The Great Christmas Voucher Scam (That Never Was)

Just before Christmas, a suspicious email began circulating—claiming you were about to send a dodgy message about staff vouchers. It looked official, felt urgent, and caught more than a few people off guard... especially those checking on their phones.

Like many workplaces in Ireland, ours gives a small Christmas voucher to staff. It’s a nice gesture—and as it turns out, the perfect setup for a phishing test.

A colleague once joked, “You should phish people with fake Christmas vouchers.” It felt a bit mean, especially that time of year. But it sparked an idea.

The Setup

I’d noticed how people regularly get emails from our mail filter system—“You’ve got quarantined messages,” or “Click here to release.” Sometimes they’re legit, sometimes they’re spam, and sometimes you need IT to step in.

So here was the angle:

A fake system alert telling people that they themselves were about to send a dodgy email about Christmas vouchers—and they had only minutes to stop it.

Designed to Pressure

The email said:

  • A spammy-looking message was queued from their account.

  • The subject? “Christmas Staff Vouchers”.

  • They had to act quickly: Release or Quarantine the message. (Double jeopardy, as is my style: everything clickable was trip-wired.)

I sent it just before lunch—a busy time with lots of distractions. The design mimicked our actual system emails. The links led to a credential harvesting page, and we even simulated a drive-by download.

What made it worse? It worked best on mobile.

Mobile Users Were Most at Risk

Post-campaign, it turned out most of the people who clicked were using their phones—often in meetings or on the go. On mobile, you can’t hover over links. There’s less context, fewer warnings, and you’re more likely to tap first, think later.

Desktop users spotted the issues: weird URLs, slightly off wording, or just a gut feeling that something wasn’t right.

What We Learned

This wasn’t about technical tricks. It worked because it:

  • Felt urgent (“Act now!”)

  • Seemed authentic (based on real systems)

  • Played on embarrassment (thinking you’d just sent a dodgy email)

How to defend against it:

  1. Mark external emails clearly – especially ones pretending to be internal.

  2. Train for mobile – people use phones more than ever.

  3. Encourage a “stop and think” pause – even under pressure.

  4. Use other channels – don’t rely on email alone for serious alerts.
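One way to implement the first defence, tagging any message that merely claims to be internal, is a small header check like the one below. This is an added example, not code from the post; the example.ie domain and the two sample messages are constructed placeholders standing in for the real mail-filter alert and its look-alike.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.ie"}  # assumed placeholder for the organisation's own domain
EXTERNAL_TAG = "[EXTERNAL]"

def auth_results(msg):
    """Flatten Authentication-Results headers into {method: result}, e.g. {"spf": "fail"}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause 0 is the authserv-id
            clause = clause.strip()
            if "=" in clause:
                method, rest = clause.split("=", 1)
                results[method.strip().lower()] = (rest.split() or [""])[0].lower()
    return results

def external_reasons(msg):
    """Explain why a message must be tagged external; an empty list means trusted internal."""
    _display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    reasons = []
    if domain not in INTERNAL_DOMAINS:
        reasons.append(f"sender domain '{domain}' is not internal")
    else:
        # A From: in our own domain (the mail-filter look-alike) is trusted only if the
        # receiving MX verified it; a failed or missing SPF/DKIM result means tag it.
        for method in ("spf", "dkim"):
            if auth.get(method) != "pass":
                reasons.append(f"internal From: but {method}={auth.get(method, 'missing')}")
    return reasons

def tag_subject(raw_message):
    """Return the Subject, prefixed with the external tag when the checks fail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if external_reasons(msg) and not subject.startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {subject}"
    return subject

# Constructed samples: a genuine filter alert, and a look-alike that only claims to be internal.
GENUINE = ("From: Mail Filter <quarantine@example.ie>\n"
           "Authentication-Results: mx.example.ie; spf=pass smtp.mailfrom=example.ie; dkim=pass header.d=example.ie\n"
           "Subject: You have quarantined messages\n")
SPOOFED = ("From: Mail Filter <quarantine@example.ie>\n"
           "Authentication-Results: mx.example.ie; spf=fail smtp.mailfrom=example.ie; dkim=none\n"
           "Subject: Action required: outbound message \"Christmas Staff Vouchers\" held\n")
```

The same tag is what a mobile user sees in the subject line even when they cannot hover over a link, which is the point of the control.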

🔥 Tooling Roundup

Some interesting tools to experiment and play with:

  • Google Dorks

    • What it does: Uses advanced search operators to uncover specific, often sensitive, information indexed by Google.

    • Why it's useful: You can find exposed login pages, leaked documents, unsecured cameras, error logs, vulnerable servers, and even passwords written in plaintext—all just by crafting clever search queries.

    • Website: https://www.exploit-db.com/google-hacking-database

  • IntelTechniques

    • What it does: Offers a wide range of OSINT tools and search utilities for investigating people, usernames, domains, and more.

    • Why it's useful: It's a one-stop hub for deep-dive investigations—track social media profiles, uncover hidden connections, search public records, and use custom-built tools designed by OSINT expert Michael Bazzell.

    • Website: https://inteltechniques.com/tools/

Did You Know? In 1999, a teenager from Montreal named Mafiaboy launched a series of cyberattacks that brought down Yahoo!, CNN, Amazon, and eBay—some of the biggest websites in the world at the time. The attacks exposed serious gaps in internet security and led to the first wave of national cybersecurity strategies, including the U.S. creating the first federal cybercrime task force.

Till next time,

John

Disclaimer: All of the above tools should only be used in controlled, ethical environments — such as red team engagements, security testing, or awareness training. Using these tools without permission is illegal and unethical. Just so you know.