Christmas 2019 Seasonal Awareness
The NCSC would like to remind everyone that the Christmas period is a particularly opportune time for criminals to take advantage of unsuspecting online shoppers.
Email is a common attack vector for such crimes, with over 90% of cyber attacks beginning with an email. In addition to regular email phishing, phones are also targeted through SMS phishing (smishing) and through malicious links embedded in popular messaging & social media apps. Another attack method used by cyber criminals is fake refund or shipment tracking sites that attempt to harvest credentials (usernames, passwords, credit card details etc.) from unsuspecting members of the public.
The success of these tactics is based on the increased likelihood of using an online platform to purchase goods over the festive period, coupled with the increased urgency people feel to track their purchased goods in order for them to arrive in time for Christmas. This can lead to some people being less vigilant about clicking links and visiting sites than they might otherwise be throughout the rest of the year.
Christmas messages from untrusted sources that ask a user to click a link or play a video/audio file etc. should not be clicked. Even if the source is trusted, extreme caution should be exercised as the source itself may have been compromised or spoofed. Be particularly vigilant around New Year and Christmas Eve when the volume of messages, both legitimate and malicious, increases greatly.
Some general advice on staying secure online:
- Create strong complex passwords and do not use the same password across different accounts. The NCSC strongly encourages the use of a password manager in order to manage multiple online accounts.
- Please be wary of unsolicited phone calls claiming to be from banks, internet providers or any other entity requesting passwords, usernames or money for any service. If necessary contact the site or service through an established contact method and not through any links or numbers provided within the communication received.
- Invoice re-direction/Business Email Compromise (BEC) fraud is prevalent at this time of the year as businesses are preparing for financial year end. People should be wary of this, and enhanced vigilance should be practised when receiving emails from vendors/clients notifying of a change of bank account and requesting that payments be made into the new account. Users should verify the change using established forms of communication and not through contact details within the suspicious email.
- Do not enter your account credentials if you receive an unsolicited email purporting to be an online shipment company without verifying first. In the event of users wishing to query the status of a particular item they should take note of reference numbers etc. provided at the time of original purchase and ensure these match any subsequent correspondence.
- Manually type in URLs to sites you want to visit rather than clicking on links.
- Be wary of fake websites. When browsing, make sure each site you visit starts with HTTPS. This indicates that malicious 3rd parties cannot intercept any of the details being sent between you and the website you are currently visiting.
- Use caution when connecting to public Wi-Fi. Public Wi-Fi is often targeted by malicious actors and used to eavesdrop on unsuspecting users' online activity. We would recommend that you use the mobile network if in doubt.
- Secure your devices and accounts:
  - Deploy Multi-Factor Authentication (MFA) on all of your accounts where possible
  - Only install apps from the official App Store or Play Store and assess the permissions that each app requests in your phone settings, such as access to your text messages, contacts, stored passwords, photos and administrative features
  - Make sure to update the device software and applications to the latest version
  - Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalise on shoppers looking for deals
  - Consider installing reputable anti-virus software on the device
  - Select the most secure settings on your device
  - Turn off Bluetooth when you are not using it

It should be noted that even the most advanced threat actors use these methods, particularly at this time of year, to gain unauthorised access to networks, or at the very least steal users’ credentials. If you suspect that your details may have been compromised, contact your bank and please report the crime to your local Garda station.
The NCSC would like to take this opportunity to wish all of our constituents a Merry Christmas and a happy New Year.
National Cyber Security Centre,
Department of Communications, Climate Action and Environment, 29-31 Adelaide Road, Dublin 2.
(01) 6782333 • firstname.lastname@example.org • https://www.ncsc.gov.ie