
How Bad Actors Are Using the Cost of Living Crisis to Launch Attacks

  • By Andrew Webb
  • 27 June 2022


Most people – we hope – can smell a rat when supposedly African Royalty offers us several thousand dollars as a ‘gift’ to help them get money out of the country, but what about when a well known brand you love offers you free samples or invites you to enter a competition? 

 


The recent Heineken Father’s Day beer contest on WhatsApp is just the latest in a long line of seasonal or topical attacks that are run almost like marketing campaigns. As with all phishing attempts, there are a few common themes. One is a sense of urgency, in this case the fact that there are only a certain number of freebies available. There’s also nudging text like ‘don’t miss out’, ‘exclusive’ and ‘enter now’.

The Threat Actor’s Editorial Calendar

 

But what’s also interesting is that this attack came on Father’s Day, when a brand like Heineken might legitimately launch such a campaign and when people are thinking about last-minute gifts for Dad. It feels legit because it plugs into where your employees’ heads are at. Heineken wasn’t the only ‘Dad brand’ that suffered a scam: UK hardware stores ScrewFix and B&Q also had exclusive Father’s Day competition prizes that were actually scams.

 

That topicality and seasonality is played out throughout the year, on national awareness days, public holidays and yearly events like tax deadlines and Black Friday. As one attendee at our October Human Layer Security Summit told us, “in the Fall, someone is always going to click on FREE STARBUCKS PUMPKIN SPICED LATTE”. We’ve seen this in the world of entertainment too. In November 2021, fans were promised early access to the new season of Squid Game, but only after filling in a short ‘survey document’.

Cost of Living Scams

 

Having targeted tech and finance brands for years, as well as logistics and delivery brands during the pandemic, scammers now seem to be teeing up a summer of cyberattacks on consumer brands and retailers. The cost of living crisis, rising inflation and the surge in food and energy costs now make grocery stores, food companies and energy companies prime targets for scams. In June, we saw a scam featuring UK supermarket Tesco, with the promise of a £500 gift card.

 

In May, the UK energy regulator, Ofgem, alerted consumers to a new energy rebate scam as energy prices soared. Meanwhile, in the US, fuel company Shell highlighted a gas card phishing scam involving their Fuel Rewards program. And with some US employers offering to pay towards employees’ gas costs, you can see why things are getting confusing. The brand and sector may change, but the scam is always the same: the promise of something for free coupled with a sense of urgency.

Education and awareness

These new threat vectors join the long queue of existing ones that your staff and organization are already vulnerable to. As we saw with Covid, bad actors thrive in times of confusion and uncertainty. After a global pandemic, global economic turbulence and a spiraling cost of living form the next theater on which bad actors like to strut their stuff. So what to do?

 

 

As Bobby Ford said at our Human Layer Security Summit, the way you ‘crack the nut’ is putting a little piece of cybersecurity awareness in all the other programs, projects and meetings happening across your organization. That can be a quick update at the all-hands, or creating material, updates and awareness within your team that you don’t just push out, but that people actively come and seek out.

 

Work with your allies. Who else in the company can you form an alliance with? Perhaps you can bring in your internal comms or PR team’s experience? Getting the people team involved to make cybersecurity part of the onboarding process helps new joiners orient themselves before they touch your network. 

 

Finally, the C-suite is critical to supporting any initiative you design, which matters because, as Mike Privitte notes in this LinkedIn post, “Phishing doesn’t have “work life balance.” Company executives and their families will only see increased attempts outside of the 9-5 space”.

Andrew Webb Senior Content Manager