Impact of Cybercrime on Small Businesses During the Holiday Season

December 20, 2024

With the Holiday Season in full swing and many businesses experiencing an influx of customers, businesses are at an increased risk of being victimized by cybercrime, scams, and fraud. We asked Dr. Rachel McNealey, Assistant Professor in the School of Criminal Justice and an expert on cybervictimization and cyberoffending, how businesses can protect themselves during this time of year.

We often focus on consumers falling victim to fraud, scams, and other forms of cybercrime during the holiday season, but how might businesses (especially small businesses) experience cybercrime during the Holiday Season?

During the holiday season, scammers can take advantage of increased business by relying on social engineering and human error to gain access to sensitive data. This can include fake invoices, phishing emails, or phone calls that claim to be from government agencies, fellow businesses, advertising or credit card agencies, or even utility companies. Businesses are inundated with transactions and purchases leading up to gift-giving season, and technology allows bad actors to distribute a large number of malicious requests for information that can go unnoticed in the holiday rush. Even if businesses and their employees are diligent in spotting these attempts, just one oversight can provide scammers with a wealth of sensitive data.

Are there particular types of businesses that are especially vulnerable during the Holiday Season? What makes them unique targets?

Businesses that deal with other businesses through invoices and rely on direct communication (phone or email) are at risk from these techniques, as those points of contact are where scammers can attempt to gain information. Businesses that keep records of customer data or handle personally identifiable information (PII) must be especially diligent, as even a minor breach can allow malicious actors to connect and compile entire data profiles on affected customers.

Is there anything a business can do to reduce their risk of being a victim of cybercrime before next year’s Holiday Season?

The Federal Trade Commission (FTC) encourages businesses to maintain employee training on proper practices, as well as to be diligent in reviewing and verifying invoices and requests for payment. Additionally, employees should be especially wary of emails with links and downloadable attachments that may allow for remote access to a workplace computer system. When in doubt, businesses should research any new or unknown business/persons contacting them for information to ensure it is a legitimate request.

Beyond the holiday season, the Cybersecurity & Infrastructure Security Agency (CISA) has recently released guidelines for businesses in light of news that foreign actors have gained access to several major U.S. telecom companies. CISA is encouraging businesses to implement encrypted messaging for all communication platforms and to ensure that all device operating systems are updated. The CISA-published guidance can be found here.