Holiday Phishing Scams


Once again, numerous federal agencies have sent out alerts to be on the lookout for spikes in several holiday-related email and voice phishing scams. Here’s what to be aware of.

  1. Fake Shipping/Delivery Notifications – Don’t fall for a failed delivery email that appears to come from a legitimate carrier like FedEx, UPS, USPS, or others. Because these fake emails are difficult to detect, it’s best to NOT click on any links in emails from any shippers, and instead, go to their websites directly and enter any tracking numbers or other information you may have regarding expected deliveries. Also, when in doubt, contact the sender for confirmation.
  2. Fake Purchase Confirmations and Invoices – Did you get an email purchase confirmation from Nordstrom or Walmart, but you didn’t buy anything from them? Chances are it’s a fraud. Again, don’t fall for the fake.
  3. E-Cards – It’s great to get e-cards from friends and family, but be aware that even those can be fake and contain malware. They may even come from a friend who has unknowingly had their account hacked. Don’t click on them unless you are certain they are legitimate.
  4. Fake Coupons, Discounts, and Sales – Retailers have been ramping up their email communications with their customers, but don’t trust all of the emails you receive. Again, rather than click in the email, go to the store’s website directly. 
  5. Charity Scams – Criminals love to take advantage of your generosity during the holiday season. Don’t fall for charities asking for gift cards or calling you for donations. If you want to be charitable, you make the call or initiate the contact yourself.
  6. Gift Card Scams – Buy $50 in Amazon gift cards and get $100 worth, just click here for this special Amazon deal – don’t believe it. Be wary of gift card purchases and only buy them from legitimate outlets.

What does it look like if you fall for one of these schemes? Let’s say you receive an e-card from a friend who actually had their email account hacked and didn’t know it. You click on the e-card and here’s what could happen:

  1. Nothing (you executed code with no visual warning).
  2. A black box quickly appears on your screen and then disappears.
  3. A browser page opens that looks like a real website like Amazon, or FedEx, or whatever the bait was in the phishing email. They’ll ask you to enter your credentials. If you do, you’ve just handed over your info to hackers.
  4. A blank PDF document opens.

These are all examples of how malware can get installed on your computer without you knowing it. That malware can then record all of your keystrokes (stealing login and banking information), extract saved browser passwords, engage your webcam, install ransomware and lock you out of your computer, or a host of other devious attacks.

The National Cybersecurity and Communications Integration Center (NCCIC) recommends the following actions:

If you believe you are a victim of a scam or malware campaign, consider the following actions:

Stay safe and have a happy Holiday Season.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
