They Know If You've Been Bad or Good...

Eric Howes

Like most of the rest of us, malicious actors the world over love the holidays. It's a prime season to run social engineering schemes on users who are already of a mind to open their wallets for charities as well as online retailers.

Between Black Friday, Cyber Monday, and the deluge of holiday greetings, general good cheer, and Christmas shopping there are plenty of opportunities for the bad guys to use cleverly crafted malicious emails to separate fools from their money -- and persuade your employees to open the door to your organization's network, with all the riches contained therein.

This year, though, the bad guys are bringing something new. This holiday season they've got their own Naughty-and-Nice list.

Don't worry -- they won't be spoofing Santa (even if every holiday season seems to bring a raft of stories about dodgy department store Santas behaving badly). No, they'll be spoofing the next best thing: your organization's HR and payroll departments.

Over the past year, bad guys have been ramping up their efforts to credibly spoof HR departments, leveraging the inherent authority of HR to motivate users to engage with malicious emails pushing malicious links, malware-laden attachments, and fraudulent demands for money and information. This isn't an accident.

As we noted a year ago in a piece on the noticeable increase in HR-themed phishing emails, HR is an attractive target for malicious actors looking to bamboozle cubicle-dwelling employees because of the inherent trust and authority enjoyed by HR in most organizations.

"Trust is a funny thing...While trust often develops organically over a period of time, trust can also be generated or backstopped with some element of compulsion and authority. When you don’t have much of a choice, trust can seem the easier path to take. And the best example of this dynamic is the relationship that employees enjoy with their organizations’ HR departments. Whether your company’s HR department is beloved, feared, or loathed, it is a center of power in most organizations that few employees can afford to ignore."

And, so, this holiday season many of your users will learn that Santa's local reps in your HR department are bringing them either a most welcome gift -- in the form of a generous annual bonus -- or a lump of coal -- in the form of a pink slip. And you better believe your users will be sitting up in their chairs, eager to learn whether Santa (HR) thinks they've been naughty or nice this past year.

As the holiday season ramps up, some users are already learning which of Santa's lists they're on. Let's take a look, courtesy of customers who have been reporting these phishing emails to us via the Phish Alert Button (PAB).


Naughty employees are most likely to receive an appropriately cold, bureaucratic email that looks something like this.


As social engineering schemes go, this is a rather effective one, as it teases recipients with the kind of inside dope they don't often get directly (but might have heard rumors about during hushed conversations in the break room). It will be difficult for many employees to resist the urge to take a peek and find out if they're on the list.

Some HR departments go out of their way, however, not to come across as so heavy-handed. Employees working for organizations with more enlightened HR departments might get a polite invitation to their own beheading.


Still other HR departments prefer to use SaaS proxies to deliver the bad news, complete with sterile, boilerplate graphics and colorful buttons.


Yeah, the closing to that one is a bit tone-deaf, isn't it?

However the news is delivered, no one wants to be on Santa's "naughty" list (but many will be understandably eager to find out if that jerk in accounting is).


You might think that news of annual bonuses would arrive with some amount of fanfare -- or at least a healthy dose of warm, holiday cheer.

Santa's HR elves are incredibly busy this time of year, however, so good news sometimes gets delivered in small, unassuming packages.


And sometimes the hint of good news comes wrapped in bureaucratic prose so stilted it's difficult to tell whether you made Santa's "nice" list -- at least not without clicking that link.


Still other users may be surprised to learn that they have a secret Santa in payroll who mysteriously decided to share with them that most coveted of internal corporate files -- a payroll document summarizing upcoming salary increases.


When the holidays arrive and free money is in the offing, all too many of your users and employees will leap at the chance to find out where it's all going.

Surprise Gifts & a Lump of Coal

Even if your employees don't happen to get the early word about where they stand on Santa's list, there is still hope. They just might be enlisted to become one of Santa's helpers.


Yeah, that's a standard gift card phish -- by now a common form of CEO fraud that's been going strong for well over a year at this point. The holiday season, though, offers malicious actors the perfect opportunity to breathe new life into what has become an all too familiar social engineering scheme.

Not all bad news can be blamed on mischievous elves, though, as the recipient of this email seemed to believe.


Though the user flagged it as a phish, that lump of coal was, sad to say, the real thing. Pity the poor Help Desk employee who had to deliver that message.

So Be Good for Goodness Sake

The holiday season is supposed to be a time for hearty good cheer, fellowship with family and friends, and the opportunity to celebrate a year gone by. The holidays are also a time, though, when your employees will be understandably concerned about the stability of their jobs (haven't we all heard horror stories of layoffs and terminations just before Christmas?) as well as any holiday bonuses that could be coming their way.

Put another way, the holiday season is a time that offers malicious actors plenty of hopes and anxieties that can be exploited via social engineering schemes to make their own holiday season even merrier than yours.

Your users and employees are human. They're also your last line of defense when the bad guys try to gift themselves access to your network, your proprietary data, and your organization's finances. Now is the time to step your users through New-school Security Awareness Training so that the upcoming new year doesn't kick off with the much-dreaded hangover of a data breach or a ransomware infestation that brings your organization to its knees.
