December is a highly lucrative time for online retailers, especially since 70% of the U.S. population shops online. In 2022, the U.S. saw online holiday retail sales reach a staggering $228 billion, and forecasts for 2023 estimate an increase to $253.71 billion.

The surge in e-commerce activity during December offers an incredible opportunity for online retail businesses to generate significant revenue. However, cyber attackers see this time of year as ideal for targeting busy employees who fail to recognize their tricks.

Learning and development (L&D) leaders must work to prevent cyber attackers from jeopardizing their organization’s financial well-being during this critical time of year. Learning leaders must familiarize themselves with the different types of cyber threats and then train their people on best practices to keep the organization safe.

Recognizing Common Cyber Scams

Cybercriminals have increased their efforts alongside the growth in online retail traffic. Earlier this year, fashion retailer JD Sports had a data breach that compromised the personal information of more than 10 million customers. Just last month, Amazon issued an official warning to customers after noticing a surge in actors posing as customer service reps to gain access to Prime accounts.

Successful attacks can lead to serious financial hardship for businesses and customers and cause lasting damage to brand reputation for those who fall victim. Below are a few of the most common pitfalls and types of attacks that L&D professionals should know and teach their people to recognize.

  • Weak passwords: Employees often have several different logins for work applications, leading many to use obvious passwords for quick access. Cybercriminals frequently attempt to gain access to those accounts by simply guessing employee passwords, and a weak password offers them an easy avenue into company systems.
  • Spam: These are unsolicited, often irrelevant, advertising emails sent to a massive number of inboxes. Although these emails can be legitimate advertisements for companies, there is also the possibility that they hold malicious files or viruses that can put recipients at risk.
  • Social engineering: This technique is used to gain the trust of users through manipulation tactics. For instance, cybercriminals impersonate real people and then persuade their targets to share personal information through seemingly legitimate conversations. They can also exploit user impatience with “MFA fatigue attacks,” which involve sending so many multi-factor authentication requests that the target eventually accepts the request out of sheer frustration or by mistake. Attacker-in-the-middle attacks (like EvilProxy), which involve tricking users into inputting their credentials into phony web pages, also rely heavily on social engineering.
  • Phishing: These are fake email campaigns that appear legitimate. Unsuspecting recipients are lured into clicking unsafe links or sharing personal information. While most recipients avoid falling for these scam emails, even a small number of successful attacks can lead to big payoffs for cybercriminals.
  • Distributed denial of service (DDoS): Hackers can flood a website with an overwhelming number of requests that servers cannot handle. This traffic overload makes websites and other pages inaccessible to visitors, often for an extended period.
  • Malware: This is malicious software that cybercriminals use to damage or exploit any digital system. Malware comes in different forms: viruses, worms, trojans, ransomware, spyware, adware and more. Cybercriminals send this software to businesses and individual users through emails that include bad links, attachments and advertisements. It can also be bundled with legitimate software, or uploaded into a system when a hacker finds a system vulnerability.

Best Practices to Reduce Risk

Cybercriminals employ a wide array of tactics to target businesses. However, L&D leaders can improve their organization’s defensive posture by implementing robust security systems coupled with a “human firewall,” a concept that teaches employees in every department how to identify and combat cybersecurity threats. This approach emphasizes a security-centric company culture, while also acting as a first line of defense against common scams.

Learning leaders who follow these best practices can build a resilient human firewall to keep their organization safe during the holiday season and beyond.

  • Educate employees on cyber threats: Employees in every department should learn to identify common threats to avoid falling for obvious tricks. Teach them to spot spam emails, phishing attempts or suspicious attachments, effectively preventing cybercriminals from gaining access.
  • Implement and review security policies with employees: The World Economic Forum found that 95% of all cybersecurity breaches have been traced to human error. Employees may not realize that their work behavior can put the business at risk. Implement company-wide security policies and regularly review them to ensure employees understand how to work safely and securely.
  • Improve password management: Even if the company security policy already mentions it, L&D professionals must clearly communicate to employees the risks that weak passwords pose to company security. They should require employees to create complex passwords that cybercriminals cannot easily guess and promote the use of secure password management systems for convenient access to applications.
  • Advocate transparency and communications: Employees need to understand the importance of reporting any suspicious activity they observe. For example, if an employee spots a suspicious email in their regular inbox, they should immediately alert their manager and co-workers to prevent them from opening potentially harmful software. An automated way to report such emails makes this easier and faster.
  • Establish an incident plan: Well-trained employees can still make mistakes. Business leaders should train employees on what to do in the event of a major security incident or data breach, including when they believe they have fallen prey to a cyberattack or that cybercriminals may have access to their computers, devices or company systems.

Cybercriminals consistently pose a threat to businesses, so companies must empower their employees to exercise additional caution to avoid falling victim to scams. By following these best practices, L&D and business leaders can feel confident that their employees have the knowledge to stop cybercrime from compromising their business success this holiday season and beyond.