016: Happy Holidays!

Spies, Lies and Cybercrime by Eric O'Neill

Peace on Earth and Good Will to All

As Christmas draws near, I’m reminded of the joy and renewal this season brings. For me, it’s a time to reflect, to cherish moments with family and friends, and to watch the quiet snow blanket my neighborhood—a stillness that feels like peace itself as the minutes tick toward Christmas Day.

However you celebrate—be it with twinkling lights, the warmth of loved ones, or simply a moment of calm amidst the noise—I wish you the same joy and hope this season offers.

May we all find our guiding star in the year ahead, that beacon leading us closer to our dreams, our purpose, and the people who matter most. As this year comes to a close, let’s carry with us the promise of brighter days and a world filled with renewed hope, love, and peace.

This is my last Newsletter of 2024! I’ll be taking a break next week to relax, unwind and disconnect from technology to better spend time with my family. Look for the newsletter’s return after the new year!

From my family to yours, Merry Christmas, Happy Hanukkah, Happy Holidays, and warmest wishes for a joyous season.

But you know me—why stop at warm and fuzzy? It might be nearly Christmas, but there’s always time for a good old-fashioned spy story! So, gather ’round, pour some eggnog (or mulled wine, no judgment), and let me introduce you to Emily Williams, whose story is equal parts intrigue, mystery, and the kind of plot twists that make the holiday season even more exciting.

Weekly Story: The Strange Case of Emily Williams

In the week before Christmas, the office was abuzz. Decorations sparkled, end-of-year projects wrapped up, and holiday cheer lingered in the air. Then, Emily Williams appeared.

“Hey, are you going to the holiday party?” The message popped up in Brian’s work chat.

Brian, a cybersecurity analyst, paused. Emily’s profile picture was striking: an elegant smile framed by dark hair, set against a university graduation backdrop. She had a warm, approachable vibe—the kind of person you’d instantly like. But Brian didn’t recall meeting her.

“Sorry, do I know you?” he typed back.

“Oh, I just joined the team! I’m Emily. IT engineer.”

Brian shrugged it off. Onboarding was chaotic this time of year, and remote work meant new hires often remained faceless names for weeks. Still, something about her rapid familiarity lingered in his mind.

By Wednesday, Emily Williams was everywhere. Her congratulatory posts about her new role garnered dozens of likes on the company’s internal social media. “Welcome aboard, Emily!” her supposed colleagues commented. She reciprocated with friendly banter and tagged team leads in her posts about recent training sessions.

Do you know Emily?

“Did you hear about Emily?” Sandra from HR asked over coffee. “She’s a real go-getter! Already offered to help streamline some processes. Very proactive.”

Emily’s charm seemed boundless. She even shared personalized holiday e-cards—cheerful designs linked to a holiday greeting website. Most employees clicked without hesitation. The cards had been a small but welcome delight during a busy season.

Friday came, and the office buzz turned uneasy. IT logs flagged unusual activity: repeated failed login attempts, new devices connecting to the VPN, and strange traffic patterns from internal accounts. Sandra’s HR system credentials had been used to authorize Emily’s hiring documents, yet no one could recall conducting her interview.

Brian connected the dots during a routine systems audit. He reached out to IT support.

“Hey, do we have a profile for Emily Williams?”

“We do. She started last week. Why?”

“Have you seen her in person?”

The line went quiet. “No, but…she’s remote, right? From Austin?”

Brian’s stomach tightened. “Send me her onboarding forms.”

The forms were impeccable—but overly so. A fake Social Security number, residence records that didn’t quite check out, and an employment history crafted with meticulous precision. Brian felt the chill before he knew the full scope.

The next morning, Emily’s account went silent. IT discovered she had requested and been granted a work laptop. A courier had even delivered it to her “Austin” address. Brian’s worst fears materialized when they discovered Emily’s holiday e-cards contained a malicious JavaScript payload, compromising any computer that clicked on them.

Files began disappearing. Sensitive credentials were compromised, including SalesForce accounts and encrypted government communications. The breach extended far beyond the office walls, reaching contractors and external agencies.

By the time the truth emerged, it was almost too strange to believe: Emily Williams wasn’t real. She was the creation of two security researchers, Aamir Lakhani and Joseph Muniz, who had launched a penetration test against the organization to expose its vulnerabilities.

Using photos volunteered by a waitress and social media profiles stitched together with threads of truth, the duo constructed Emily Williams with terrifying realism. They gave her an IT background, built her professional network, and strategically deployed her charm to exploit human trust.

“Emily’s holiday cards alone gave us administrative rights,” Lakhani later explained in a talk titled Social Media Deception at RSA Europe. “From there, we gained VPN access, installed apps, and exfiltrated sensitive data—all with social engineering, no zero-day exploits necessary.”

As we gather with loved ones this holiday season, let the strange case of Emily Williams be a reminder: not all that glitters is gold, and not all colleagues are who they claim to be. Stay vigilant, question what seems too perfect, and remember—in the digital age, trust is the ultimate vulnerability.

Merry Christmas, Happy Holidays, and here’s to a spectacular New Year!

Eric 

P.S. To the researchers behind this tale: Bravo for teaching us how easily deception slips through the cracks. Let’s resolve to close those gaps in the year ahead.

Like What You're Reading?

Sign up for Spies, Lies & Cybercrime newsletter for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive!

Are you protected?

Recently nearly 3 billion records containing all our sensitive data was exposed on the dark web for criminals, fraudsters and scammers to data mine for identity fraud. Was your social security number and birthdate exposed? Identity threat monitoring is now a must to protect yourself? Use this link to get up to 60% off of Aura’s threat monitoring service.

What do YOU want to learn about in my next newsletter? Reply to this email or comment on the web version, and I’ll include your question in next month’s issue!

Thank you for subscribing to Spies, Lies and Cybercrime. Please comment and share the newsletter. I look forward to helping you stay safe in the digital world.

Let's make sure my emails land straight in your inbox.

Gmail users: Move this email to your primary inbox

On your phone? Hit the 3 dots at top right corner, click "Move to" then "Primary."

On desktop? Close this email then drag and drop this email into the "Primary" tab near the top left of your screen

Apple mail users: Tap on our email address at the top of this email (next to "From:" on mobile) and click “Add to VIPs”

For everyone else: follow these instructions

Reply

or to participate.