The Grinchy email scams to watch out for this holiday season

· 9 MIN READ · RAY PUGH · NOV 22, 2021 · TAGS: MDR

As the holidays near, there’s so much to excite!
It’s that time of year, with sales left and right.
Cheer fills the air and there’s no time to wait
For holiday shopping – don’t want to be late!

But as you shop online and check email this season,
Watch out for these scams – with very good reason.
With celebrations and work and no spare time to mention,
Don’t let Grinches in while not paying attention.

They want to steal info and data galore,
Gift cards, credentials, and so much more.
So here’s what to know to avoid falling prey —
Keep your inbox secure through these holidays.

Who ordered all that Who Hash?!?!

Aka: Fake shipping notifications

Our security operations center (SOC) saw several of these scams, and we expect them to ramp up around the holidays. Holiday Grinches (aka attackers) send fake shipping notifications, often posing as legitimate retailers, hoping to trick recipients into providing personal information like card numbers, login credentials, or other details.

For example, we investigated this fake Amazon notification earlier this year, which claimed an order was on its way to the recipient.

Fake Amazon shipping notification email

The attacker’s goal is to make the recipient think this is an actual order incorrectly placed through their account (or that maybe their account was hacked), with the large dollar amount (over $1,400 in this case) causing concern that the recipient will be stuck with the bill for an item they didn’t order.

There are no clickable links in the email, which steers the reader to the Support Desk phone number listed in bright red at the bottom.

Our Grinchy sender hopes recipients will call that number to dispute the order, then poses as customer service on the phone to ask for “necessary account information” to help the recipient sort out the issue. If successful, this type of scam would result in the attacker obtaining account credentials, credit card numbers, or other sensitive personal information from the concerned recipient.

These fake shipping notices are a common attacker tactic — see another example below where a fake shipping notice prompted the recipient to click a link and provide personal information to reschedule a “canceled” delivery.

Fake shipping notification email

The holiday season is a perfect time for would-be Grinches to raise their odds for success with these tactics as online shopping reaches peak levels for the year.

A Who’s to-dos:

Got an email about an order or delivery you didn’t place? Shipping confirmation that looks kind of sketchy?

Here are some things you can do to avoid falling prey to this Grinchy scam:

  • Double check the email address the shipping/delivery notice came from. Does it look legitimate? Does it match other shipping confirmation emails you’ve previously received from the same company for orders you placed? If not – it’s likely a scam.
  • Check the email for errors – is the company’s name or other text misspelled? Is the language odd or stilted? These could be signs that the email isn’t legitimate since companies go to great lengths to make sure their emails are largely error-free.
  • If you have any suspicions that an email might not be legit, don’t click any links or call the phone number provided in the email – and definitely don’t give them any of your personal information! Instead, look up the verified customer service number for that company online and go through their legitimate support center to look into the order or delivery. If they can’t find it, it’s a good sign it was a scam.

That’s not Santa – that’s the Grinch!

Aka: CEO impersonation

The TL;DR for this one: unless it’s a regular part of your job, it’s probably safe to assume your boss wouldn’t ask you to do her holiday shopping.

We see a number of campaigns come through our SOC every year where Grinches dress up like Santa and try to rope employees into helping them steal all the gifts (or gift cards, in this case).

For example, in the email below, our Grinch created an email address imitating that of the company’s CEO and targeted a company employee, asking to speak offline about a “personal errand.”

CEO impersonation email request

Attackers often like to move the conversation away from email to lower the chance of being discovered. Asking for cell phone numbers allows them to use calls or texting for further interactions.

We’ve seen similar emails with language like:

“Send me your cell phone number for an urgent task”

“Kindly reconfirm your cell phone #, I need a task done immediately”

“Please kindly resend your cell phone number to me”

Our gift-stealing Grinches then usually ask their victims to purchase gift cards and send pictures of the redemption codes. Communicating by text/smartphone makes receiving that info quick, easy, accessible, and fairly anonymous. And the victim is then out the money they spent on the gift cards with little recourse to get it back.

Attackers often use publicly available information like org charts on a company’s website or networking sites like LinkedIn to perform reconnaissance and target individuals who are newer to the company and likely eager to impress their boss.

Which means, historically, we’ve seen interns, new graduates, and other new hires frequently targeted in these scams.

So what can you do to keep the cyber Grinches from looking like this?

A Who’s to-dos:

  • If you receive an unexpected email from “your boss” asking you to contact them offline or purchase things for them that aren’t part of your regular responsibilities, first: don’t respond or give them your number!
  • Second, contact your boss through another channel of communication like your company’s instant messaging app, a new email to their verified company email address, or a phone call if you have their number. Confirm whether they sent the request. If not, it was likely a scam and you should report it to your company’s IT/security team.
    • If the person reaching out isn’t someone you normally talk to, find someone in your network who can reach them through legitimate channels.
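For security teams, the CEO impersonation pattern described above (an executive's name on an address that isn't theirs, plus a request for a cell phone number) can be expressed as a simple mail check. This is an added example, not code from the original post or from Expel; the executive name, the addresses, the signal names and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: executives' display names mapped to their verified addresses.
EXECUTIVES = {"pat morgan": "pat.morgan@example.com"}

# Patterns modelled on the requests quoted above (cell phone number, urgency).
PHONE_ASK = re.compile(r"\b(?:cell|mobile)(?:\s*phone)?\s*(?:number|#)", re.I)
URGENCY = re.compile(r"\b(?:urgent|immediately|errand)\b", re.I)

def body_text(msg):
    """Join the decoded text/plain parts of a message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts
    )

def impersonation_signals(raw_email):
    """Return the CEO-impersonation signals present in one raw message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    # Normalise case and whitespace before looking up the display name.
    verified = EXECUTIVES.get(" ".join(display.lower().split()))
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    signals = []
    if verified and addr.lower() != verified:
        signals.append("exec_name_unverified_address")
    if PHONE_ASK.search(text):
        signals.append("asks_for_phone_number")
    if URGENCY.search(text):
        signals.append("urgency_language")
    return signals

# Constructed sample messages (not taken from the original post).
SCAM = (
    "From: Pat Morgan <pat.morgan.ceo@example.net>\n"
    "To: new.hire@example.com\n"
    "Subject: Quick request\n\n"
    "Kindly reconfirm your cell phone #, I need a task done immediately\n"
)
LEGIT = (
    "From: Pat Morgan <pat.morgan@example.com>\n"
    "To: new.hire@example.com\n"
    "Subject: Q4 report\n\n"
    "The Q4 report is attached for review before Friday.\n"
)

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(name, impersonation_signals(raw))
```

A message that carries the sender signal together with the phone-number request is a good candidate for quarantine or a warning banner; either signal alone is better treated as a prompt for review.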

Click this link to see your Whobilation invite!

Aka: Credential harvesting through phishing

The hustle and bustle of the holiday season is perfect timing for another Grinchy favorite – catching busy Whos off-guard with phishing emails posing as legitimate business activities to harvest recipients’ login credentials.

A common tactic is for attackers to send an email pretending to share a legit business document (an invoice that needs signing, a contract, etc.) through a file-sharing application like DocuSign, Microsoft OneDrive, or Microsoft Office 365.

The link in the phishing email then takes the recipient to a credential harvesting portal posing as a login page for one of those file-sharing services. When the recipient enters their login info to access the document, the attacker captures that information and can then use it to access that recipient’s inbox (and potentially other parts of an org’s systems and applications if business email credentials are captured).

Below is an example of a fake login portal we’ve seen. There are often subtle differences (like typos, missing or different images, abnormal language) between these fake portals and the real login pages, but attackers hope busy employees won’t stop and notice these abnormalities.

Credential harvesting page posing as a Microsoft login page

This page may look legit at first glance, but the URL in the browser shows that this is definitely not a Microsoft-owned page.

Another common tactic Grinches use to collect credentials is sending recipients a PDF file to download (again posing as a legitimate business document like an invoice or contract).

Sometimes PDF, ZIP, and other files attached to phishing emails are password protected to circumvent companies’ security tech. The attacker then includes the password in the body of the email, allowing their victims to open the document and interact with whatever’s inside (this is also a common method for attackers to insert malware onto targets’ computers).

Within the PDF, attackers will instruct recipients to access a link in the document. The link often redirects multiple times before ultimately landing on the attacker’s credential harvesting page, again usually imitating a legitimate login page to trick potential victims into entering their credentials.

Once a Grinch has stolen a recipient’s credentials and gained access to their inbox, they typically look for emails about invoices or other financial information to insert themselves into the conversation and attempt to divert payments to a different account they’ve set up.

In one example, we saw an attacker successfully divert payment for a person’s African safari vacation into the attacker’s account.

These phishing emails target our inclination to respond promptly to communications from co-workers, vendors, or clients if we think action is required, like returning an invoice. Subject line keywords that promote action or a sense of urgency are favorites for attackers because they prompt people to click without taking as much time to think.

A Who’s to-dos:

  • If you receive an email link to access a file, or an attached file that you aren’t anticipating, don’t click any links or open any files right away. First double-check the sender – is this someone you know? Is their email address legitimate? If not, it could be a phishing email.
  • If you find yourself on the login page for a file-sharing service, check if there’s anything off. Are there any typos? Images that won’t load? Oddly-written text or descriptions? Look at the URL – does it seem right? If you regularly use this service for work or personal file sharing, does this login page match what you usually see? If the answer to any of these questions is no, don’t put your information in – it could be a credential harvesting site posing as a login page.
  • If a suspected malicious email is sent to your work account, report it to your company security/IT team so they can check if other employees at your company were targeted by the same phishing campaign and if any accounts were compromised.

While you order your Roast Beast delivery…

Aka: The most important thing to do while online shopping this season

We’ve covered some of the top scams you should keep an eye out for in your inbox this holiday season. But what about while you’re hunkered down in front of your internet browser with a double espresso, noise-cancelling headphones, and your credit cards at 12 am this Black Friday and Cyber Monday?

Our most important tip – don’t reuse passwords! This will help protect you from credential stuffing attacks.

Credential stuffing is a type of cyberattack where cyber Grinches take one set of stolen login credentials (for example, if your username and password to a site were leaked in a data breach and can now be found on the illicit web), then use automation to try them across a variety of sites or applications.

It’s possible attackers will try to compromise online retailers’ systems this holiday season to access credentials for their users’ accounts, either by taking advantage of vulnerabilities in a retail site’s security or, more commonly, through credential harvesting like we discussed above.

If successful, it’s easy for the attackers to then use the same credentials they obtained at other retailers or institutions, like financial providers. This can allow them to place fraudulent orders, steal credit card information stored on retailers’ sites, or access their victims’ financial and email accounts (where wire fraud and other financial crimes are their targets).

As you register for accounts while online shopping this season, use unique, strong passwords (or better yet, passphrases!) for each site. This helps mitigate the impact if one of your accounts is compromised by keeping your other accounts secure.

A Who’s to-dos:

  • Use different passwords for each of your accounts, particularly accounts that provide access to sensitive or personal information (like financial accounts, credit card information, or your address).
  • Using a centralized password manager allows you to store unique, complex passwords for all of your accounts in a secure but easily accessible way.
  • Use multi-factor authentication (MFA) on all of your accounts. MFA requires a second verification step beyond your login info (for example, providing a code sent to your phone number on file) to access your account. So even if an attacker gets your credentials, MFA will help prevent unauthorized access to your account until you can reset the password. Most sites and apps have an option to enable MFA for logins to your account, often with customizable preferences.

Wrapping it all up

Cyber Grinches are out there, hoping and wishing
To steal all your cheer with some holiday phishing.
So have your guard up and pay close attention
To emails and websites for scam prevention!

Keep your inbox secure and logins protected,
And don’t click on anything that’s unexpected.
Our top tips are below for your peace of mind
To avoid cyber trouble this holiday time!


  • Check senders’ email addresses if an email is remotely suspicious or unexpected.
  • Don’t click links or open attachments from senders you don’t recognize or aren’t expecting.
  • If you click a link in an email, check the URL it brings you to – does that URL look legitimate for that company? If not, don’t put in any personal information.
  • Look for abnormalities in emails or login pages that might indicate they’re fake (for example: typos, missing or unloaded images, oddly-written language or anything else that differs from your typical experience with that site/provider).
  • Don’t provide personal information to anyone claiming to be customer service over the phone unless you personally called that company’s verified customer service number.
  • Double check unusual requests from your boss through another communication channel – not just by hitting reply.
  • Report anything suspicious in your work accounts to your company’s security/IT team so they can investigate and look for other instances at your org.
  • Use unique passwords for each account you create.

And a last parting thought if your org needs support
For monitoring and response when there’s phishing to thwart –
Reach out to our team about our contribution,
Expel Managed Phishing could be your solution!

Have a safe and happy holiday season from all of us at Expel!