Thanksgiving in the U.S. signals the start of the holiday shopping season, stretching all the way to Christmas. During this time, businesses offer various deals and incentives, triggering a surge in orders, deliveries, and returns of goods. Unfortunately, this season is also a prime opportunity for attackers seeking to capitalize on unsuspecting individuals, employing identity-based cyberattacks such as phishing to compromise users’ credentials and take control of their accounts.

In fact, the FBI reported almost 12,000 victims reporting non-payment/non-delivery scams during the 2022 holiday shopping season, resulting in losses over $73 million. This number doesn’t account for organizations that have experienced breaches due to employees falling victim to phishing while using corporate devices for online shopping. Additionally, it doesn’t acknowledge the number of victims who never report these incidents. While education on phishing scams and how to stay safe is a necessary step in helping protect users against account takeover (ATO) and other identity-based attacks, it is not a foolproof way to secure your users and their data.

Most organizations have implemented some form of multi-factor authentication (MFA), which is usually based on SMS/email one-time passcode (OTP) or mobile soft tokens to improve security for their users and customers. At the same time, attackers are becoming increasingly sophisticated, using tools such as phishing-as-a-service and generative AI. These technologies enable the creation of phishing emails and campaigns that look alarmingly authentic, often evading the most well-trained and vigilant security-aware individuals. In addition, MFA bypass attacks like SIM swap and MFA fatigue/prompt bombing render traditional MFA options vulnerable to attacks.

Organizations need to implement phishing-resistant and MFA bypass-resistant multi-factor authentication to protect their users and customers.

Types of Holiday Scams

Most holiday phishing attacks exploit users’ distractions amid holiday festivities and shopping. This leads to financial losses and identity theft, causing long-term repercussions such as damage to credit scores, mortgages, and more.

  • Fake promotions – These are emails or advertisements that offer attractive discounts, leading victims to phishing sites that replicate genuine retail websites. Users unknowingly make purchases using their credit cards, only to never receive the items they paid for.
  • Delivery notifications – As online holiday shopping increases, cybercriminals exploit it by sending fake delivery notifications. These messages pressure victims to click on links to resolve supposed issues, such as delivery address or payment of additional fees, often leading to compromised credentials.
  • Fake charities – Preying on the goodwill of people during the holidays, attackers create deceptive websites impersonating charities to solicit donations.
  • Fake order receipts – Cybercriminals mimic well-known, reputable retailers by sending fake order receipts through email. These emails contain links supposedly allowing the recipient to cancel or modify their order, tricking them into visiting phishing sites where their credentials are compromised.

While most attacks are targeted toward consumers, organizations should also be alert. Employees often use corporate devices such as laptops and mobile phones for holiday shopping, potentially risking the compromise of business accounts and applications. In addition, many users reuse passwords across personal and corporate accounts, making them susceptible to credential stuffing attacks.

Phishing-Resistant Passwordless MFA

Certificate-based authentication (CBA) with Bluetooth proximity is the highest assurance phishing-resistant MFA option available in the market. It is the most recommended approach to securing access to organizational resources and data for users including employees, contractors, and B2B customers.

For most consumer use cases, passkeys are starting to gain adoption as the phishing-resistant MFA that utilizes a user’s smartphone to utilize cryptographic key pairs when authenticating users to applications or services. Passkeys are generally multi-device enabled with the private key stored across a user’s device ecosystem and in their platform’s cloud account (i.e. iCloud, etc.).

Risk-Based Adaptive Authentication (RBA)

While phishing-resistant passwordless MFA provides enhanced security and protection against ATO attacks, enforcing a risk-based approach can help add additional layers of security while balancing security with user experience, only introducing friction in the process when necessary. Risk inputs like travel velocity, behavioral biometrics, and other external risk feeds such as threat feeds, etc. can help evaluate the risk score of a user during an authentication event, allowing for access to be blocked or requiring the user to use a different 2FA based on risk score thresholds.

Identity Verification (IDV)

Another common entry point for attackers is during password/MFA reset, where they can gain access to a user’s account by triggering a reset and adding additional authenticators to the account. Using identity verification solutions can help combat these attacks. Requiring users to verify their identity with physical credentials such as a driver’s license, passport, etc. can add another layer of defense in securing users against ATO attacks. IDV as a step-up authentication can help protect high-value transactions or out-of-policy/out-of-compliance users.

Combining phishing-resistant MFA with RBA and IDV offers a layered approach with defense in depth against identity-based attacks. Learn more about the various phishing-resistant passwordless MFA options and risk-based adaptive step-up authentication from Entrust and sign up for a free trial of Entrust’s Identity as a Service platform to experience enhanced security for your users and applications.