Skip to main content

Phishing during the holiday season: When personal devices become a risk to the business

|   Blog
[Translate to English:]
[Translate to English:]

Personal smartphones, BYOD and company devices used for personal purposes can put organisations at risk. Why phishing during the holiday season calls for clear rules and technical safeguards.

The holiday season is a peak time for digital carelessness. Trips are booked, hotels confirmed, credit cards checked, QR codes scanned and messages from booking platforms, airlines or accommodation providers replied to. Much of this happens quickly in between other tasks: on a smartphone, on a laptop, via the hotel’s Wi-Fi or through messaging apps.

This is precisely where a risk arises for businesses – one that is often underestimated. After all, the distinction between work and personal device use has long since blurred. Sometimes a work device is used privately to book a trip. At other times, a personal smartphone is used for work emails, multi-factor authentication (MFA) approvals or quick queries from the team. In many companies, this hybrid use is part of everyday life.

The problem is that attackers do not distinguish between personal and work-related use. They exploit every device, every click and every point of access that allows them to gain entry. If a personal phishing link is opened on a device that is also used for work, a travel booking can turn into a security incident.

Why the holiday season is so prone to phishing

Phishing works particularly well when a message appears credible and creates a sense of urgency. This is exactly what happens particularly frequently in the context of travel. Anyone who has booked a hotel expects messages regarding their reservation. Anyone planning a flight expects updates. Anyone who has paid for a holiday let takes payment reminders more seriously.

Criminals deliberately exploit this context. They send messages with subject lines such as ‘Your booking is at risk’, ‘Please confirm your credit card’ or ‘Your payment could not be processed’. Sometimes such messages even contain genuine or plausible-looking booking details. As a result, they no longer look like typical mass emails, but rather like a specific message arriving at just the right moment.

The result: the link is clicked on more quickly. The webpage is scrutinised less critically. Payment details, login credentials or personal information are more likely to be entered.

Attention levels are particularly low during the holiday season. Staff are travelling, working remotely, dealing with personal matters on the side or taking on other tasks within the company. Time pressure, distractions and expectations make phishing particularly effective.

The real risk lies in the mixing

Many companies still regard the private use of devices as a minor issue. In practice, however, it is often part of everyday working life.

A company laptop is used for personal bookings after work. A company mobile phone receives WhatsApp messages about a holiday let. A personal smartphone is used for work emails because no company mobile has been provided. Or employees are expected to be contactable but are not issued with a mobile phone and therefore use their own device.

This is convenient and, at first glance, cost-effective for companies. From a security perspective, however, it is problematic.

This is because a device used for work is no longer simply for private use. It may have access to company emails, cloud services, calendars, contacts, authenticator apps, customer data or internal systems. If this device is compromised by a private user clicking on a phishing link, the company may be affected.

The same applies the other way round: a company device used privately remains a company device. If a fake payment page is opened on it, malware is downloaded or a browser is compromised, this affects more than just a private travel booking.

The crucial question is therefore not: Was the click for private or work purposes?
The crucial question is: Did the device have access to company data?

If so, the incident is also relevant to IT security.

BYOD: Convenient, but not free

Bring Your Own Device, or BYOD for short, has long been a reality in many companies. Employees use their personal smartphones, tablets or laptops for work purposes. Sometimes this is officially permitted. Sometimes it creeps in gradually: for reasons of flexibility, to save costs or due to a lack of equipment.

Particularly problematic is the often unspoken expectation that employees must be contactable even without being provided with a company mobile phone. This expectation effectively transforms the personal smartphone into a work tool, without it being treated or regulated as such.

This may save on hardware costs, but it shifts security risks onto both employees and the company. This is because personal devices are often not centrally managed. Operating systems, apps, security updates, device locks, encryption and access rights can only be controlled to a limited extent. At the same time, business emails, messenger communications, MFA authorisations and cloud access all run through these devices.

BYOD is therefore not a free solution. It requires rules, minimum technical standards and clear responsibilities. Companies must define which personal devices may be used for which business purposes, what security requirements apply, and what happens if a device is lost, compromised or a phishing link is opened. 

Without this clarification, a grey area arises: the device belongs to the employee privately, but the business data stored on it concerns the company.

What happens after you click on a phishing link?

Clicking on a phishing link for personal use can have various consequences. Login details may be stolen. A fake login page may collect passwords. A manipulated website may download malware. A payment page may steal credit card details. A compromised browser may put sessions and stored information at risk.

The situation becomes particularly critical if business applications are used on the same device. In such cases, an attacker may attempt to gather further information, misuse corporate access credentials or spread malware to business systems.

The initial damage is often not immediately apparent. Perhaps a page was simply opened. Perhaps data was entered. Perhaps something was downloaded in the background. This is precisely why reporting the incident promptly is crucial.

