Tips for a Safe and Secure Holiday Season

The holiday shopping season is here, and while millions of Americans will be looking for the best deals the internet has to offer, cyber criminals will be hard at work looking to target online shoppers. The holiday shopping season is a prime opportunity for bad actors to take advantage of unsuspecting shoppers through fake websites, malicious links, and even fake charities.

Staying Safe at Home

Using strong passwords, updating your software, thinking before you click on suspicious links, and turning on multi-factor authentication are the basics of what we call “cyber hygiene” and will drastically improve your online safety.

Here are the 4 common sense ways to protect yourself online:

  • Implement multi-factor authentication (MFA) on your accounts and make it much less likely you’ll get hacked.
  • Update your software. In fact, turn on automatic updates.
  • Think before you click. Most successful cyber-attacks start with a phishing email.
  • Use strong passwords, and ideally a password manager to generate and store unique passwords (P.S. – National Life has a password manager available for all our users, reach out to Information Security to get set-up!)

Staying Safe at Work

The holiday season is also well known for being a prime time to target companies and organizations with cyber-attacks. While we are enjoying time with family and friends, cyber criminals are unleashing their attacks while they hope no one is watching. Even if you are taking some time off this year, be sure to keep an eye out for anything out of the ordinary.

For example, “MFA Prompt Bombing” is on the rise, with Microsoft, Okta and Uber all falling victim to cyber attacks that utilized the technique.

MFA prompt bombing essentially is an attempt to trick a user into completing an MFA security request on their devices. Methods utilized in the attacks include:

  • Sending a series of MFA requests and hoping the target finally accepts one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
  • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

For more information on staying secure this holiday season, check out these resources from the Cybersecurity and Infrastructure Security Agency (CISA).