Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season

The holiday season is rapidly approaching, and with it, a surge in hacker activity. The second quarter of 2022 alone set a new record for phishing scams, with over a million attacks in the span of three months. But the final quarter of the year may very well outdo these figures. The massive increase in online shopping around the holidays offers hackers ample opportunity to deceive shoppers with social engineering attacks like phishing campaigns.

With consumers making multiple online purchases, across a wide variety of sites, in a short period of time during the holiday season, it is dangerously easy for cybercriminals to target them using deceptive communications that impersonate legitimate brands, financial services, and delivery organizations. As a result, consumers can be tricked into clicking malicious links, downloading malware, or handing over incredibly sensitive data like login information and credit card numbers. The effects of these crimes can be devastating. Victims of phishing emails suffer the consequences of stolen funds, identity theft, and unauthorized purchases.

As the tactics hackers use grow more sophisticated, how can consumers better protect their data during the 2022 holiday season? Below are some best practices for shoppers to help avoid phishing scams.

1. Stay aware of suspicious activity

While inboxes may be flooded with order confirmations, holiday gift guides, and seasonal promotions, it is up to consumers to break through the noise, stay on guard, and know the signs of a phishing email or text message. Most basic phishing campaigns are unfortunately deployed to thousands of individuals, but because they cast such a wide net, they are written generically, which makes it easier to uncover clues that reveal a communication’s true nature. Some of the most common signs include:

  • A high degree of urgency
  • Misspelled words or incorrect grammar
  • Awkward greetings
  • Strange requests
  • Inaccurate email domain names

For instance, a victim may receive an email message seemingly sent from a national brand demanding they update their credit card information or risk an account shutdown. But subtle signs like a long email domain name that doesn’t match previous communications, a suspicious subject line reading “LAST WARNING, ACCOUNT SUSPENSION,” or a generic greeting (e.g. “Sir/Madam”) can give the subterfuge away.

2. Know the signs of spear phishing attacks

The warning signs above are clear indicators of a digital scam perpetrated en masse, but what happens when cyber criminals have the time and resources to craft a personalized communication? Also known as spear phishing, these targeted messages are trickier to identify. Hackers will gather personal data from public social media accounts to send messages that include private information like employers, spouses, or hometowns. These details make the communications seem more legitimate. Due to the care with which they are created, they are also less likely to have the copy mistakes or key identifiers found in a general phishing campaign. Just as users should keep an eye out for emails that are too general, they should also be on guard for messages that seem too specific. In this case, consumers should always err on the side of caution.

3. When in doubt, go straight to the source

If a consumer is ever unsure about the validity of an email or text they receive from a company, it is always better to be safe than sorry. Reach out to the company through the phone number or email provided on its official website to speak with a representative who can confirm if the email is real or fraudulent. Consumers should never use the contact information given in the suspicious email, even if it looks legitimate. Hackers can use brand logos and other details to create an illusion of authenticity, and any link or phone number in the email could bring users to a malicious site or to the hacker directly.

4. Report confirmed phishing cases

If a communication is confirmed to be fraudulent, the recipient can take steps to ensure the matter is thoroughly investigated. The email or text message should be forwarded to the company impersonated by the hacker, as well as to the US Cybersecurity and Infrastructure Security Agency and the Anti-Phishing Working Group (APWG) at phishing-report@us-cert.gov.

With millions of fraudulent emails reaching inboxes every day, reporting just a few may feel like a drop in an infinite bucket. But there’s strength in numbers; the more users that take action and report phishing campaigns, the likelier it is that the authorities will be able to stop these types of threats. In doing so, they can prevent more individuals from falling victim.

5. Take a proactive approach

Protection against phishing campaigns shouldn’t just be a reactive process. Consumers can take proactive measures to protect their private information from hackers by maintaining good digital hygiene. This includes keeping your software up-to-date by installing the latest patches and updates and opting into two-factor authentication when creating new accounts. Think of it as the moat around a fortified castle, or another level of protection against cyberattacks. In the unfortunate event that a hacker is successful in stealing account credentials, any log-in attempt will require additional authorization through a secondary device.

Similarly, keeping the spam filters in email applications up to date can prevent some phishing communications from ever hitting inboxes, but filters should never be relied upon for complete protection. As hackers’ campaigns evolve in sophistication, an integrated approach consisting of two-factor authentication, cybersecurity software, and awareness is ultimately the most comprehensive way consumers can safeguard themselves from phishing campaigns.

Consumers can protect their data this holiday season

Amid the bustle of the holiday shopping season, hackers are counting on consumers to be distracted. They’re betting that you don’t think twice about clicking a suspicious link.

If last year’s phishing data is any indication of what we could see in 2022, we should expect a tidal wave of phishing emails to hit inboxes in the upcoming months. But, consumers are not helpless against hackers. By understanding the tell-tale signs of fraudulent communications and maintaining good cyber hygiene, shoppers can enjoy a holiday season free from phishing campaigns.


Director of Technology, Office of the CTO at Imperva