This festive season is filled with celebrations and numerous activities, but it also presents one of the most attractive windows of opportunity for cybercriminals.

People tend to relax their guard, teams operate with reduced capacity, and both consumers and businesses move faster than usual in an effort to keep up. This creates conditions in which attention is divided, making it easier to make small mistakes.

Attackers understand this and the pattern shows in the data each year, with phishing attempts, fraudulent shopping sites, and account takeover attacks consistently increasing around major retail events, such as Black Friday and the end-of-year sales.

McAfee’s Global Holiday Shopping Scams Study in 2024 found that unsolicited Black Friday-themed scam emails surged by 495% between October and early November. Then, it was followed by a more than 300% increase in EOY-related scam emails, illustrating how attackers scale their activity precisely during these periods.

These attacks rarely depend on sophisticated techniques. Instead, they succeed because of timing, arriving when people feel rushed, overloaded, or eager to clear their inboxes. Recognising how these seasonal dynamics shape behaviour is important for staying secure throughout the holiday period.

Why cyberattacks spike during the holiday season

The holiday season brings urgency and distraction, which makes people more likely to act first and question later. For example, when a shopper is faced with a limited-time offer or a business is processing a last-minute payment, speed often takes priority over scrutiny, allowing routine caution to slip. Attackers take advantage of it, knowing that teams are stretched thin, IT changes are often frozen, and unusual activity is less likely to be noticed. Combined with record levels of online spending, this creates an ideal window for fraud.

For people, the fear of missing out can easily override good judgment. For businesses, the risk is operational, as activity that would stand out earlier in the year can blend into the background noise of December. If you recognise these seasonal patterns, it’s easier to spot risks before they turn into real incidents.

‍

The consumer threat landscape

According to a Norton study, nearly half of consumers say they are willing to share personal information if it means receiving a discount, a behaviour that creates a wide opening for fraud during peak shopping periods.

Here are the most common holiday scenarios and how they typically unfold:

1. The "Too Good to Be True" Deal

If an offer looks too good to be true, it usually is. Late at night, while scrolling on your phone, you may suddenly find a sold-out item available at half price, complete with a countdown timer urging you to act fast. These offers often come from fraudulent websites built specifically for the holiday rush, designed to closely mimic legitimate retailers. Once you enter your payment details, fraudsters harvest your information and the site disappears shortly after.

Slowing down can make all the difference. Check the website address carefully and navigate directly to the retailer’s official site instead of clicking ads or promotional links reduces risk. Legitimate retailers don’t rely on panic to close a sale, so if you’re being pressured into a purchase, it is often the first sign that something is wrong.

2. The package delivery anxiety

During the holidays, delivery notifications multiply, and attackers know people are eager for reassurance that their purchases are on the way. A text message claiming a delivery failure or asking for a small rescheduling fee can feel believable, especially when several packages are already in transit. These messages often lead to credential-stealing pages designed to closely resemble well-known courier services, making them easy to trust at a glance.

In the rush of the season, even tech-savvy users may click simply to clear the notification and move on. A safer approach is to ignore the link altogether and open the courier’s official app or the retailer’s website directly. Small habits like verifying delivery updates through trusted channels can prevent account exposure at a time when distractions are at their highest.

3. Weaponising your goodwill

The season of giving is also the season of taking. December is the busiest month of the year for charitable donations, which makes it an attractive time for fraudsters. Attackers often create near-identical versions of legitimate nonprofit websites and pair them with emotional stories designed to encourage quick, impulsive donations. When generosity is combined with urgency, most people often skip verification. 

Before donating, confirm the charity through a trusted directory or contact the organization directly. Giving through official websites helps ensure your money reaches the right place and keeps your financial information secure.

4. Phishing emails & impersonation

‍December is a peak period for account takeover attempts as people log in from new devices, travel more frequently, and connect through unfamiliar networks. In this context, an email from a bank or retailer asking you to verify your account can easily feel routine, especially after recent holiday purchases. Attackers carefully design these messages to mirror trusted institutions, relying on familiarity and distraction to prompt clicks.

Checking the sender address closely often reveals subtle inconsistencies. If anything seems off, open a new browser window and visit the institution’s website directly instead of clicking the link. Enabling multifactor authentication adds a critical layer of protection, preventing access even if login details are compromised.

5. Social engineering via phone or SMS

Calls and text messages claiming to be from banks, delivery companies, or customer support teams become are common toward the end of the year. A caller may cite increased holiday fraud and ask you to confirm personal details, using authority and urgency to pressure a response.

A safer approach is to disengage and contact the institution using an official phone number listed on its website. Legitimate organisations will not ask for sensitive information through unsolicited calls or messages.

6. Using unsecured or public networks

Holiday travel often means relying on public Wi-Fi in airports, cafés, and hotels, environments that attackers actively target. Fake networks with names like Free Airport WiFi are designed to look trustworthy, encouraging travelers to connect without thinking. Once connected, unencrypted traffic can be intercepted and credentials harvested.

