How to Avoid Holiday Scams & Social Engineering Tricks at Work

While you’re out looking for incredible shopping deals this holiday season, cyberattackers are hunting for clever ways to trick unsuspecting users. 

These bad actors know that the holidays are a busy time for corporations, and while some tech-savvy attackers leverage the chaos to target a company’s technical vulnerabilities, many capitalize on human security weaknesses.

Tricking your employees, and even your C-suite, may not be as hard as you think. Luckily, with the right awareness of attack vectors and methods, you can better prepare.

Here are a few ways to avoid common holiday scams at work:

Standardize your out-of-office message.

During the holiday season, many companies offer their employees paid time off to celebrate with loved ones. Some employees may even take extra time between November and January to travel or prepare for festivities. 

During these three months, bad actors send out deliberate scam emails to see whether they receive automatic out-of-office replies. Why? These well-intended messages can give cybercriminals clues to use against you.

Here’s an example of a typical OOO message you may see your employee set:

Merry Christmas! ‘Tis the season for spreading holiday cheer— and I’ll be out from now until the end of the year. I’ll be sure to get back to you once I return from a merry getaway with family in Vermont.

If you need immediate assistance, please contact Janet at!

This OOO message gives bad actors a few major advantages. First, they know exactly when your employee will be out of the office. They also know where he will be, which helps them weave a convincing story. And the cherry on top: they know who his boss or a readily trusted associate is.

Holiday Scam Example


Let’s say the bad actor hops on LinkedIn and discovers that Janet is your employee’s peer and that both of them report directly to a boss named Paul. From the same profile, the social engineer can also see some of the clients he works with and a few of the accounts he manages.


With this context, a cyberattacker may craft a phishing email, using a carefully spoofed email address that looks a lot like your OOO employee’s, and send it to Janet:


Hey, Janet. Sorry to bug you. I have terrible service in Vermont right now and I can’t connect! Paul’s wrapped up and asked me to transfer $10,000 from the California account to this routing address. Ugh, he should know I’m with the family. Can you take care of this quickly?

You’re a lifesaver! Coffee on me when I’m back :) 
If I don’t get back to you right away, it’s because we’re hitting the slopes today. 

Thanks again! See you after New Years!

Because the message looks like it came from his email address, and a few details line up (he is in Vermont, and their shared boss requested an action on an account he clearly manages), Janet may be inclined to trust that it’s a legitimate request and transfer the funds. Little does anyone know, this is a classic holiday email scam!

By requiring a pre-approved, IT-cleared out-of-office message, you can ensure you’re not giving a bad actor a foothold into your organization. Keep it professional, and warn employees to be suspicious of holiday email requests, especially ones that ask for urgent action.
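One way to turn the "pre-approved, IT-cleared out-of-office message" advice into something IT can actually enforce is a small linter that runs over auto-reply text before it is saved. The script below is an added example written for this article, not code from Mitnick Security: the approved template, the role-alias rule and the keyword lists are assumptions, and the risky sample reply is constructed from the Vermont message quoted above. It reports the three disclosures the article warns about (absence dates, travel location, a named delegate) and passes only a reply that matches the template with a role mailbox filled in.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical approved auto-reply (an assumption for this example, not policy text
# from the article). {ALIAS} is the only field an employee fills in, and it should be
# a role mailbox rather than a named colleague.
APPROVED_TEMPLATE = (
    "Thank you for your message. I am currently out of the office and will "
    "respond when I return. For urgent matters, please contact {ALIAS}."
)
ROLE_ALIAS = re.compile(r"^[a-z-]+@[a-z0-9.-]+$")  # crude: rejects "first.last@" style addresses

# Heuristics for the three disclosures the article calls out: when the person is back,
# where they are, and who is covering for them. Deliberately simple, tunable regexes.
DATE_WORDS = re.compile(r"\b(?:until|through|back on|returning|returns? on|from now)\b", re.I)
TRAVEL_WORDS = re.compile(r"\b(?:family|getaway|vacation|trip|slopes|beach|cabin|travel(?:ing)?)\b", re.I)
PLACE = re.compile(r"\b(?:in|to|from|at)\s+([A-Z][a-z]+(?:\s[A-Z][a-z]+)?)\b")
NAMED_PERSON = re.compile(r"\b(?:contact|reach(?: out to)?|ask|email|call)\s+([A-Z][a-z]+)\b")
SENTENCE_END = re.compile(r"(?<=[.!?])\s+")


def matches_template(message: str) -> bool:
    """True only if the message is the approved template with a role alias filled in."""
    pattern = re.escape(APPROVED_TEMPLATE).replace(re.escape("{ALIAS}"), r"(?P<alias>\S+?)")
    m = re.fullmatch(pattern, message.strip())
    return bool(m and ROLE_ALIAS.match(m.group("alias")))


def find_disclosures(message: str) -> List[Tuple[str, str]]:
    """Return (category, evidence) pairs for details a social engineer could reuse."""
    findings = []
    for sentence in SENTENCE_END.split(message.strip()):
        if DATE_WORDS.search(sentence):
            findings.append(("absence_dates", sentence.strip()))
        if TRAVEL_WORDS.search(sentence):
            place = PLACE.search(sentence)
            findings.append(("travel_location", place.group(1) if place else sentence.strip()))
        for m in NAMED_PERSON.finditer(sentence):
            findings.append(("named_delegate", m.group(1)))
    return findings


def lint_ooo(message: str) -> Dict[str, object]:
    """Verdict for one auto-reply: compliant with the template, or what it leaks."""
    compliant = matches_template(message)
    return {"compliant": compliant, "disclosures": [] if compliant else find_disclosures(message)}


# Constructed samples: the risky reply paraphrases the article's Vermont message.
RISKY_REPLY = (
    "Merry Christmas! 'Tis the season for spreading cheer, and I'll be out from now "
    "until the end of the year. I'll be sure to get back to you once I return from a "
    "merry getaway with family in Vermont. If you need immediate assistance, please "
    "contact Janet at extension 1234."
)
SAFE_REPLY = APPROVED_TEMPLATE.format(ALIAS="support@example.com")

if __name__ == "__main__":
    for label, reply in (("risky", RISKY_REPLY), ("safe", SAFE_REPLY)):
        print(label, lint_ooo(reply))
```

The template match is strict on purpose: an employee who adds a cheerful sentence fails the check and is shown exactly which detail (the return date, "Vermont", "Janet") would have been handed to an attacker, which is more persuasive in awareness training than a generic rejection.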

Ask employees to check permissions on social media pages.

We’re all on some social media platforms, and many of us post pictures of us with family and friends around the holidays. 

Just like in the phishing email example above where we saw a bad actor use LinkedIn to their advantage, so too can they leverage your Facebook, Twitter, Instagram, or other accounts to weave a convincing narrative.

Holiday Scam Example

Let’s say that you haven’t looked at your Facebook privacy settings in a few years and don’t realize that while your status updates are Private, your uploaded photos are Public. This means anyone can search your profile and see the images you post.

A cybercriminal may have chosen you as a prime target for your elevated managerial permissions, and noticed that you’re out-of-office with the family in South Carolina, baking Christmas cookies in your Facebook photo. In fact, you just posted the picture two hours ago. Bingo. 

The bad actor decides to capitalize on this information immediately, researching your lower-tier employees and watching the clock, waiting until 15 minutes before your staff are about to clock out to strike. Then they send an email that looks like it came from you:

Hey, Emily. I’m in SC with the family right now. Just wrapped up baking and came back to a message. I need to log into the Drive from my phone since I left my laptop at home. Can you send me the login credentials? I have to take care of something for Donavan. Thanks.

Because this message looks like it came from a manager and was sent to an employee, the recipient is more likely to do what their boss requests without questioning it. 

This social engineering phishing scam could easily be avoided by requiring all staff to update their privacy settings on social media. While this can be difficult to enforce, explaining the repercussions that open-source intelligence (OSINT) can have on your business may be enough to inspire employees to better safeguard their private information online.
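Both spoofed messages above (the Vermont transfer request and the Drive credential request) share a pattern that a mail gateway or help-desk triage script can score before anyone acts on them: a lookalike or out-of-domain sender using a staff member's name, a claim that the sender cannot be reached, and a request for money or credentials. The scorer below is an added example written for this article, not code from Mitnick Security; the corporate domain example.com, the staff names, the keyword lists and the weights are all assumptions, and the three messages are constructed from the scenarios above.

```python
import re
from typing import Dict, List, Tuple

CORP_DOMAIN = "example.com"                        # assumed corporate domain
KNOWN_STAFF = {"mark", "paul", "janet", "emily"}   # assumed directory of first names

# Content signals; non-capturing groups so findall() returns whole matches.
SIGNALS = {
    "urgency": re.compile(r"\b(?:quickly|asap|urgent(?:ly)?|right away|immediately|today)\b", re.I),
    "money": re.compile(r"\b(?:transfer|wire|routing|payment|invoice)\b|\$\s?\d[\d,]*", re.I),
    "credentials": re.compile(r"\b(?:log ?in(?:to)?|credentials?|password|passcode|mfa|2fa|one[- ]time code)\b", re.I),
    "unreachable": re.compile(r"\b(?:terrible service|can.?t (?:connect|talk|call)|(?:from|on) my phone|don.?t call)\b", re.I),
}
WEIGHTS = {"lookalike domain": 3, "impersonation": 2, "reply-to mismatch": 2,
           "urgency": 1, "money": 2, "credentials": 2, "unreachable": 1}

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions (rn for m, vv for w, digits for letters)."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distance to the corporate domain means lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_address(header: str) -> Tuple[str, str, str]:
    """'Mark Lee <mark@exarnple.com>' -> ('Mark Lee', 'mark', 'exarnple.com')."""
    m = re.match(r'^\s*(?:"?([^"<]*?)"?\s*<)?([^<>@\s]+)@([^<>\s]+)>?\s*$', header)
    if not m:
        raise ValueError(f"unparseable address: {header!r}")
    return (m.group(1) or "").strip(), m.group(2), m.group(3).lower()


def score_message(msg: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one message; reasons explain every point so an analyst can review."""
    score, reasons = 0, []
    display, local, domain = parse_address(msg["from"])
    if domain != CORP_DOMAIN:
        dist = levenshtein(normalize_domain(domain), CORP_DOMAIN)
        if dist <= 2:
            score += WEIGHTS["lookalike domain"]
            reasons.append(f"lookalike domain {domain!r} (distance {dist} from {CORP_DOMAIN})")
        first = (display.split() or [local])[0].lower()
        if first in KNOWN_STAFF:
            score += WEIGHTS["impersonation"]
            reasons.append(f"staff name {first!r} used from a non-corporate domain")
    reply_to = msg.get("reply_to")
    if reply_to and parse_address(reply_to)[2] != domain:
        score += WEIGHTS["reply-to mismatch"]
        reasons.append("Reply-To domain differs from From domain")
    text = f"{msg.get('subject', '')}\n{msg['body']}"
    for label, rx in SIGNALS.items():
        hits = sorted({h.lower() for h in rx.findall(text)})
        if hits:
            score += WEIGHTS[label]
            reasons.append(f"{label}: {', '.join(hits)}")
    return score, reasons


def verdict(score: int) -> str:
    """Assumed thresholds: hold and verify out of band, warn, or deliver."""
    if score >= 4:
        return "hold for out-of-band verification"
    return "warn recipient" if score >= 2 else "deliver"


# Constructed messages modelled on the article's two scenarios plus a benign one.
TRANSFER_REQUEST = {
    "from": "Mark Lee <mark@exarnple.com>", "subject": "Quick favor",
    "body": ("Hey, Janet. Sorry to bug you. I have terrible service in Vermont right now and "
             "I can't connect! Paul's wrapped up and asked me to transfer $10,000 from the "
             "California account to this routing address. Can you take care of this quickly? "
             "If I don't get back to you right away, it's because we're hitting the slopes today."),
}
CREDENTIAL_REQUEST = {
    "from": "Paul Ortiz <paul.ortiz@example.net>", "subject": "Drive access",
    "body": ("Hey, Emily. I'm in SC with the family. I need to log into the Drive from my phone "
             "since I left my laptop at home. Can you send me the login credentials? Thanks."),
}
BENIGN = {"from": "janet@example.com", "subject": "Team lunch",
          "body": "Reminder: the team lunch is Thursday at noon. See you there!"}

if __name__ == "__main__":
    for m in (TRANSFER_REQUEST, CREDENTIAL_REQUEST, BENIGN):
        s, why = score_message(m)
        print(m["from"], s, verdict(s), why)
```

The weights are illustrative; what matters in practice is that a staff name arriving from outside the corporate domain, combined with "I can't be reached" and a money or credential ask, is held until the recipient confirms by phone, exactly the out-of-band check the article recommends.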

Be on the lookout for “boss” phishing scams.

In the social engineering attempt detailed above, we showed how a cybercriminal might try to gain access to a corporate database by impersonating an authority figure. This is such a common attack vector around the holiday season that we wanted to single out this highly targeted attack.

When managerial staff are out of office, bad actors often use their absence as the perfect opportunity to strike. They impersonate CEOs and high-level executives, asking lower-tier employees to perform an action while their boss is away, such as transferring money or sharing login credentials.

With COVID-19 phishing schemes running rampant into late 2020, not only could a criminal leverage the “CEO ruse,” they could also capitalize on empty offices during the pandemic— knowing that more employees are working from home.

Holiday Scam Example

Let’s say the social engineer discovers through OSINT that you’re out of office for the holiday. Not only are social engineers sending phishing messages via email; some are also sending SMS messages that show up on the phone as a spoofed contact.

Knowing you as the manager are gone, your employee may get a text message from a contact with your name saying,

Hello, Tom. Can you do me a favor? I need an important file that I left in the office before I left for my X-mas break. I am so caught up today, I asked my nephew Mike to swing through and grab it, since I’m going to see him tomorrow on X-mas Eve. 

I know you’re working today; could you let him in to snag it? He said he could swing by around 3. Thank you!

Mike, unfortunately, is just a clever social engineer, who will walk right through your held-open door and waltz into your office. Here, he’ll plug a malware-injecting device into your computer, allowing him to remotely hack into corporate systems. The fake nephew will grab a stack of papers to make it appear as if he got what he needed, and walk right out with the keys to the digital kingdom.

Now, more than ever, it’s crucial to warn your employees to be suspicious of all forms of contact, from email and voicemails to text messages. When in doubt, ask them to call their manager to confirm an urgent request— even if the message says they’re busy.

Inspect shipping notices and watch out for delivery personnel.

For many businesses, sales are booming during the holiday season. Bad actors know that your business may be stocking up on inventory around this time of year, and are always looking for ways to exploit that.

If you get an email saying an important company shipment was delayed, think before clicking attachments. These social engineering attempts often work because bad actors know you’re eager to have items delivered on time and will download the attached information in haste— infecting you with malware before you have time to reflect. 

In addition to shipping alerts, be cautious of physical breaches as well. During this time of year, it’s not uncommon for bad actors to impersonate mail personnel to gain access to a building. Think about it: who doesn’t hold the door open for the smiling delivery man juggling boxes a mile high? Once in, this cybercriminal could breach or steal computers, devices, servers, paperwork, and more.

Think before clicking into holiday deals.

Do you allow employees to access their personal email on company-issued devices? Hackers know that people are scrambling to find gifts for loved ones around the holidays, and send malicious holiday “deals” to infect your devices with malware.

An employee who checks their personal email on a company device may click on an email offering an incredible sales price, exclusive coupon, etc. that takes them to a spoofed website or requires them to download something that could infect their computer. 

Even if your employees keep personal and work email separate, social engineers may use holiday e-card gifts supposedly from your company, or similar pretenses, to bait employees.

Holiday Scam Example

In this image from KnowBe4, you can see a few red flags that an email may be a phishing attempt:

Educate your employees on some of these warning signs of a suspicious email and explore KnowBe4’s Holiday Scams Toolkit here.

Be suspicious of charity requests.

The holidays are a time for giving, and many are in need. From November through New Year’s, you and your employees may receive a larger influx of charity-related requests asking you to donate to various causes.

While you may be in the giving mood and your organization may have a designated fund for charitable involvement, be cautious of messages like these. Social engineers often take advantage of your generosity, creating spoofed donation pages that capture your credit card information.

If you receive a donation request, go to the website directly, without clicking on any links attached in promotional emails. If you receive a phone call saying donations are accepted over the phone, tell them you’re busy and you’ll make a note to visit their website to donate later. 

When you are ready to contribute, make sure the site has the secure “https://” at the beginning of the URL and use a secure “middle-man” tool like PayPal that encrypts your banking information. Holiday social engineering scam avoided!

Get a Few Steps Ahead

Prepping your users for the holidays means keeping security awareness sharp and providing more information about the holiday-specific schemes they should watch out for. 

Invest in security awareness training with some of the best in the industry here at Mitnick Security. 

Not quite ready for that kind of investment? Start by downloading our Steps to Avoid Cyber Threats ebook to make 5-½ high-impact, quick security improvements, today.
