This time of year is a winter wonderland, especially if you are a hacker looking for financial information and other sensitive data being sent online. Cybersecurity may be the last thing on your mind right now, but it shouldn’t be.

Your employees will be taking advantage of many online sites this season. Most likely they will be taking their lunch breaks in front of their work computer, logging on to sites and making purchases on your network. Even if your company has a BYOD policy, your company may still be at risk for cybercrime.

No one wants to be a Scrooge, but there are a few things to keep in mind this year to keep sensitive data safe from cybercrime over the holidays.

Do You Hear What I Hear?

Cyberspying sounds like a science fiction movie plot, but it happens every day to companies…just like yours. Hackers sneak into your network and can stay hidden for days, months, and even years. Operation Shady Rat went unnoticed by affected networks for five years as it stole proprietary secrets from victims. The attack was set in motion by employees clicking attachments, a technique known as “spear phishing.”

Generally, cyberspying is done by groups seeking to steal information that will benefit them: rival companies looking to uncover your company secrets, for instance. They usually go after the computers and users most likely to give them what they need, so it is a targeted attack seeking very specific information.

Keep your sensitive data safe from cybercrime over the holidays by screening email messages before clicking attachments.

On the First Day of Christmas, a Hacker Gave to Me…A Nightmare for My IT

Stealing credentials is a fun holiday pastime for cybercriminals. Your employees will be logging in to sites, filling out order forms, and leaving their information exposed.

This is dangerous for them on a personal level, but it can have devastating consequences for your business.

Cybercriminals will be using one of three ways to steal your employees’ credentials.

  • Hacking directly into popular e-commerce websites
  • Sending out phishing emails
  • Using malware that captures keystrokes in real time as a user logs into the network

Once a user’s password is uncovered, the hacker has access to all the information he or she has on the site, including financial data. The hacker may also have access to the user’s work accounts, making it harder to keep sensitive data safe from cybercrime over the holidays.

Pro Tip: To minimize the damage of a cyberattack, passwords should never be reused across multiple platforms. Follow password best practices for strong password creation.

I Saw Mommy Kissing Santa Claus

Your employees may not realize that someone is posing as someone else within their corporation, asking for sensitive data via email. Criminals will stalk a user’s social media to gain information about their supervisor, the chain of command, even the CEO of the company. The hackers will use this information to contact an employee. These emails are usually “urgent” in nature, and ask for financial information, information about the employee, or other potentially useful data.

In these “spoofing” attacks, the employee will hand over this information thinking they are helping a boss, the human resources department, or even a customer.

Pro Tip: Never allow employees to respond to emails asking for sensitive data.

Rudolph, The Red-Nosed Hacker

Online cybercrime may not be as obvious as a shiny red nose on a reindeer, but hackers have some red flags of their own.

Your employees will be surfing the net in search of deals from popular websites. They may be responding to emails from sites they trust, eager to cash in on the big sales they offer. Not all websites that look legitimate are legitimate.

In a process known as “water-holing,” hackers take advantage of known websites to infect a visitor’s computer with malware. In 2013, an attack of this kind targeted the US Department of Labor and gained information on thousands of users.

Another way your employees may be tricked is to click on a link that mimics a trusted website. The user will then be redirected to a fraudulent website where they will unwittingly give financial information and more, thinking they are on a legitimate site. This is called “typosquatting” or “lookalike domains.” The copycat site itself may closely resemble the original site, adding to the overall hoax.

Unsuspecting employees may fall prey to a completely fake website that promises sales and deals. These sites will be for companies they have never heard of with deals that are “too good to be true.” The employee will attempt to buy something and by the time they realize they will not be receiving the product, the company and all traces of it will be gone. Meanwhile, the employee may have opened the door for cybercrime targeting your business. It’s a good idea to read reviews on sites you are unfamiliar with to make sure you don’t fall victim.

Pro Tip: Always look for a “secure” connection and check for common tricks such as “.net” vs “.com” or misspelled company names.
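The two tricks named in this tip, a swapped ending and a misspelled name, can also be checked automatically, for instance in a mail or web filter. The Python below is an added example, not part of the original post: the allowlist, the domain names, and the function names are constructed for illustration, and taking the last two labels as the domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist of shopping sites a (hypothetical) company trusts.
TRUSTED = {"example.com", "contoso-shop.com"}
# Digit-for-letter swaps often used to imitate a name visually.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def fold(name: str) -> str:
    """Map look-alike characters to the letters they imitate."""
    return name.translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts a swap of adjacent letters as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels only (assumption; production code needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_url(url: str, trusted=TRUSTED) -> tuple:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = registrable(urlsplit(url).hostname or "")
    if domain in trusted:
        return "trusted", domain
    name, _, tld = domain.partition(".")
    for good in sorted(trusted):
        gname, _, gtld = good.partition(".")
        if name == gname and tld != gtld:
            return "lookalike", f"TLD swap of {good}"
        # A distance of 1 is noisy for very short names; tune per allowlist.
        if edit_distance(fold(name), fold(gname)) <= 1:
            return "lookalike", f"misspelling of {good}"
    return "unknown", domain

if __name__ == "__main__":
    for u in ("https://www.example.com/sale", "https://example.net/sale",
              "http://examp1e.com/login", "https://exmaple.com/deals"):
        print(u, "->", check_url(u))
```

A “trusted” verdict only says the domain is on the allowlist; an “unknown” verdict is not a clean bill of health, only the absence of a near match.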

All I Want for Christmas is Your Credit Card

Hackers are getting more sophisticated, leaving your employees and your company at risk. “Magecart” is another example of cyber-savvy criminals taking advantage of your network and your employees this holiday season.

Magecart is a Russian-based hacking scheme that targets digital credit card information. Magecart was used to steal financial information from Ticketmaster and British Airways customers. Hackers insert code into a breached company’s website, effectively “skimming” credit card numbers from unsuspecting customers.

Your company may be held financially responsible for any information lost to cybercrime. Additionally, it’s well known that even established companies will lose their reputation after a breach, taking months or years to recover. Some companies may never recover from the financial hit when a hacker gains control of customer financial information.

Pro Tip: Remove some of the liability of cybercrime by outsourcing your IT needs to an MSP.

There’s No Place Like Home Page for the Holidays

Your employees may be sneaking onto social media sites like Facebook, Twitter, and Instagram to keep up with holiday happenings back home. They will be tempted to click on ads they see for gift-giving ideas, leaving themselves wide open to scams and hackers. Unfortunately, social media has become a playground for cybercriminals who can track sites the employee visits and steal information.

The ads on social media run a high risk of being “baiting” sites, inviting unwitting consumers to log on, log in, and create an account. This is bad news for your employee and could be even worse news for your company if the hacker gains access to the user’s computer.

Pro Tip: If a website requires extensive data to create an account before you can view it, avoid the site.

It’s the Most Wonderful Time of the Year

It’s the most wonderful time of the year to inform your employees about their role in keeping sensitive data safe from cybercrime. If you haven’t scheduled employee cybersecurity training, this is the time to decide on a comprehensive plan. The more informed your employees are, the more proactive they will be in detecting a potential cyberattack.

This holiday season, your employees may be taking chances to score those top deals. Don’t be a Grinch; just make sure your employees are “cyber aware” as they cruise the sales.

Call us to see how we can help you keep sensitive data safe this year. Happy holidays from all of us and have a cyber safe season!