If public Wi-Fi is unavoidable, using a trusted VPN can help protect your connection. For sensitive activities such as banking or account logins, your mobile data remains the safer option, especially during busy travel periods.

The organizational threat landscape

For businesses, the stakes during the holiday season are significantly higher. What may start as a single fraudulent transaction can quickly escalate into data theft, ransomware, or long-term operational disruption. The risk is no longer just financial loss but potential damage to the business itself.

1. The skeleton crew risk

During December, many organisations operate with reduced IT and security staffing as employees take leave. Junior administrators may be left monitoring systems while senior engineers are unavailable, a pattern attackers recognise and exploit, knowing alerts may be slower to investigate.

To reduce risk, companies should tighten access controls before the holidays, limit administrative privileges to essential users, and ensure backups are current and stored offline or off-site. A clear incident response plan and an on-call contact with authority to act are also critical.

2. Social media oversharing & physical security risks

Social media oversharing creates a significant and often overlooked risk for businesses during the holidays. Employees often post photos or share travel plans publicly. If someone announces that the entire finance team is away for a retreat, attackers can infer that approvals will be slow and oversight limited. This creates openings for both digital and physical intrusion.

Hackers and physical burglars often monitor social media for such signals, revealing when buildings or networks may be vulnerable. A simple reminder not to share real-time travel or staffing details can reduce this risk. Businesses can also restrict access for employees in sensitive roles while they are out.

3. Business Email Compromise & impersonation scams

Business Email Compromise (BEC) attacks peak during the holiday season, driven by year-end purchases, budget closures, bonuses, and urgent payment requests. In this environment, invoice fraud and executive impersonation become particularly effective. An attacker may pose as a CEO or senior executive and request an urgent transfer before the year closes, relying on heavy workloads and time pressure to bypass verification.

Strong payment controls are essential. Never relying solely on email is a key rule. If a request involves money, verifying it through an internal phone call or a known contact channel can confirm legitimacy. Requiring dual approval for large transactions also reduces risk, as it is far harder for attackers to deceive multiple reviewers at once.

4. Ransomware and data theft during holidays

Attackers often gain access to networks quietly, then wait for periods of reduced monitoring to deploy ransomware or extract data. The holiday season provides ideal conditions, with fewer staff on duty and slower response times. A single unpatched system or weak remote access configuration can be enough to allow an attacker to lock critical systems or disrupt operations.

Regular patching, strong remote access policies, and offline backups remain some of the most effective defences. Many organisations reduce risk by scheduling mandatory vulnerability checks before staff go on leave, helping to shrink the attack surface during quieter periods.

5. Shadow IT and unauthorized workarounds

End-of-year pressure often leads employees to take shortcuts in an effort to meet deadlines. This can include using unapproved file-sharing services, personal email accounts, or unauthorized AI tools to speed up work. These shadow IT solutions typically lack the security controls and visibility of approved systems, creating blind spots for IT teams.

For example, an employee may send a large file through a personal email account because the official platform feels too slow. While convenient, this bypasses security safeguards and increases the risk of data exposure. Providing secure, easy-to-use alternatives and reminding staff that security policies still apply during busy periods helps reduce this behaviour.

6. Supply-chain & payment frauds

December is also a peak period for supply chain and payment fraud, as companies make last-minute purchases and close out procurement for the year. Attackers exploit this urgency by creating shell vendors or sending invoices that closely resemble those of legitimate partners. When finance teams are rushing, verification steps may be skipped.

Reducing this risk starts with independent vendor verification, such as checking official registries or calling confirmed contact numbers. Requiring multiple approvals for new vendors adds another layer of protection, while using secure payment methods that allow recourse is safer than relying on wire transfers whenever possible.

Holiday cyber-defence: Best practices 

Whether you’re an individual or a business leader, here’s a simple checklist to carry with you this holiday season:

For Individuals

• Pause before you click: Always double-check URLs before entering payment or personal details.
• Enable Multifactor Authentication (MFA): This adds extra layers to your banking, email, and social accounts. It's one of the most effective protections against account takeovers.
• Be cautious of emotional appeals: Whether shopping deals or charity requests, if it overly tugs at your emotions or seems rushed, pause and reflect before you act.
• Avoid unsecured networks: No matter how convenient, public or free Wi-Fi is a risk. Use VPN or mobile data for sensitive tasks.
• Verify before reacting: For delivery texts, suspicious emails, or unexpected calls, always check directly with the company or bank.

‍

For Businesses

• Review access controls: Limit administrative privileges, enforce multifactor authentication, and revoke access for staff on leave
• Backup everything securely: Ensure backups are complete, tested, and stored offline or off-site before the holidays.
• Establish a clear incident response plan: Ensure that some dedicated employees know how to react in the event of an incident.
• Enforce payment protocols: Require dual approvals for financial transactions and validate vendors thoroughly before payments.
• Educate staff: Train employees on phishing, social-media oversharing risks, and safe practices when traveling.
• Restrict remote work risks: Use VPNs, avoid public Wi-Fi, and only authorize secure connections for sensitive tasks.

‍