While Jamaica has no database about the increase of local cyber-attacks during the Christmas Season, according to US-based cyber-security company, Carbon Black, organisations should expect to see a spike in potential cyber-attacks, starting from Black Friday/Cyber Monday and continuing through the holiday shopping season.
Carbon Black, which tracks more than 16 million endpoints, reveals that global organisations encountered a 57.5 per cent increase in attempted cyber-attacks during the 2017 holiday shopping season; and, during the same time period in 2016, attempted cyber-attacks increased above normal levels by 20.5 per cent.
“Based on existing precedent, we expect the same trend to continue, if not increase, during the 2018 holiday shopping season,” Tom Kellermann, Carbon Black’s Chief Cyber Security Officer, said in the company’s November 2018 Report.
“During the holiday season, there is a ton of noise in the online world and attackers do everything they can to take advantage of that situation. This applies not only to consumers, who shop online, but also to businesses, many of which are understaffed and, in the case of retailers, approaching the busiest time of the year,” he explained.
Dr Moniphia Hewling, head of the Jamaica Cyber Incident Response Team in the Ministry of Science, Technology, Energy and Mining, said there was no local data to indicate that cyber-attacks spiked in the Christmas Season; however, she cautioned that persons need to be careful when doing online transactions.
“While there is no local data to support that claim, based on increased shopping activity during particular times of the year; however, data is reflected in other jurisdictions,” she pointed out, urging online users to be vigilant.
Colin Burgess, IT Infrastructure Manager at MC Systems, echoed the same caution.
“What they do is target persons who shop online, and send unsuspecting users email messages through an attack method, termed ‘Spear-Phishing,’ which is a targeted attempt to steal sensitive information, such as account credentials or financial information from a specific victim, often for malicious reasons,” he explained.
Mr Burgess said the attackers disguise themselves as a trustworthy friend, or entity to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91 per cent of attacks.
“How you actually mitigate against this is most times non-technical. It will require you to evaluate your email, scrutinize the spellings of the emails, verify the source of the emails, and read the content of the email,” he advised.
He also said that users need to be careful when downloading attachments, which sometimes contain malware that will infect their machines.
Mr Burgess noted that attackers use information from social media platforms to acquire personal information to launch an attack. He said it is important that limited information be posted about you on these platforms, including emails and your workplace.
Other tips to safeguard against these attacks include:
Frequently update your software: If your software provider notifies you that there is a new update, do it right away. The majority of software systems include security software updates, which can protect you from common attacks. Where possible, enable automatic software updates.
Do Not Click Links in Emails: If an organisation, such as your bank, sends you a link, launch your browser and go directly to the bank’s site, instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text, or the email’s stated destination, there is a possibility that it could be malicious.
Mr Burgess said many spear-phishing attackers will try to obfuscate link destinations by using anchor text which seems to be a legitimate URL. “Use logic when opening emails: If you get an email from a “friend” asking for personal information including your password, carefully check to see if their email address is one that you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet would be to contact that “friend” or business outside of email, or visit the business’ official website to see if they were the party who actually contacted you,” he advised.
Implement a data protection programme in your organisation: Your data protection programme should combine user education about data security and best practices. This data protection will also help to prevent data loss, due to spear-phishing attacks. For midsize to larger corporations, data loss prevention software should be installed to protect sensitive data from unauthorized access or egress, even if a user falls for a phishing scam.