This Cyber Monday, watch out for phishing attacks

Attackers might use “special” days to launch more targeted social engineering attacks, says professor Engin Kirda. Photo by Adam Glanzman/Northeastern University
Engin Kirda, professor in Northeastern’s Khoury College of Computer Sciences and College of Engineering. Photo by Ruby Wallau/Northeastern University

Cyber Monday is upon us—a marketing campaign that caps off the post-Thanksgiving shopping surge that marks the beginning of the holiday shopping season. But with recent, large-scale hacks to companies like Equifax and Yahoo, can shoppers buy online safely? We asked professor Engin Kirda, who holds joint appointments in the College of Computer and Information Science and the College of Engineering at Northeastern.

“The risk may be a little greater on special days,” he said. And while there’s no “silver bullet” to prevent against cyberattacks, vigilance is key to avoiding the type of targeting phishing attempts we may see today.

Kirda, an expert on network security, also offered a few tips for shopping safely today.

Is there a greater cybersecurity risk on days like Cyber Monday, when so many people will be shopping online?

Yes, the risk may be a little greater on special days. However, this is not necessarily because more people are shopping online, but because the attackers might use “special” days to launch more targeted social engineering attacks. For example, I would not be surprised if we see phishing campaigns that promise users deep online discounts, such as “Get an iPhone X for $500, click now!” Cyber criminals typically use important days and world events to launch targeted campaigns because they know many people will be more susceptible to clicking on attack links.

Is it just phishing attacks we should watch out for?

I’d be more vigilant about targeted phishing campaigns. Most of the successful attacks we see these days have a phishing or social engineering component. The tricks that the attackers use are simple, but they are also effective. Hence, we still see these attempts as a first step in a cyberattack.

What should people do to protect themselves?

Being vigilant and knowledgeable is the key. I would be very careful about clicking on URLs in emails. Even if it looks like the email is from a trusted party—such as a friend—it could still be a fake, so it is important to check emails for suspicious signs. For example, does the signature look strange? Does the address look authentic? If it looks authentic, is the style of the email suspicious?

I would also not directly open any attachments because many successful attacks have exploitative attachments these days. If there is an attachment, a useful trick is to upload the document to Google Drive and to open the document in the browser. I would do this even for attachments coming from trusted parties. This is not a fool-proof technique, but online conversions do offer some protection, and Google does a pretty good job of filtering malicious documents. This trick would give you quite a bit of protection. The downside, of course, is that some of the attachments you receive might be private and you might not want to load them into Google’s cloud.

Unfortunately, there is no silver bullet in these cybersecurity related things, but vigilance can certainly help.