Businesses Get the Gift of Phishing Risk During the Holiday Season

November 26, 2021


‘Tis the season for shopping, travel, shipping, charitable giving and fraud. Every holiday season is rife with phishing risks for consumers and businesses. Bad actors use the season as leverage for the social engineering that drives phishing, and phishing is expected to reach new heights this year. A recent article in Security Boulevard noted that experts expect a 50% increase in digital fraud in the upcoming holiday season, as bad actors make the most of the surge in digital traffic during this period. That’s more than 8 million cyberattacks per day, and some of them are heading right for your business in the form of a phishing email.




Fraud Costs Businesses a Pretty Penny


Businesses lose a hefty chunk of revenue to scammers every year. According to the “2020 Report to the Nations,” published by the Association of Certified Fraud Examiners (ACFE), organizations lose an estimated 5% of annual revenue to fraud. Much of that loss comes through scams perpetrated on a company’s accounting departments, especially accounts payable.

Watchdogs that monitor online fraud, including the US Federal Bureau of Investigation (FBI) and the Better Business Bureau (BBB), are sounding the alarm about an expected surge in holiday-related fraud, especially phishing. Because phishing is such a dynamic weapon of attack, cybercriminals can wield it in myriad ways that can devastate businesses. The danger doesn’t just come from employees shopping at work. The bad guys will take advantage of this opportunity to attack businesses when they’re short-staffed because of holiday travel or just distracted by the hustle and bustle of the holiday season and the end of the year.




These three holiday phishing scams could cost your business a fortune this holiday season. 

Invoice/Payment Scams 

Threats: Business Email Compromise, Spear Phishing, Whaling 

ACFE warns that invoice and payment scams are especially tricky. Fake billing is hard to detect and poses a significant risk, with a median loss of $100,000. Invoice or payment fraud is a common tactic used in business email compromise attacks. Anyone with the authority to pay an invoice, from the shipping clerk to the CEO, is at risk. The danger from this type of scam amps up during the holiday season as cybercriminals take advantage of factors like low staffing levels, get-it-done attitudes and the general carelessness that can come from holiday pressures to strike businesses where it hurts: in the checkbook.

Shipping Scams 

Threats: Business Email Compromise, Spoofing, Brand Impersonation 

The Federal Communications Commission (FCC) released a fresh warning about shipping scams just this week. In the scam that they highlight, cybercriminals use spoofing and brand impersonation to trick recipients into believing that they’re receiving a routine message from a legitimate mail or package courier like DHL (the most imitated shipper) or the US Postal Service. These messages typically include a fake tracking link that leads victims to the scammers’ website, which steals credentials or installs malware. This is an easy scam to pull on businesses that receive many shipments or do a great deal of correspondence by mail.

Account Compromise Alerts 

Threats: Business Email Compromise, Credential Compromise, Spear Phishing 

This classic is even more prominent around the holiday season and equally likely to be targeted at businesses and consumers. It is often used in combination with brand impersonation as cybercriminals try to trick unwary employees or consumers into believing that they need to reset a password or provide credentials for an online account. Cybercriminals also use this method to collect information that enables them to conduct BEC operations.  




What Departments Are the Most At-Risk for Phishing in Q4 2021?


No department is safe from the tsunami of sophisticated phishing messages that businesses will be receiving this holiday season.    

Most Likely Departments to be Targeted by Phishing   

IT = 74%   

Sales = 35%

Executives = 27%   

Marketing = 25%   

Customer Support = 21% 


It Is Likely An Employee Will Interact with a Phishing Message This Holiday Season


Unfortunately, far too many of the employees who receive a phishing email click on it. Harried, tired, distracted or just plain stressed employees make mistakes, and the holiday season can create an abnormal amount of pressure on everyone. Plus, if an office is shorthanded, security procedures can go by the wayside, creating even more risk of unsafe email handling and a recipe for disaster.

Likelihood of Dangerous Employee Email & Phishing Behaviors  

1 in 3 employees are likely to click the links in phishing emails.  

1 in 8 employees are likely to share information requested in a phishing email.    

60% of employees opened emails they weren’t fully confident were safe.

45% click emails they consider to be suspicious “just in case it’s important.”  

45% of employees never report suspicious messages to IT for review.     

41% of employees failed to notice a phishing message because they were tired.  

47% of workers cited distraction as the main factor in their failure to spot phishing attempts. 




AI Never Takes a Holiday 


Social engineering tricks don’t work on AI, and automated security is never off balance because it is a holiday. In fact, the Forbes Technology Council says that AI is a big benefit for businesses that are looking for ways to prevent expensive fraud like business email compromise or invoice scams and stay a step ahead of the bad guys. Solutions that rely on AI and machine learning aren’t as expensive or complicated as you may think.  

Keep Your Business Safe from Phishing Scams Like These with Graphus

Graphus gives you two key advantages to combat this problem: automated phishing protection and Phish 911. Both provide defenses that keep staffers from interacting with phishing email, reducing the chance that they’ll fall for a scam and hand over their login credentials – or worse.

TrustGraph Stems the Tide 

Employees can’t click on an email that they don’t get. That’s the biggest reason why automated phishing protection with Graphus is a smart move for every business. Our patented AI uses predictive reasoning and pattern recognition to create trusted email profiles based on your staff’s email traffic patterns and compares incoming communications to these profiles to detect and prevent sophisticated phishing, spear phishing and business email compromise attacks. By analyzing over 50 different attributes of your employees’ communications, TrustGraph learns to spot and stop suspicious messages before they land in anyone’s inbox.

Empower Defensive Teamwork with Phish 911 

Phish 911 is a clutch player in this situation too. Because it makes reporting suspicious emails painless with just one click, staffers are more likely to alert IT staff to potential problems. Office workers receive an average of 52 emails per day, and with the pressure to remain efficient and be diligent about job details, workers can feel like reporting dodgy emails could be seen as incompetence. But when you make it easy and encouraged, they’ll feel more confident that they won’t get in trouble if it turns out to be nothing after all.

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.