Why Scammers Love the Holidays, and How to Stop Holiday Phishing Risks
For phishing scammers, the holidays are the most wonderful time of the year – or so holiday phishing trends would suggest.
Cyberint research shows that phishing alerts surged by 46 percent last December compared to the monthly average observed throughout the year. Similarly, an Akamai study found a 150 percent increase in phishing victims between mid-October and late November 2021.
Consumers tend to take more risks online during the frenzy of the holiday shopping season, helping to explain why 36 percent of Americans fall victim to online shopping scams during that time of year. As the FBI warned during the holidays last year, “‘Tis the season for holiday scams.”
Businesses – 89 percent of which report being specifically concerned about cyberattacks during the holidays – are rightly worried about holiday phishing.
Phishing attacks are not the only threat organizations need to be aware of. In general, threat actors capitalize on lower staff numbers and ease of entry over the holidays.
Recent Holiday Cyber Attacks
- Downfall Game Christmas Day Breach: The fan expansion “Downfall” for the indie game “Slay the Spire” fell victim to a security breach on Christmas Day, resulting in the Epsilon information stealer malware being distributed via Steam’s update system.
- Lockbit Ransomware disrupted German Hospital Network KHO: On December 24, 2023, the Katholische Hospitalvereinigung Ostwestfalen (KHO) in Germany faced a severe disruption due to a Lockbit 3.0 ransomware attack, impacting three major hospitals in Bielefeld, Rheda-Wiedenbrück, and Herford.
- The Ohio Lottery faced a significant cyberattack on Christmas Eve, 2023, leading to the shutdown of key internal applications. Despite the gaming system remaining operational, services like mobile cashing and high-value prize claims were disrupted.
Recent Holiday Phishing Attacks
In December 2023, Europol notified 400+ e-commerce websites that they were hacked with malicious scripts, enabling debit and credit cards to be stolen from customers making purchases.
In December 2022, there was an attack against the Guardian, in which a phishing incident enabled threat actors to plant ransomware. It disrupted mission-critical systems like payroll and print production at the media company.
Also in December 2022, threat actors targeted university employees and distributed phishing emails that promised Christmas bonuses. The emails contained a malicious HTML attachment designed to steal access credentials from workers.
Effective phishing protections are needed to mitigate the risk of these types of attacks. This article unpacks steps that businesses should take to defend against phishing at any time of year, but especially during the high-risk holiday period.
The causes of holiday phishing scams
Before diving into phishing protection strategies, let’s talk about why security leaders should be extra vigilant about phishing during the holiday season. It all boils down to the holidays presenting something of a perfect storm for phishing.
- For starters, more and more purchases are made online: an estimated 63% of holiday purchases were made online in 2021 and 2022. Higher sales mean higher potential losses from phishing attacks.
- Meanwhile, the fact that retailers tend to offer great deals during the holidays – and that inflation-weary consumers are eager for them – helps holiday phishing scammers lure in shoppers with offers that might appear too good to be true under other circumstances, but seem believable during the holidays. If consumers fall for the ruse, the legitimate businesses that scammers impersonate to launch phishing schemes may suffer a loss of revenue and reputational damage.
- Couple this with the flood of promotional emails, shopping notices, order receipts, charitable donation requests and other communications that flow during the holidays, and scammers get an easy opportunity for sending phishing messages that go undetected.
- On top of all of the above, more employees take time off during the holidays. Those who remain online become easier prey for phishing scams because the cybersecurity departments that would normally help protect them may not be operating at full capacity.
In short, for threat actors seeking to launch phishing or ransomware campaigns, there is no better time than the holidays. By extension, for cybersecurity leaders, there is no time that requires more attention to threats and potential attacks than the holidays, given the increased activity of threat actors and the distractions that many organizations face at this time of year.
Holiday phishing scams to watch out for
Holiday phishing protection starts with understanding which types of phishing scams are most prevalent during the holidays. Here’s a roundup:
Phishing Scams Targeting Consumers
- Fake order receipts: At a time when shoppers are especially active, threat actors are primed to send fake order receipts via email or SMS in a bid to convince recipients to follow a link to a malicious site. Often the site will prompt a malware download or prompt the victim to enter data.
- Tracking emails and texts: Along similar lines, attackers send emails or texts with purported tracking details for online orders. They can lead to phishing pages that steal PII or ask for payment. They can also be a means of opening up conversations designed to elicit personal information or steal funds. According to a 2022 report from the Internet Crime Complaint Center (IC3), non-payment or non-delivery scams cost consumers more than $281M in that year alone.
- Non-payment scams: In this type of scam, attackers convince victims to ship goods, but never pay for them. This attack is also especially easy to execute during the shopping-intense holiday period.
- Fraudulent social profiles: Scammers create social profiles promoting false bargains in a bid to get victims to engage.
- Holiday travel scams: Fake promises of free or reduced-price travel or accommodations are especially appealing at a time of year when travel peaks.
- Gift card fraud: A threat actor steals many legitimate gift cards or discount codes and then resells them at a steep discount. Alternatively, a threat actor works out how legitimate gift cards and discount codes are generated in order to create illegitimate gift cards that are indistinguishable from the authentic ones from the retailer’s point of view. As one U.S. bank warned its customers recently, “Buying gift cards through unsolicited emails or unfamiliar websites leaves you susceptible to fraud and theft.”
- Malicious advertising: Scammers use advertisements on search engines and other sites to lure potential victims to their pages. During the holidays they often use holiday-related promotions in their ads.
Phishing Scams Targeting Employees
- Fraudulent job postings: Temporary hiring picks up during the holidays, making it a great time for attackers to create fake seasonal job postings.
- Targeting seasonal workers: Speaking of seasonal employees, attackers often target them for scams because they tend to be less familiar with company business practices and communication norms.
- False charitable contributions: Scammers can create websites or send emails or text messages soliciting charitable donations, taking advantage of people’s increased inclination to give during the holidays.
- Bonus scams: Because many companies offer bonuses at the end of the calendar year, scammers devise phishing campaigns that target employees with fake bonus offerings.
Any other type of phishing attack can happen during the holidays, too, but the scams above focus on exploiting specific behaviors and activities that are prevalent during the season.
How holiday phishing harms businesses
Although some of the phishing scams described above target consumers rather than businesses, they all harm businesses in major ways.
For one, attacks such as gift card fraud, fake job postings and fake social media profiles can harm businesses’ reputation. If threat actors impersonate a legitimate business during such attacks, observers may gain a negative impression of the businesses, even if the companies weren’t directly involved. It’s unfair, but it’s the reality.
Attacks that redirect consumers from legitimate payment channels to fake outlets operated by scammers can also harm businesses by causing loss of revenue for them. The more money consumers hand over to threat actors, the less they spend on legitimate shopping.
And even in cases where attacks have no explicit link to a business, businesses suffer when their customers or potential customers experience financial losses. Less money in the hands of consumers translates to less money being spent to purchase goods and services from real businesses.
Phishing protection strategies for the holidays
How can businesses protect themselves against phishing risks during the holidays? The answer starts with implementing the standard phishing protections that businesses should have in place all year long.
But to tackle the increased phishing challenges that arise during the holidays, some extra steps are valuable. Consider developing a holiday phishing protection strategy that includes an emergency plan and a 24/7 response team that can handle phishing risks against your business rapidly.
In addition, be sure to scan and analyze the Deep and Dark Web for mentions of your brand. These scans can provide early detection of activity such as gift card fraud. At the same time, track domains similar to your own to identify efforts by scammers to set up websites that impersonate your company. Placing obfuscated scripts on your legitimate webpages to track cloned pages can help on this front, too.
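Tracking domains similar to your own can start with a comparison of newly observed domains against your brand domain. The sketch below is an added example, not Cyberint's tooling; the brand `example-store.com`, the sample feed and the look-alike character table are constructed placeholders, and candidates are assumed to be given in Unicode form.

```python
import unicodedata

# Single-character look-alikes (constructed, far from exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})  # Cyrillic a, e, o

def skeleton(label):
    """Canonical form of a domain label so visually equal strings compare equal."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    s = s.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")  # pairs read as one letter
    return s.replace("-", "")

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand, max_distance=1):
    """Return why `candidate` resembles `brand`, or None if it does not."""
    candidate, brand = candidate.lower().rstrip("."), brand.lower().rstrip(".")
    if candidate == brand:
        return None  # our own domain
    cand_label, brand_label = candidate.split(".")[0], brand.split(".")[0]
    cs, bs = skeleton(cand_label), skeleton(brand_label)
    if cand_label == brand_label:
        return "tld-swap"        # same name under another suffix
    if cs == bs:
        return "visual-variant"  # differs only by look-alike characters or hyphens
    if osa_distance(cs, bs) <= max_distance:
        return "typo"            # one insertion, deletion, substitution or swap away
    return "brand-embedded" if bs in cs else None

def scan(domains, brand):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d, brand))}

# Constructed sample feed of newly observed domains.
FEED = ["examp1e-store.com", "exmaple-store.com", "example-store.shop",
        "example-store-giftcards.com", "weather-news.org"]
if __name__ == "__main__":
    print(scan(FEED, "example-store.com"))
```

Flagged domains are leads for review and takedown requests, not verdicts; a wider `max_distance` catches more variants at the cost of more false positives on short brand names.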
You should also monitor social media channels for fake profiles and promotions. You don’t have direct control over those sites, but you’ll still want to detect fraudulent activity so you can request takedowns.
Employee education about phishing risks and prevention techniques is critical, too, and should include training about the attack types that are especially prevalent during the holidays.
Consider, as well, making your customer service team more accessible to address concerns quickly, reducing the chances that your customers will engage with scammers because they were unable to contact your company quickly enough to ask whether an offer is legitimate.
Finally, ensure that you have the tools, teams and people in place to take down phishing threats quickly. Wherever phishing happens – through email, text, social media, vishing or any other channel – stopping it within hours is essential for minimizing harm to your business.
Conquering holiday phishing risks with Cyberint
Cyberint can help protect your business against holiday phishing risks. From continuous Dark and Deep Web monitoring and threat intelligence, to rapid phishing takedown services, Cyberint offers a comprehensive suite of solutions for detecting and reacting to phishing challenges during the holidays and any other time of year.