Recognizing Holiday Business Scams


It’s the holidays, and while that typically comes with extra efforts, increased profits, and seasonal fluctuations, it also comes with bad actors, scam artists, and fraudsters looking to take advantage of the excitement and lack of routine. Small and medium-sized businesses can be especially vulnerable as a large number of cyber attacks capitalize on communication channels like email, text, and phone calls, in addition to seasonal fluctuations often experienced in companies of this size. Let’s walk through the areas that make businesses most vulnerable, the most popular types of attacks, what you can do to prepare, and of course how and where to report any attempts that occur.

Top 5 Holiday Gaps

Reduced Staffing. About three quarters of American businesses are understaffed. Many more operate with reduced or limited staff during the holiday season especially. Reduced staffing means businesses are slower to recognize and respond to a threat.

Increased Transactions. If your business engages in any type of ecommerce, your online transactions likely increase during the holiday months, leaving you more exposed to cyber threats like credit card skimming and phishing.

Seasonal Staff. Many businesses use temporary or seasonal staff this time of year. Beyond the shortage in seasonal staffing, short-term employees are often participating in abbreviated or quick-start training, not fully understanding cybersecurity policies or knowing what to look out for.

Distraction. Over 60% of employees report mental distraction around the holidays. In a season filled with irregular emails, deals, and added rush or stress, distracted employees are more likely to click on malicious links or fall victim to social engineering tactics, increasing the risk of breaches and scams.

Remote Work. In the United States, remote work is highest around the holidays, be that a permanent arrangement, a relaxed work environment, or a contractual agreement. However, remote work can carry risk if not properly accounted for. Unknown devices that may be older or require updates, less secure connections, and a lack of moderation all increase vulnerability to an attack or breach.

Popular Attacks

Ransomware

Ransomware is a type of software designed to block access to a computer system until an amount of money is paid, often in cryptocurrency. Attacks are delivered through a variety of channels, from phishing emails with an attachment or link to fraudulent websites that automatically download the destructive software. Attackers prey on unpatched operating systems, outdated software, or exposed remote desktop protocols. Reports show a 30% rise in ransomware attacks around the holiday season compared with other months of the year.

Phishing

Scam artists often use various types of phishing to impersonate your business or those you engage with. Phishing messages are often disguised as holiday deals or alert notifications that come through email or text (smishing) and can even be customized to the victim’s details (spear phishing). Some phishing efforts can occur as phone calls where someone impersonates a trusted entity—from tech support to the government or even a friend or relative. The objective is to collect sensitive data, account details, or personal information. Clicking a link will often take you to a fake website that looks very similar to the authentic one or quickly redirect you to a fake website even if the URL appears correct. It will then prompt the user to enter sensitive information or download an attachment that will invite malware or ransomware onto that device. Clone phishing uses a copy of a legitimate email to resend it with a link or attachment, even something as simple as a holiday party invitation. Phishing is extremely popular because it’s simple and highly successful.

Online Shopping Scams

Online shopping scams are designed to trick a customer into paying for something they will never receive or for a product that is actually counterfeit. Businesses can just as easily be victims of this type of scam as individuals. In the process, the fraudster gets personal or financial information from the transaction. Often fraudsters will create fake websites or listings, or mimic a legitimate retailer. Fraudulent advertisements for these scams are often popular on social media or presented as renewal notices, payment penalties, or account changes. Order confirmation emails and delivery notifications will appear legitimate, but any prompts could lead to malicious links as well. The opposite can also occur, where scam artists pose as buyers yet never pay for the goods or services, either by way of trickery or bad payments. Other online shopping scams often come in the form of gift card deals or subscription traps, enrolling a buyer into a subscription without consent.

Malware & Spyware

Malware scams are often designed to disrupt operations as well as collect information, and consist of software designed to gain access to devices. They can consist of viruses, trojan horses, adware, and worms. Spyware is a specific and especially dangerous type of malware designed to monitor and collect information from a device by recording keystrokes to steal passwords, capturing sensitive information, monitoring online activity and browsing habits, and enabling unauthorized use of webcams and microphones. It’s important to understand that malware can spread through USB and external devices as well as infected attachments, fake websites, and impersonation attempts.

Spoofing

Spoofing is a type of business scam where criminals impersonate other people or businesses. By disguising their identity or the source of the communication, they gain the victim’s trust and steal personal information. Often, the criminal will make a small change to the communication, as simple as changing a letter or symbol, to make the communication seem legitimate at first glance. While it can occur in various forms, the goal is typically to trick someone into believing that the spoofed communication is from a trusted source.
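
A defensive check for the one-letter-or-symbol change described above, as an added example that is not part of the original article: it compares a sender's domain against an allow-list and flags near matches. The domains, the substitution table, and the function names are constructed for illustration, and the input is assumed to be a bare email address.

```python
import unicodedata

# Constructed allow-list: domains this business actually corresponds with.
TRUSTED = {"example-supplier.com", "examplebank.com"}

# Common look-alike substitutions, folded away before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form that ignores look-alike tricks."""
    # NFKD plus an ASCII-only encode folds accented letters ('é' -> 'e')
    # and drops characters from other scripts.
    text = unicodedata.normalize("NFKD", domain.lower())
    text = text.encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED, max_distance: int = 1):
    """Return (verdict, matched_domain) for a bare sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Same skeleton, or at most max_distance edits away: likely impersonation.
        same_shape = skeleton(domain) == skeleton(good)
        if same_shape or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("billing@examplebank.com", "billing@exarnplebank.com",
                   "ap@example-suplier.com", "news@unrelated-shop.org"):
        print(sender, classify_sender(sender))
```

An "unknown" verdict only means the domain does not resemble an allow-listed one; it still calls for the verification steps in the red-flag questions below.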

Data Breaches

Many of these types of attacks and business scams result in data breaches. The cost of a data breach is much greater than the initial outlay of damage. Data breaches can compromise your company’s reputation, resulting in significant long-term financial losses as well. In addition to the types of attacks we’ve addressed, employees and contractors with authorized access can intentionally or accidentally expose data. This particular type of breach can be difficult to educate against or combat because the individuals have legitimate access, making this type of attack both highly successful and often very damaging, as they are able to access large amounts of data easily. Such breaches are, however, not nearly as common.

7 Questions to Spot Red Flags

Am I expecting this communication?

If you weren’t expecting this, or if this is coming through a channel you didn’t expect, question it before responding or taking action.

Is the communication asking for money?

Point blank, if you are asked to pay something up front or to pay by a method other than a credit card, this is likely to be a scam aimed at your business.

Is it telling me that I have to take action quickly?

If the communication requires you to act urgently to avoid negative consequences, it is much more likely to be a scam.

Are there spelling or grammar errors?

Messages from companies will not likely contain glaring errors. If the message is worded strangely, has spelling errors, or grammatical inaccuracies, it’s probably fraudulent.

Is it telling me I have a violation, infringement, or penalty?

If the correspondence insinuates that you have defaulted, infringed (such as copyright), or incurred any kind of violation or penalty, stop! Go to the company website for the contact information listed there and call to verify.

Is it asking me for account information or to change account information?

If you get a message asking you to verify, change, or login to your account from a link within that email, question it. If you’re concerned, go to the website you normally use to login and change your password. Do not click on any links or buttons within the email and do not use that URL to access your account, even from a new window. Many business scams are designed to look like official communication.

Does the message have links, buttons, or attachments?

If you’re unsure of any message—email, text, phone call, or traditional mail—do not go to or click through to any web addresses or links. Do not click buttons or download attachments. Use your browser to find the company website and contact information, and reach out to them for verification.

Preventing Attacks and Thwarting Scams

There is no 100% failsafe way for your business to avoid scams and fraudulent intentions. These schemes rely on social engineering that plays on natural human weaknesses. Companies can, however, take measures to reduce susceptibility and improve awareness.

Keep software updated

There are many excuses people use to put off software updates. They take time, they’re inconvenient, and sometimes they come with frustrating bugs. Some demographics even feel updates are dangerous or allow more oversight. The truth, however, is that software updates are essential for security, and the majority include features to patch and combat recent attack attempts. Businesses must keep devices and software up-to-date to offer the best protection. To avoid letting updates go, make it a habit to apply them promptly or automatically. Scheduling software and devices to auto-update during off hours can create less disruption.

Update Equipment & Devices

If your business hosts seasonal or temporary labor, you may be accessing devices less often used or contractor devices you have less control over. Ensure those machines are up-to-date and running the latest software and operating systems if at all possible. Because some situations put devices more out of your control, consider browser-based last mile security measures. 

Manage Access

Control access to your sensitive data to reduce the risk of breaches and fraud attempts. Access control starts with strategies like password policies, including Single Sign-on (SSO) and Multi-Factor Authentication (MFA), to reduce hacker attempts. It also includes leveled privilege to limit employee access to data through role-based or attribute-based access control. Adopting a least privilege principle ensures that employees only have access to the specific resources they need for their position. Moving further, zero trust principles assume nothing and no one in a particular environment can be trusted and continuously verify access requests. While it can be challenging to balance security with usability, especially with remote work and BYOD (bring your own device) environments, consistent effort to do so carries the greatest protection.

Educate Employees

Educating employees is often overlooked or left to an HR handbook, but it is one of the best defenses against your business becoming a victim of a scam or attack. Protocols and procedures for identifying and responding to business scams are, of course, necessary, but ensuring supervisors walk through those procedures is equally important. Always make reporting part of your procedure to continue the effort to track and prosecute these criminals.

Monitor Activity

Actively monitor network traffic to detect anomalies and catch suspicious activity quickly. Routine monitoring can allow for faster response time and action if threats do arise.

Backup Data

Your business regularly backs up critical data, but during the holidays, it’s a good idea to increase that frequency and include full system backups if you don’t already. Retail and e-commerce businesses experience peak activity around the holidays, making downtime or data loss even more costly. A robust plan that includes more frequent backups ensures a quick recovery. Consider the 3-2-1 rule: keep three copies of the data—two stored on different media and one stored off-site or offline. Cloud storage can offer simple, scalable options as well. Remember to regularly test the ability to restore backups, not only to ensure they work and everything is there, but also to gauge the downtime needed to restore functionality. Setting up alerts to report errors and applying restrictions that prevent modification (immutable backups) are additional safeguards for ensuring your backup data is secure.

Communicate with Customers

Don’t let your customers fall victim to scams impersonating your business. Explain your communication practices, and let them know what the email address will be or where the text message will come from. You can also remind them that you will not communicate with them through certain channels (e.g., social media or text message) or will not communicate about certain subjects (e.g., payment concerns) through certain channels. Remind them that the best practice if they are unsure is to look up the phone number they know belongs to your business and call it for confirmation first.

Report & Warn

Following an attempted scam or attack on your business, contact the appropriate authority and report the incident. Save all documentation and note the time, phone number, or email address of the sender. The more information you can collect and preserve, the more likely the criminal is to be caught.

Reporting scams and fraud allows authorities to take immediate action—often a requirement when fraudsters move and hide so quickly and easily. It also helps to stop the current attack, future attacks on your company, and future attacks on others more quickly. 

You can additionally warn others by submitting feedback to review and ranking sites. Creating public warnings can help to keep the same experience from happening to others and tarnish the name of the fraudulent company. 

Below is a list of reporting sites in the United States, but you can also go to usa.gov for further information on where and how to report a scam.

Federal Trade Commission (FTC)

Report scams to the FTC by phone at 1-877-FTC-HELP (1-877-382-4357) or online at ReportFraud.ftc.gov

Internet Crime Complaint Center (IC3)

Report scams to the IC3 at IC3.gov

Department of Justice

Report scams to the Department of Justice at justice.gov

A Little About VirtualPBX SecureTeam

Last Mile Protection Without Device Access

Like many companies, VirtualPBX offers a browser-based product, SecureTeam, for last mile protection, especially for when you don’t have device access. Whether you employ contractors, operate in a remote or BYOD environment, or just want the added protection needed to offer more flexible employment relationships in the future, SecureTeam can offer high level protection in an intuitive, user-friendly environment your team will want to use with tailored control and leveled access. SecureTeam offers peace of mind. 

But what really makes SecureTeam different is the company that stands behind it. VirtualPBX is a founder-based, privately-owned US business that’s been around nearly 30 years. We take a lot of pride in what we offer, which always includes service and support from real humans who know our products inside and out. We pride ourselves on being a partner to our customers, whether that’s problem solving to manipulate a product into exactly what you need or navigating the set up of your business phone system.

As a communication company, we at VirtualPBX understand the responsibility we hold to the general public to ensure scammers, hackers, and other bad actors cannot use our tools to cause harm. While we cannot disclose our precise procedures to protect the process, VirtualPBX implements stringent security measures and policies to verify identity and transaction history to put every effort into thwarting negative intentions before they even get off the ground. 
