Nov 2022: Shopping and Shipping Themed Mobile Attacks Likely to Ramp in Coming Weeks
Holiday-Related Phishing Attacks: What You Need to Know
- Every year, as the holiday shopping season approaches, holiday-themed phishing attacks rise. Attackers know the season brings a high volume of ecommerce activity—and related notifications. This provides an opportunity to slip malicious messages in with legitimate ones.
- Last year, security researchers noted a particularly large increase in malicious mobile/text message-based attacks, which are also known as SMS phishing (or smishing).
- The most common lures seen in the late-year surge of mobile attacks were related to package/gift deliveries, special retail offers, and delivery issues or exceptions.
- As with email-based attacks, holiday-themed smishing messages may claim to be from reputable organizations, including prominent retailers, ecommerce brands, and parcel delivery providers.
- Successful attacks could result in account compromise, lost money, or disclosure of sensitive data.
Key Action: Report or Delete Suspicious Messages
Text messages
- If you receive a suspicious text message on a work-issued device, contact the Service Desk.
UCSF IT Service Desk – Available 24/7
Phone: 415-514-4100
Web: http://help.ucsf.edu
Email: [email protected]
- If you receive a suspicious text message on a personal device, use available features within your messaging application to report the text, or simply delete it without engaging.
Emails
- Report ANY suspicious emails you receive at work using the Phish Alarm button in your email menu bar.
- If you receive a suspicious email in a personal inbox, use available features within your application to report the message as spam or malicious, or simply delete the email without engaging.
Tips to Remember (at Work and at Home)
- Avoid engaging with unexpected shopping- and shipping-themed messages. Do not click links or call phone numbers included in unsolicited or unusual emails or text messages. If you want to confirm a claim or offer, go directly to a legitimate source. For example, key in the URL of a retailer’s website, log into an account via a trusted app, or call a known contact number.
- Don’t be tricked by imposters. Attackers often use familiar brand names, logos, images, and other impersonation tactics in their communications. These aren’t signs that a message is safe.
- Remain alert to emotional manipulation. It’s common for attackers to promise access to amazing, limited-time deals, or to make people afraid that a shipment or gift won’t be delivered. They do this to trick people into acting in haste, based on an emotional response.
- Think beyond email and text messages. Attackers use all available channels during the holiday shopping season. That means you could see similar tactics being used on social media, lookalike websites, printed materials, and malicious and misleading ads.