Social Engineering – Holiday Style!

‘Tis the season to be a skeptic.

The holiday season is here and despite the warm and fuzzy feeling it might imbue in you, for hackers and scammers, it holds a very different meaning – for them this is open hunting season. and it’s you they’re hunting for.

As we have mentioned in the past, a talented scammer can help you part ways with money, passwords and your ID without ever accessing your computer – they do it by breaching the one thing that should be the most secure, given the proper training and circumstances – you.

The problem is that under the wrong circumstances, the human mind is an open book and scammers revel in our predictability. By using social engineering tactics an experienced scammer knows just how to tug heartstrings and push buttons and this time of year is a favorite for them. The holiday season is filled with crazed deal-seekers, repenters seeking an end-of-year clean slate, and all shapes and flavors of religious fervor/guilt. Emotions run high, rational thought is at an all-time low.

Capitalizing on the impulsive nature of the season, scammers get right in on the action creating holiday-themed scams. Here are some classic holiday social engineering scams that have gotten a high-tech upgrade in the last few years to watch out for:

Charity fraud:

Charity fraud is a big thing this time of year. Taking cues from current events and social issues, scammers compel targets to donate to victims of terror or natural disasters, abused demographic groups and the overall less fortunate. Charity scams can come in the form bogus, websites, emails, phone calls and even text messages beseeching you, the kind-hearted soul, to “DONATE NOW!”

During the holidays you might end up with an inbox filled with emails that sound something like this:
“Look into the eyes of this baby koala and tell him that you won’t let him starve this holiday season. Donate now and you can tell the koalas you did your part.”

These emails are a twist on the typical Nigerian Scam emails we are used to because, technically, they could be real – It’s more plausible that charities would be asking for money than the Exchequer of some far off land. Also, watch out for websites that pose as charities. These sites can be hard to distinguish from real charity sites so the best thing to do is stick with charities you know and trust to give your money to.

Social media scams:

Social media is always a hotbed for scams and tricks but it’s particularly rotten at this time of year. Just last week the Better Business Bureau reported that scammers were raking it in using a Facebook and Instagram scam called “Secret Sister” in which they convince people to become part of a holiday gift exchange. Newbies to the ploy send gifts to the person listed on top of the list, thinking that the top person was also once a gift-giver. They assume that the more people they can get in on it, the closer they get to the top of the list to eventually become the “gift-getter”. In reality, it’s just one large scale pyramid scheme.

Then there is the free airline ticket scam. In November security guru Graham Cluley reported that a scam was circulating on Facebook that claimed to be a vacation-seekers’ dream come true – Just in time for the holiday season British Air was giving away first class tickets to anywhere in the world! All a hopeful winner had to do was like the page, comment and share it.

Not surprisingly, thousands of people entered the bogus contest. Clearly, there were no first class tickets at stake but hopefuls might have ended up with a device full of malware. The links on the page led to spam-filled websites aimed at spreading malware, with the ultimate goal of stealing user information.

Before you enter any social media contest or giveaway, give it an extra pause for thought. Things that seem too good to be true, usually are, especially on social media. If the returns appear to be too high, stay away from it and always read through the terms of service carefully.

Fake e-commerce websites and emails

And so the shopping frenzy continues. Did you think e-commerce scams were reserved for Cyber Monday? Not a chance. Once again, this time of year brings shoppers in search of the deal of the century lots of offerings but only some are legit. Scammers set up fake websites and send out spam emails displaying rock-bottom prices on the season’s hottest gift items (more about that next week!) in hopes of luring in less-judicious shoppers. When a target takes the bait, the scammers scrape their credit card information and more. In some cases, clicking on links from fake emails and websites can install a trojan virus or some other back door to your computer or device that criminals can use to set up high level banking malware or worse.

Wasting time and money on fake sites is a sure-fire way to make sure you don’t get your holiday gifts on time. Or ever. Keep away from sites you don’t know and if you can’t find what you want any place other than a site you don’t recognize, research it well. Go to and google customer reviews of the site before you give over your credit card information.

On the topic of emails, stay away from all e-cards and e-giftcards regardless of whether or not you know the sender. Chances are they are filled with malware. The sender’s computer may have been hacked to send out malware-filled emails or the sender might just be forwarding something he or she got and figured it was okay. At least you know better (hopefully).

If you get an email from delivery services like DHL and FedEx, read them because they might be legit, but don’t click on links, because well, they might not be.

It’s all about using your brain

Social engineering is in full gear this time of year but that doesn’t mean you have to be a victim. Use your brain, not your heart when making decisions that affect your digital identity. They say that there’s a sucker born every minute – just don’t be one of them, okay?

Leave a Reply