12/04/2019: Holiday Social Engineering Scams



It’s the time of year for holiday fun and merriment, but with the hustle and bustle of the season, it’s very important to stay alert.  December is prime time for thieves and scammers.  People are often so pre-occupied with holiday shopping, events and preparations that criminals see an opportunity to take advantage.


What is Social Engineering?

Social engineering is the art of manipulating people so they give up confidential information. The criminals are trying to trick you into giving them passwords or bank information, or into letting them access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.

Types of Social Engineering Scams


Phishing.

Phishing scams might be the most common type of social engineering attack used today.

Most demonstrate the following characteristics:

  • Seek to obtain personal information, such as names, addresses and social security numbers.
  • Use embedded links that redirect users to suspicious websites through URLs that appear legitimate.
  • Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.

Some phishing emails are more poorly crafted than others, to the extent that their messages often contain spelling and grammar errors. These emails are focused on directing victims to a fake website where the attackers can steal user login credentials and other personal information.

Keep an eye out for those poorly written emails or URLs that look a little off, especially when you’re on a retail shopping site.  For example, Hobby Lobby’s website is “hobbylobby.com”, not “hobbyloby.com” or “hobbylobby.holidaydeals.com”.
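The domain check described above, as an added example that is not part of the original article: a short Python sketch that compares a link's hostname with the retailer's real domain. The allow-list, the result labels and the two-label domain rule are assumptions made for illustration; the sample links are constructed from the article's examples.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the one legitimate domain named in the article.
TRUSTED_DOMAINS = {"hobbylobby.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Simplification: suffixes such as co.uk
    need the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(url, trusted=TRUSTED_DOMAINS):
    """Label a link: trusted, lookalike, brand-in-other-domain, unknown, invalid."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"  # the real site or one of its subdomains
    for good in trusted:
        brand = good.split(".")[0]
        if brand in host:
            return "brand-in-other-domain"  # e.g. hobbylobby.holidaydeals.com
        if edit_distance(domain, good) <= 2:
            return "lookalike"  # e.g. hobbyloby.com
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links built from the article's examples.
    for link in ("https://www.hobbylobby.com/cart",
                 "https://hobbyloby.com/",
                 "http://hobbylobby.holidaydeals.com/sale"):
        print(link, "->", classify(link))
```

The part of the hostname that matters is the end, directly before the first slash: a familiar brand name placed in front of a different domain does not make the link the retailer's.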



Pretexting.

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.

Unlike phishing emails, which use deception and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.



Baiting.

Baiting involves the promise of an item or service that hackers use to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.



Tailgating.

Also known as “piggybacking.” This attack involves someone who lacks the proper authorization following an employee into a restricted area. A common form is a person who impersonates a delivery driver and waits outside the building. When the employee gains security’s approval and opens their door, the attacker holds the door, thereby gaining access through someone who is authorized to enter the company.


Quid Pro Quo.

This attack promises a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of a good. A common type involves fraudsters who impersonate IT service technicians and spam call as many direct numbers of a company as they can find. The fraudster will promise a quick fix in exchange for the employee disabling their anti-virus program and installing malware on their computers that assumes the guise of software updates.

This affects individuals as well as companies. The victim is contacted by a phone call from a scammer claiming to be a representative of a high-tech computer firm. The caller warns the victim that their computer has been infected or could be under threat of being infected by a virus that will severely damage their internal operating system. The alleged “representative” encourages the victim to go online and allow them to troubleshoot the computer and fix the issue. The scammer uses this time to infect the computer with a malware virus that will do damage and force the owner to go to a third-party website to confirm the damage. The goal is to force the computer owner to immediately pay for unnecessary repair work over the phone by using a credit card. Never give anyone remote access to your computer; hire a local repair service whenever possible. Many individuals have fallen for this scam and often report their personal identity has been stolen soon after the phone encounter.


Be Alert and Let Us Help

If you receive a suspicious or unexpected phone call or email asking for confidential information or login credentials, beware!  Think twice about whether the request or offer seems legitimate.  Often scammers tempt victims with something too good to be true.  If you are unsure of the legitimacy of a request, talk with someone you trust about it before you give out any information.

Sometimes scammers request that funds be wired to them.  Our bankers are trained to look closely at these requests and will ask questions to make sure our customers aren’t being taken advantage of.  Please know that your banker is simply trying to protect you, your information and your bank accounts from being compromised, so try to be open and honest when your banker asks questions before sending a wire to an unknown recipient.

If you think you have been a target or a victim of social engineering, please contact your financial institution and alert the authorities immediately.

Information courtesy of the Wisconsin Bankers Assoc.