Research conducted by technology services provider Probrand has found that 43 percent of UK businesses are targeted by scam emails, with incidents increasing significantly during the festive period.
The study, which analysed hundreds of small to mid-sized organisations, found that 83 percent of employees have received scam emails from individuals impersonating senior staff members. A separate study by Semperis found that 86 percent of businesses experiencing ransomware attacks reported incidents occurring over weekends or holidays, when staff numbers were reduced.
The risks are compounded as employees often use unsecured public WiFi networks while travelling, or rely on reduced staffing and unfamiliar colleagues during holidays, leaving businesses exposed to cybercriminals. Despite this, only 19 percent of businesses have tested their employees’ responses to phishing attempts, and over a third (36%) have not implemented measures to prevent future attacks.
Holiday Cybersecurity Risks
Scammers frequently exploit the festive spirit by impersonating CEOs or senior executives in what is known as Business Email Compromise (BEC). These emails often contain urgent requests for gift cards, vouchers, or financial transactions, making them a significant risk for businesses that fail to train employees to identify phishing attempts. Only 19 percent of organisations have conducted phishing response tests, while 81 percent lack a valid disaster recovery plan for addressing major cybersecurity incidents.
Matt Royle, Marketing Director at Probrand, said, “Scam emails are on the rise, and in the business world these are often labelled as phishing attacks; emails that trick victims into doing something. As businesses prepare for the festive season, it is vital to remain vigilant against potential increased cyber threats.
“The festive period is prime time for cybercriminals, exploiting a busy time followed by a period of reduced staffing with often new tactics like spurious eChristmas cards, that prompt staff to click. Our research revealed 48% of UK businesses don’t currently offer cyber security training to staff, and employee awareness is the number one way to lock down threats early.
“That is why it’s so important for UK businesses to provide continuous cybersecurity awareness testing to all employees. This will help keep them consistently aware of the latest tactics being used, and help them identify and act upon cyber attacks to minimise the risk of financial impact on their organisation.
“On top of this, it’s important for businesses to communicate policies and advice during this festive period to minimise risk.”
Best Practices for Cybersecurity During the Festive Season
The findings call attention to the urgent need for businesses to adopt comprehensive cybersecurity measures during high-risk periods such as the festive season. While Probrand’s research highlights these vulnerabilities, the organisation has also provided key recommendations to help businesses mitigate threats:
- Minimise Risks on Public WiFi
Employees working remotely or travelling during the holiday season should avoid accessing sensitive business accounts or files over public WiFi networks. Using Virtual Private Networks (VPNs) and disabling auto-connect features can help safeguard data from interception. - Train Staff to Identify Phishing Emails
Providing employees with training to recognise phishing attempts, such as misspelt domains or unusual requests, is essential. Organisations should encourage employees to report suspicious emails to their line managers or IT teams. - Establish Central Communication Channels
Ensuring a centralised communication platform, such as Microsoft Teams, enables staff to report suspicious activity easily, even during reduced staffing periods. Maintaining a clear list of on-duty employees and their roles can also help identify fraudulent communications. - Implement a Crisis Plan
Creating a detailed incident response plan is critical to minimising the impact of a cyberattack. Developing a recovery playbook and ensuring all employees understand their role in the plan will help businesses respond effectively to cybersecurity threats.
