year staff are more distracted by festivities. Expecting parcels, buying gifts and donating to charity, staff may click, download or disclose information without thinking twice. In a festive mindset they are more susceptible to scams and are more likely to click links in emails or text messages disguised as coming from retailers, parcel services and banks.

The Coronavirus pandemic has shifted the way we work

Given the current climate, users are more likely to be working from home, which means the traditional perimeter of the corporate network is disappearing. Many companies have no policy covering how devices are used outside the office (for example a Bring Your Own Device (BYOD) or remote-working policy), which leaves corporate devices exposed while users work remotely. Moreover, traditional controls such as firewalls can only inspect traffic travelling into, through and out of the corporate network; a laptop on a home network sits outside that control entirely.

Users may be accessing emails and websites that pose a risk to the business: in the short term this may lead to compromised credentials and exfiltration of data stored locally on the device. In the long term it may result in a widespread attack once the infected device re-joins the corporate network and can reach far more data.

Blurred lines between corporate and personal matters

The other threat users pose is that they may be using corporate devices for personal matters and social media. Most organisations run an email filter that only scans mail addressed to the company's own domain, so if a user opens their personal webmail in a browser on a company device, the gateway never sees those messages or their attachments, and the device is exposed to email-borne threats that would otherwise have been blocked.

Downloading such attachments can lead to the corporate device being infected with malware and ransomware. This can be detrimental to remote users if onsite support is required to bring the device back up to an operating state, and it could result in exfiltration of both company and personal data.

What are common best practices your business should be following?

Staff should use corporate devices for business purposes only

Personal emails and social media should not be accessible via corporate computer, tablet or mobile phone. This will minimise the risk of any email and online related threats impacting your business. Corporate emails should not be used for personal matters such as online purchasing.

Ensure a multi-layered cyber security platform is in place

This is to make sure that activity from every vector, whether via email or the web, is being monitored and checked, minimising the risk of a successful attack on a user. A basic platform may include endpoint protection on each device, a web and email filter to catch threats in transit, and a firewall to monitor traffic entering and leaving the network.

Staff must be educated on the cyber threat landscape

Staff need to be vigilant about the types of threats they may face. Remember: the user is the weakest link in any organisation. All users should be aware of:

  • How data is shared;
  • What risk it can pose to an individual/organisation; and 
  • How to identify and respond to common threats that may come from vectors such as emails, websites, texts and phone calls.

These are 5 phishing-related scams to look out for this season:

1. Shipping notification scams:

Millions of packages are being sent during the festive season and if you are expecting a parcel from or for family and friends it is important to stay on top of parcel delivery scams. Scammers may text or email pretending to be a parcel delivery service such as Australia Post, UPS, or DHL.

Typically the fraudster will send a ‘delivery failure’ message, suggesting the package could not be delivered while you were out. There is usually a file or link attached asking you to pay a customs charge or provide details to arrange a better delivery time. This may lead to compromised credentials, financial theft or malware installation. For example (the original post shows a screenshot of a text message impersonating UPS whose link points at a bit.do address):


How to protect yourself:

  • Avoid clicking on links or downloading attachments, especially if the message contains spelling or grammatical errors. Be wary if the sender is asking you to pay ‘unpaid customs charges’ or similar. In an email client, hover over the link to see where it really points; the visible text and the actual destination can differ. For example, the link in the text message above goes to the bit.do shortener when a genuine UPS notification would link to ups.com. Keep in mind that a destination can still be a lookalike domain or a shortener that redirects elsewhere, so the domain check is a first filter, not proof of legitimacy.
  • Check that the tracking number matches the one in your order confirmation email, and verify which parcel service the company you purchased from actually uses.
  • Avoid providing any personal information, such as contact, bank account or credit card details.
  • If you are unsure go back to the website you originally purchased the goods from and login from there. Never use a provided link as it may be spoofing or masking the real URL.
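The domain check described above can be automated. The script below is an added illustration, not code from the original post or from Content Security: it pulls the links out of a delivery notification and classifies each one against the carrier the message claims to come from, catching the cases a quick glance misses (a URL shortener, a raw IP address, a decoy such as `http://ups.com@203.0.113.5/`, and a brand name buried inside an unrelated domain). The carrier-to-domain table and the sample messages are constructed for the demo and are assumptions; confirm a carrier's real tracking domain before relying on this.

```python
"""Classify links in a parcel-delivery message against the carrier it claims to be from.

Added illustration, not part of the original post. The carrier-to-domain table is
assumed demo data (verify the real domains yourself) and the sample messages are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumed legitimate domains per carrier named in the article (demo data, verify before use).
EXPECTED_DOMAINS = {
    "ups": ["ups.com"],
    "dhl": ["dhl.com"],
    "australia post": ["auspost.com.au"],
}

# Public URL shorteners: a carrier has no reason to hide its own tracking link.
KNOWN_SHORTENERS = {"bit.do", "bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def extract_links(text):
    """Return every http(s)/www link found in a message body."""
    return URL_RE.findall(text)


def link_host(url):
    """Hostname the browser would actually connect to.

    urlsplit().hostname discards the userinfo part before '@', so a decoy such as
    http://ups.com@203.0.113.5/ resolves to 203.0.113.5, not ups.com.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (www.ups.com is under ups.com)."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, claimed_carrier):
    """Verdict for one link given the carrier the message claims to be from."""
    host = link_host(url)
    expected = EXPECTED_DOMAINS.get(claimed_carrier.lower(), [])
    if not host:
        return "no-host"
    if any(under_domain(host, d) for d in expected):
        return "ok"
    if host in KNOWN_SHORTENERS:
        return "shortener"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "raw-ip"
    # Brand name present as a label of an unrelated domain, e.g. ups.com.evil.example
    # or ups-delivery.example: the brand appears, but not as the registered domain.
    for d in expected:
        brand = d.split(".")[0]
        if re.search(r"(?:^|[.-])" + re.escape(brand) + r"(?:[.-]|$)", host):
            return "lookalike"
    return "mismatch"


def scan_message(text, claimed_carrier):
    """Classify every link; the message is suspicious unless every link is 'ok'."""
    verdicts = [(u, classify_link(u, claimed_carrier)) for u in extract_links(text)]
    suspicious = any(v != "ok" for _, v in verdicts)
    return verdicts, suspicious


# Constructed sample messages (not real SMS captures).
SAMPLES = [
    ("UPS: parcel 1Z999 could not be delivered. Pay the outstanding customs charge at "
     "http://bit.do/xyz123 to rebook.", "UPS"),
    ("UPS: your parcel is on its way, track it at https://www.ups.com/track?tracknum=1Z999", "UPS"),
    ("UPS delivery failed. Confirm your address: http://ups.com@203.0.113.5/redeliver", "UPS"),
    ("UPS: customs fee due, see http://ups.com.delivery-update.example/customs", "UPS"),
]

if __name__ == "__main__":
    for body, carrier in SAMPLES:
        verdicts, suspicious = scan_message(body, carrier)
        print("SUSPICIOUS" if suspicious else "ok        ", verdicts)
```

Only the second sample comes back clean; the other three are flagged as a shortener, a raw IP hidden behind a `ups.com@` decoy, and a lookalike domain respectively. A match against the expected domain is a necessary condition, not a sufficient one: the safest step remains the one in the list above, going to the retailer's site yourself rather than following any link in the message.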

2. Holiday accommodation scams:

Whether you’re vacationing closer to home or spending the holidays overseas this festive season, you need to look out for fake accommodation offers, fraudulent travel deals and scammers emailing you to transfer upfront deposits for lodgings.

How to protect yourself:

  • Before booking a hotel or other accommodation, check that the offer is genuine by searching for its terms and comparing it against the hotel's legitimate website.
  • Never provide contact or financial information to someone you don’t know or trust.

3. Gift voucher and free product scams:

These are typically distributed via social networking sites and other advertisements, such as surveys and questionnaires. They offer fake gift cards and other free products in exchange for personal details. The prize never arrives and no reward is paid even if you complete the survey; the scammer simply uses your details to commit further fraud.

How to protect yourself:

  • Never click on suspicious links on social media, especially if you suspect the friend or connection who posted it has been hacked.
  • Again, avoid accessing social media or other personal accounts on corporate devices to minimise risk.
  • Be cautious when filling in online questionnaires, especially those that offer free products. Avoid giving out your personally identifiable information (PII).
  • If you have provided your bank details in the hope of financial reward, contact your bank or financial institution immediately.

4. Online shopping scams:

Scammers will post fake classified advertisements, auction listings and bogus websites to coax people into buying products at a much lower price than other sites.

Losses to online shopping scams increased by 42 per cent in 2020, and the ACCC’s Scamwatch has received over 12,000 reports of online shopping scams with around $7M in reported losses. Losses on classified websites such as Facebook Marketplace and Gumtree have also increased, by 60 per cent to $4.5M [1].

How to protect yourself:

  • Don’t be pressured by special offers. Take your time to consider who you are dealing with and do your research on seller/website reviews.
  • If it is a well-known brand such as JB Hi-Fi check the validity of the sale via their official website. Never use a link provided in an email or text message as they may be masking the true URL.
  • These are the top ten products involved in online shopping and classified scams, so be especially careful when shopping for: pets, shoes, vehicles, phones, drones, clothing, toys, gaming consoles, barbecues and handbags [2].

5. Charity scams:

These scams are typically executed door-to-door, via telephone or online. They are more successful around this time of year, as many legitimate charities appeal for donations of money, food, clothing and more. The scammers operate in one of two ways:

1. They might pose as a volunteer from a legitimate charity/entity looking to raise funds on their behalf.

2. They will create an entirely bogus charity, stringing a narrative together about the need for donations of gifts and money during this festive time.

How to protect yourself:

  • If a charity approaches your business for a donation and you are suspicious of a volunteer’s requests, let them know you will visit the legitimate website and make a donation at a more suitable time.
  • Don’t rely on any phone number or website address given to you by the person who called, visited or emailed you from the charity. Do independent research for the charity name online to find any recent scam reports.

For more information please contact our cybersecurity professionals today.
