By now, government contractors are probably aware that, in October, the Department of Defense ("DOD") published the final rule for its long-awaited Cybersecurity Maturity Model Certification ("CMMC") Program (discussed here), which takes effect in mid-December. And while securing the defense industrial base against cyberattacks from nation-state actors and their proxies is top of mind for DOD and industry, another type of cyber threat is looming: holiday cyber scams.

The Cybersecurity and Infrastructure Security Agency ("CISA") and others say that holiday cyber scams include too-good-to-be true deals, fake charities, and fake delivery notices, among other things. The tactics that these cyber criminals use to accomplish their scams typically involve sophisticated phishing attacks with malicious links, files, or requests (text and email), which can result in drained financial accounts and identity theft. 

So, as we head into this holiday season chock-full of gingerbread lattes, family events, and last-minute online holiday shopping, now is the time to learn some tips – from federal agencies and industry – that can help to stay safe this holiday season, both when online shopping and when checking your email for the latest deals.

CISA

According to a CISA post, in 2022, approximately 12,000 people were victimized by holiday shopping scams. Essentially, cyber criminals target individuals by searching for weaknesses in devices or internet connections and also attempt to steal personal and financial data through sophisticated fake messages, websites, charities, and email. To stay safe this holiday season, CISA recommends the following actions:

• Update Software (on all devices, regularly)

• Use Strong Passwords. Make them unique to each account and complex

• Use a Password Manager

• Enable Multifactor Authentication

• Beware of Phisihing

• Don't Click Links or Download Attachments

• Be Wary of Requests for Information

• Report Scams

• Check Encryption

• Choose Reputable Vendors

• Use Credit Not Debit

• Check Accounts Frequently

FBI

According to the FBI, non-payment and non-delivery scams cost people more than $309 million in 2023. The FBI also states that credit card fraud accounted for another $173 million in losses. To guard against cyber threats this holiday season, FBI recommends the following (non-exhaustive):

Practice good cybersecurity hygiene.

• Don’t click any suspicious links or attachments in emails, on websites, or on social media. Phishing scams and similar crimes get you to click on links and give up personal information like your name, password, and bank account number. In some cases, you may unknowingly download malware to your device.

• Be especially wary if a company asks you to update your password or account information. Look up the company’s phone number on your own and call the company.

Know who you’re buying from or selling to.

• Check each website’s URL to make sure it’s legitimate and secure. A site you’re buying from should have https in the web address. If it doesn’t, don’t enter your information on that site.

• If you’re purchasing from a company for the first time, do your research and check reviews.

• Verify the legitimacy of a buyer or seller before moving forward with a purchase. If you’re using an online marketplace or auction website, check their feedback rating. Be wary of buyers and sellers with mostly unfavorable feedback ratings or no ratings at all.

• Avoid sellers who act as authorized dealers or factory representatives of popular items in countries where there would be no such deals.

• Be wary of sellers who post an auction or advertisement as if they reside in the U.S. but then respond to questions by stating they are out of the country on business, family emergency, or similar reasons.

• Avoid buyers who request their purchase be shipped using a certain method to avoid customs or taxes inside another country.

Be careful how you pay.

• Never wire money directly to a seller. 

• Avoid paying for items with pre-paid gift cards. In these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item. 

• Use a credit card when shopping online and check your statement regularly. If you see a suspicious transaction, contact your credit card company to dispute the charge.

Mastercard

According to credit card company Mastercard, "more online shopping means more opportunities for cyber scams." In light of the hightened threat level this time of year, Mastercard has some recommendations to stay safe and secure:

• Update your devices

• Avoid public Wi-Fi for financial transactions

• Skip ads and go straight to the merchant's site

• Keep your digital wallet as safe as Santa’s sleigh

• Use credit cards instead of debit cards

• Watch out for "account compromise" emails

• Look out for fake delvery notices (texts/emails that purport to be from FedEx/UPS/etc.)

• Watch out for QR codes (they boomed during Covid-19 and now can be malicious)

Trustwave

According to cyber company Trustwave, online shoppers can implement the following to help stay safe from cyber scams while holiday shopping:

• Shop Only on Trusted Websites (and look for "HTTPS" or Lock on the URL)

• Beware of Phishing Scams (e.g., claiming to offer special deals or alerting you of "account issues")

• Use Strong, Unique Passwords and Enable Two-Factor Authentication (2FA)

• Avoid Public Wi-Fi for Online Shopping (e.g., at coffee shops and malls)

• Opt for Secure Payment Methods (credit cards over debit)

• Watch Out for “Too Good to Be True” Deals (steep discounts)

• Keep Your Devices and Software Updated (and use anti-malware)

• Monitor Your Financial Statements

• Be Cautious with Social Media Deals 

• Beware of Fake Charity Appeals (very common during holidays)

Takeaway

Bad actors and cyber threats – targeting both enterprises and individuals – are not going away anytime soon. With the 2024 holiday season upon us, everyone should expect an uptick in malicious activity, particularly to your email. As the foregoing shows, government and industry consensus is to take your time and be skeptical when checking your inboxes and searching for the latest online deal (e.g., do not click suspicious links or download files), as cyber scams are incredibly sophisticated. In addition, shoppers also should be sure to leverage technology to keep safe. Ultimately, while the tips above are not exhaustive, they provide a good starting point to stay vigilant and secure this holiday season. Happy Holidays!

. . .

#govcon #cyber