TASB Risk Management Fund
INSIDERM

While You're Celebrating the Holidays, Cybercriminals Are on the Job

December 14, 2020 Jessica Clark, David Wylie, and Lucas Anderson

With the holiday season in full swing, school districts should remain on high alert for cybercriminals looking to take advantage of the hustle and bustle. We encourage everyone to take extra precautions to avoid landing on Santa’s naughty list, or worse, falling victim to cyberattacks during the holidays.

Ho ho hold on before you click that link

Cybercriminals commonly pose as banks, retailers, and package-delivery services such as Amazon, the United States Postal Service, and other legitimate organizations. Their goal is to trick you into clicking on a link that will infect your computer or steal your login information. Common emails include can’t-miss bargains, fake shipping confirmations, and notifications about fraudulent charges on your account. Avoid that lump of coal this holiday season by thinking twice before responding. Instead, search Google for reports that the email is a scam. You should also check out these tips for protecting yourself from phishing emails.

Holiday gift exchange, anyone?

Cybercriminals constantly tweak their scams to stay one step ahead of victims. The Better Business Bureau cautions consumers to be on the lookout for this year’s version of the Secret Sister scam. Here’s how it works.

The victim, usually a woman, gets an email promising that if she buys one gift for a “Secret Sister,” she will get between six and 36 gifts in return. If the victim agrees, she is prompted to share additional personal information to receive her gifts. In some cases, the attackers then pose as law enforcement agents and claim that Secret Sister is a form of mail fraud and demand federal fines be paid immediately, or the participant will be arrested.

We “vish” you a merry…

You better watch out! That incoming call may be from a grinch! Voice phishing, also known as “vishing,” comes in the form of unsolicited phone calls. Vishing attacks increase during the holidays because so many online purchases and expedited deliveries are in motion. Attackers may call and masquerade as a delivery service, an online vendor, or your financial institution. They might request that you confirm your credit card number, your account name and login, or other personal information to ensure that your holiday purchase arrives on time. Be wary of unsolicited calls, and think twice before providing personal information to a stranger.

These vishing scams are hot this holiday season:

  • Best Buy: Cybercriminals are calling potential victims and posing as the Best Buy “Geek Squad.” They claim there is a problem with the computer you purchased recently, or that your support plan is about to expire. You are then directed to visit their online support center and enable screen sharing so the technician can help you resolve the issue. They will then install a remote access tool, which gives them complete control of your system.
  • Amazon: Malicious actors assume many folks are doing their holiday shopping online due to the pandemic. Posing as Amazon customer support representatives, they call and ask if you recently purchased anything from their website. If you did, they then express concern that someone fraudulently charged a large purchase to your account. To confirm your identity and sort out the incorrect charges, you share personal account and financial information. The hacker now has everything they need and will terminate the call.

Share these best practices

In organizations that have built strong cybersecurity cultures, everyone takes responsibility for protecting sensitive data. Share these best practices with your employees before they leave for their holiday break.

Protect district devices

If you’re taking your district-assigned device home, take extra care. School may be out for holiday break, but criminals are just getting started. Continue to report suspected cyber-attacks and lost or stolen devices immediately.

Avoid free Wi-Fi

If you do visit brick-and-mortar stores, protect yourself by following public health best practices and restrictions in your area. You should also protect your employer’s sensitive information by understanding the risks associated with public Wi-Fi. Coffee shops, restaurants, bookstores, and other public places often maintain low-level network security that cybercriminals can easily hack. Any information you view or passwords you enter on public Wi-Fi are fair game. Avoid logging into district accounts or connecting school computers to public Wi-Fi networks when possible. If this is unavoidable, always use a Virtual Private Network (VPN) to secure the connection and protect your data.

Restrict privacy settings

Preserve data privacy and security by selecting the appropriate privacy settings for documents in public cloud-based services such as Google Drive and Dropbox.

  • Never use anonymous sharing on documents that contain personally identifiable information.
  • Don’t be fooled by the false sense of privacy provided by the “anyone with the link” feature or the easy-to-use “get shareable link” feature on the context menu and simplified sharing dialog box.
  • Avoid granting access requests to Google documents from individuals you do not know. Criminals often get access to personal information or sensitive school documents by simply requesting it.

Ready to test yourself?

If you’re worried about falling victim to common holiday scams, test your knowledge with this quiz. If you want to stay one step ahead of cybercriminals year-round, follow our InsideRM blog, and attend our member-exclusive webinars. Fund members with Liability coverage can also reach out to Privacy and Cyber Risk Consultant Lucas Anderson for expert advice.

Editor's note: This article was originally published in December 2018 and has been updated for accuracy and comprehensiveness.
