
Festive Frauds: Spotting Holiday Scams Before They Spoil Season

Dale Jenkins

The holiday season is all about celebration and connection, but for scammers and cyber threat actors, it’s the perfect time to strike. As inboxes fill with end-of-year promotions, charity appeals, and e-cards, cybercriminals become more active with more sophisticated tactics.

Businesses and employees need to stay alert to new scams that can disrupt the season and cause long-lasting damage.


Popular Holiday Scams Targeting Businesses

Over the years, threat actors (scammers!!) have honed their seasonal scams to target areas that are less obvious during the festive season. Here's a list of some of the most common holiday scams to be on the lookout for:

  • AI-Powered Phishing Emails: Scammers are sending emails that mimic those from trusted brands, using artificial intelligence to remove typical typos and grammatical errors, making them remarkably convincing. Expect "exclusive deals," fake order issues, or payment requests as lures.
  • Fake Delivery and Shipping Alerts: Fraudsters impersonate major courier companies, sending emails or texts with urgent requests about “missed deliveries.” These often contain links leading to malware or credential theft.
  • Holiday E-Card and Attachment Traps: Unsolicited digital holiday cards or party invites may conceal malicious attachments. Threat actors especially like to use files labeled as “Holiday_Schedule.pdf” or “Party_List.xls”. Opening these can deploy harmful code and be damaging to your device and/or wider network.
  • Bogus Charity Appeals: Fake charities or “company match” campaigns surge during the festive period, hoping to exploit seasonal goodwill. These sites or emails steal payment data or direct donations to criminals instead of genuine causes.
  • Deepfake Family and Executive Impersonation: Using AI-generated voice or video, attackers create convincing urgent messages appearing to be from executives or even a family member, pushing employees to urgently share information or transfer funds.
  • Fake Online Stores and “Too-Good-To-Be-True” Deals: Cloned retailer websites and social media ads offer hot holiday items at huge discounts but aim to harvest payment info or deliver nothing after purchase.

How to Spot the Red Flags

Just because it's the holiday season and the scams are more specific doesn't mean the red flags are any different to year-round threats. Remember to always be on the lookout for the key features covered in the S.L.A.M. acronym.

  1. S - Sender
    • Check sender addresses and URLs carefully. Look for misspellings or odd domains. Don't just accept that the email has come from the person it purports to be from.

  2. L - Links
    • Never click on links within the text of the email. If you're using a computer, hover your mouse over the link to see what pops up. Keep an eye out for random combinations of characters and misspelt names.
  3. A - Attachments
    • Similarly to links, don't open attachments in unsolicited emails, texts, or social DMs, even if they appear seasonal or friendly. Check what the attachment has been labelled as.
  4. M - Message
    • Beware of urgent language. Phrases like “act now,” “your account will be locked,” or “missed delivery” are a scammer’s favorite hooks.
    • Don’t trust offers or discounts that sound too good to be true, especially from unfamiliar outlets or contacts.
    • Always double-check “urgent” requests from leadership or colleagues, especially for money transfers or sensitive data. When in doubt, confirm by phone (use one you already have for that contact, and not one listed in the email you received) or in person.
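
An added example (not from the original article): a short Python sketch that runs the four S.L.A.M. checks over a constructed message, the way a mail filter or reporting tool might pre-screen it. The trusted-domain list, the sample addresses and the `slam_flags` helper are assumptions made for illustration.

```python
import difflib, re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

URGENT = ("act now", "your account will be locked", "missed delivery")  # hooks quoted above
TRUSTED = ["example-courier.test"]  # assumption: domains you really expect mail from

class Links(HTMLParser):
    """Collect (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.found, self.link_href, self.link_text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.link_href, self.link_text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.link_href is not None:
            self.link_text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.link_href is not None:
            self.found.append((self.link_href, self.link_text.strip()))
            self.link_href = None

def host(url):
    m = re.match(r"(?:https?://)?([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def slam_flags(msg):
    flags, body = [], ""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED:  # S: odd or misspelt sender domain
        near = difflib.get_close_matches(domain, TRUSTED, n=1, cutoff=0.8)
        flags.append(("S", f"{domain} looks like {near[0]}" if near else f"unknown domain {domain}"))
    for part in msg.walk():
        if part.get_filename():  # A: report the attachment's label, never open it
            flags.append(("A", part.get_filename()))
        elif part.get_content_maintype() == "text":
            body += part.get_content()
    parser = Links()
    parser.feed(body)
    for href, text in parser.found:  # L: visible text names one host, href another
        if "." in text and " " not in text and host(text) != host(href):
            flags.append(("L", f"shows {host(text)} but opens {host(href)}"))
    flags += [("M", p) for p in URGENT if p in body.lower()]  # M: urgent language
    return flags

def sample():  # constructed message, not a real scam email
    m = EmailMessage()
    m["From"] = "Example Courier <alerts@examp1e-courier.test>"
    m.set_content('<p>Missed delivery. Act now: <a href="http://track.invalid/x">'
                  'example-courier.test/track</a></p>', subtype="html")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename="Holiday_Schedule.pdf")
    return m
```

Calling `slam_flags(sample())` returns one finding per red flag, tagged with its S.L.A.M. letter, so a reviewer can see at a glance which checks the message failed.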

 

Alongside S.L.A.M., ensure you only use company-approved charity lists and never donate via email or SMS links! It's important to always verify via official channels.

If you're in a management position, it's always a good idea to take the time to teach employees about deepfakes, and prompt them to be cautious with unusual voice or video requests. Make them aware of your company's procedures around particular requests, so they know to always double-check.


Cyber Safety Precautions: Holiday Edition


  • Enable multi-factor authentication on all accounts to prevent credential theft.
  • Ensure anti-malware software is active and up to date across all devices.
  • Regularly review and update employee access permissions, especially for temporary holiday staff.
  • Encourage reporting of suspicious messages or website encounters to IT, even if they seem minor.
  • Remind everyone to use official websites and search engines to access retailer or shipping platforms, not emailed links.
  • Share ongoing awareness tips. Consider short reminder emails or infographics throughout the holiday period.


Staying vigilant doesn’t mean you can’t enjoy the season. With awareness and simple precautions, you can protect your business, finances, and festive spirit from cyber Grinches, and ensure everyone returns to the office safe, sound, and scam-free.
