End-users should brace themselves for a new wave of phishing emails that reference the recipient's holiday credit card spending pattern during the Christmas season.

The phishing campaign, expected to begin this week and last until the middle of next month, coincides with the arrival of credit card statements that document transactions made during the holiday season, said Andy Klein, senior product marketing manager at internet security firm SonicWALL.

Social engineering
plays an integral part in the attacks, which seek to pilfer account information -- such as account numbers, usernames and passwords -- from victims, he told SCMagazineUS.com today. For example, consumers are receiving messages which indicate there may be a problem with their transaction.

“It's all in the message that gets delivered,” Klein said. “They're all centered on the fact that there is more opportunity for people to be confused at this time of year because of all the transactions they conducted in the last 30 to 60 days.”

Leading up to the expected phishing run has been a spike in directory harvest attacks, which are instances in which criminals bombard companies with meaningless spam directed to random email addresses, Klein said.

The legitimate addresses do not bounce back, thus they can be mined as part of these phishing assaults.

“We saw a tremendous increase in those [directory harvest attacks] in the November-December timeframe,” Klein said.

Meanwhile, the phishing attacks tend to not threaten businesses with malware, he said. In most cases, the emails will try to redirect users to spoofed credit card websites or to fake sites set up to dispute transactions.

But companies who issue corporate credit cards to employees should pay attention to the expected spike, he said.

January typically produces large numbers of phishing emails.

From September 2006 to September 2007, January 2007 marked the month with the second-largest number of phishing emails, according to data from the nonprofit Anti-Phishing Working Group.