Holidays bring phishing scam surge aimed at small business

Posted: Dec 4, 2019 12:45 PM

NEW YORK (AP) — The email looked legitimate, so Danielle Radin clicked on the link it contained, expecting to have her products included in a holiday gift guide.

“I instantly regretted it,” says Radin, owner of Mantra Magnets, a website that sells wellness products. “It took me to some random website that looked like those pop-ups telling you that you’ve won the lottery.”

Within days of that click three weeks ago, Radin began getting notifications that people in Ecuador, China and elsewhere were trying to access her email account. She wasn’t surprised; she knew her San Diego-based small business had been the target of a phishing scam.

While cybercriminals strike at any time of the year, they’re particularly active during the holiday and income tax filing seasons when computer users expect to see more emails — and scammers are increasingly targeting individual small businesses with phishing scams, sending messages that look legitimate but do harm instead. An unsuspecting owner or employee clicks on a link or attachment and, like Radin, finds that malicious software has invaded their PCs.

Cybersecurity experts find that criminals who used to blanket thousands of computer users in hopes of fooling a handful have refined their methods. Scammers find small businesses through websites, social media sites and by combing email address books. They also mine personal data from breaches at retailers and other large companies. Then, using a process called social engineering, they construct emails that increasingly look realistic, as if they truly come from a boss, colleague, friend, potential client or vendor, a bank and even the IRS.

“In the last year or two they’ve been running more professional campaigns,” says Perry Toone, owner of Thexyz, an email service provider based in Toronto. “It can take a couple of minutes for me to determine that they’re phishing scams. That tells me they’re doing a very good job.”

Radin believes the scammers found her through her website or a blog. Like many small businesses, she has an email address on her site, and the scammers figured out that she might be interested in selling via a holiday gift guide. But finding a target is one thing; the scam won’t work unless it tricks an email recipient into clicking. Even those who are tech-savvy can sometimes let their guard down. Radin was duped even though she’s the author of “Everyone’s Been Hacked,” a book sold online.

Often a scam succeeds because there’s just a shred of doubt in a computer user — the email is realistic enough that an owner or employee feels they need to read it. Sometimes a staffer clicks out of fear or a sense of responsibility, says Rahul Telang, a professor of information systems at Carnegie Mellon University’s Heinz College.

“It might not sound very personal, but you have an idea that you should go ahead — you feel like the email is coming from the boss,” he says.

Computer users may not be looking as closely as they should at an email — there can be subtle signs that a message is trouble. Terry Cole, owner of Cole Informatics, a company whose work includes cybersecurity, recalls getting an email that truly seemed to be from a colleague. He was one of several people in the industry to receive it.

“It said that this colleague had sent me a secure private message that was ready for me to read and included a link to click. This was absolutely consistent with my normal experiences communicating with him,” says Cole, whose company is located in Parsons, Tennessee.

Cole didn’t do in that instance what he usually does and advises everyone to do: check the email address to be sure it’s completely correct. When he clicked on the link, it took him to a bogus website claiming to be connected with Microsoft and asking him for his ID and password. He went no further and suffered no damage to his PC.

The holidays provide scammers with extra opportunities: emailed greeting cards, package shipment notices, offers of discounts — all of them false. Cybercriminals also seek personal information from owners and employees under the guise of needing them to create a W-2 or 1099 tax form; at this time of year, business owners’ thoughts are turning to taxes.

“Something that claims to know you, your name, where you work and wants you to take some action is harder to spot,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, a cybersecurity company based in Sunnyvale, California.

A common scam at holiday time is an email purportedly from the boss telling a staffer to go buy gift cards and email the numbers back, DeGrippo says.

“When it appears to come from a boss or CEO, I think there is that tendency among employees to follow those directions. They’re playing on their emotions,” she says.

Often, a scam succeeds in getting an employee to click on a personal email while on a company PC — many workers check their personal email while at work. Even though the email arrived in a personal account, it’s the company’s machine that can be infected.

Companies can protect themselves in part by restricting employees’ access to personal email sites, Telang says. He also suggests seminars to help staffers understand the risks that even legitimate-looking emails can present.

Some of the scams aim at monitoring a user’s keystrokes, so anyone accessing a company or personal account of any sort can be giving a criminal access to their money or sensitive personal data. One tool to prevent a bank account from being emptied or a credit card maxed out is to have accounts with multifactor authentication; that requires a password plus a separate code that is sent to a different device and is different for each login.