Staff need to be aware that if a suspicious link has been opened on a work device, the incident should be reported. Even if it was a personal booking. Even if no damage is yet apparent. And even if it feels uncomfortable.

Many security incidents do not escalate because the initial mistake was particularly serious. They escalate because they are discussed too late.

Companies need clear rules rather than unspoken expectations

Personal device use, BYOD and mobile working cannot be managed through general appeals alone. Companies need clear, understandable rules.

This includes answers to simple questions: 

  • Can company devices be used for personal purposes?
  • Can personal travel bookings or payments be made using them?
  • Can personal devices receive work-related emails?
  • Which apps are permitted?
  • What security requirements apply?
  • Who is responsible if a personal device is used for work?
  • What happens in the event of loss, theft or a suspected phishing attack?

These rules should not only be legally sound, but also practical for everyday use. Overly strict guidelines that nobody follows create a false sense of security. Guidelines that are too vague leave staff to their own devices.

Fairness is also important. If companies expect staff to be available, they must ensure the necessary equipment and security measures are in place. Anyone using personal devices for work needs clear guidelines. Otherwise, companies benefit from their staff’s flexibility without properly bearing the associated risks.

Technical safeguards remain necessary

Rules and awareness are important, but they are not enough. Modern phishing attacks are designed in such a way that even vigilant people can make mistakes. That is why technical safeguards are needed to provide additional protection.

  • Email security helps to detect suspicious messages, malicious attachments, manipulated links and fake senders at an early stage. Securepoint Mail Security can be regarded as the first line of defence against phishing, fraud and malware.
  • Endpoint protection is crucial when malware is executed or suspicious behaviour occurs following a click. Securepoint Antivirus Pro protects Windows endpoints and helps organisations contain attacks on laptops and workstations.
  • Mobile device management is particularly relevant for smartphones and tablets, whether they are company-issued devices or part of a BYOD scenario. Securepoint Mobile Device Management can help to centrally manage mobile devices used for business purposes, implement security policies and respond more quickly in the event of loss or compromise.
  • DNS and web protection reduces the risk of users even accessing dangerous domains, fake login pages or fraudulent payment pages. Securepoint Cloud Shield can act as an additional layer of protection, helping to block known malicious or suspicious targets at an early stage.
  • Added to this are network and access protection via a UTM firewall, VPN, multi-factor authentication and clear authorisation policies. The key lies in how these elements work together. A single product will not solve the problem. However, multiple coordinated layers of protection significantly reduce the risk.

Awareness must address specific everyday situations

Many training courses still explain phishing in overly abstract terms. This is not enough in practice. Employees need to be familiar with examples that relate to their everyday lives.

These include booking private travel on a company laptop, WhatsApp messages on a work mobile, business emails on a personal smartphone, QR codes in hotels, payment requests from booking portals, or multi-factor authentication (MFA) approvals whilst on the move.

The key message is this: any suspicious click on a work device must be reported, even if the reason for the click was personal. This is not to assign blame, but to prevent damage.

Securepoint Awareness Next can help organisations communicate such scenarios regularly and in a practical way. The aim is not to unsettle employees, but to give them the confidence to act: recognise, stop, report.

What businesses should be doing now

Organisations should first assess how devices are actually being used.

  • Are there official BYOD policies?
  • Are personal smartphones being used for work emails or MFA?
  • Are company laptops being used for personal purposes?
  • Are there clear guidelines on travel bookings, payments and personal apps?
  • Are mobile devices managed?
  • Are email security, endpoint protection, DNS protection, MFA and VPN consistently implemented?

Rules and technology should then be aligned. Any organisation that permits or tolerates BYOD must define minimum standards. Any organisation that allows personal use of company devices must set boundaries. Any organisation that expects staff to be contactable must clarify whether personal or business devices should be used for this purpose.

A brief internal security briefing is recommended before the holiday season. It should include specific examples: fake hotel messages, credit card verification requests, WhatsApp links, QR codes, booking portals and payment requests. A clear procedure is crucial: do not click, check immediately, report internally.

Conclusion: ‘Private use’ does not mean ‘private risk’

Phishing during the holiday season highlights just how closely personal and professional security are linked today. A single click in a private context can become a problem for a company if it takes place on a company device or on a personal device used for work.

BYOD, mobile working and flexible availability have become indispensable in many organisations. But they are not automatically secure, and certainly not free of risk. Anyone who uses or permits the use of personal devices in the workplace needs clear rules, technical safeguards and a culture of open reporting.

The most important insight is this: what matters is not whether a message appears to be private or work-related. What matters is whether the device has access to the company network.

If so, the risk must be placed on the agenda of senior management, IT management and staff. This is because attackers exploit precisely those grey areas that companies have neglected for too long in their day-to-day operations.

Back

Public Relations

Download (jpg)

 

Kevin Thomas
phone: +49 (0)151/70509020
email: presse@securepoint.de