The holiday season revolves largely around traditions like festive lights, Christmas trees, family dinners, holiday cards and Secret Santa gift exchanges. Even if you don't like all of these traditions, you will probably agree that none is as bad as one of the newest phenomena that characterize this time of year: holiday cyber scams.

Holiday cyber scams come in different forms, but they all involve cybercriminal activity. They are most common from October through December, although recent research by Avira indicates that the scam season actually started earlier this year, and that the campaigns are escalating faster than in previous years. Between November 1 and November 20 of this year, researchers with ZeroFOX already spotted over 60,000 possible cyber scams linked to 26 brands. Let’s have a look at some common variants of these attacks.

Holiday-Themed Phishing

Phishing is a well-known social engineering attack involving manipulation and technological deception (spoofing). It occurs all year round and usually surges during the holiday season. The Avira report mentioned above found that in 2018, phishing attacks rose by 61% from September through November, while a recent F5 study (PDF) noted a 50% uptick in phishing from October through January over the 2016-2018 period.

In a typical phishing attack, threat actors distribute messages containing a malicious attachment or a URL leading to a fake website designed to trick you into providing sensitive information. Holiday-themed phishing works the same way, except that the attackers use lures related to common holiday traditions. For example, in the last quarter of 2018, the 10 most common phishing email subjects included two that were explicitly related to the holiday season, namely: “Announcement: Change in Holiday Schedule” and “Happy Holidays! Have a drink on us.” In addition to these holiday-themed lures, cybercriminals also use common phishing subjects that are likely to have higher success rates during the holiday shopping season, such as those mentioning E-commerce orders and package deliveries. The scams discussed below all involve phishing as well, but they represent distinct threats that occur almost exclusively during the holiday season.

Malicious E-cards

While some people worry that the tradition of sending holiday cards by post is dying, the growing popularity of E-cards seems to be countering this trend. Many of us still love getting holiday cards, a fact not lost on cybercriminals who are increasingly using it to their advantage by sending out scam emails claiming to contain a digital greeting card. In reality, the attached file contains malicious code that will start installing malware on your system when you interact with the attachment. E-card lures are also used in phishing campaigns. In this case, you will be told that someone has sent you a card, which you can receive only by visiting a certain website and filling out a form with your personal information.

Fraudulent Charities

The holiday season tends to bring out people’s generous side. This is a wonderful thing, but unfortunately cybercriminals are trying to take advantage of our holiday spirit by setting up fake charity websites and sending out phishing messages with donation requests. Some of those charities are nonexistent, but scammers also impersonate police and firefighter funds, and well-known organizations like the Salvation Army. Not only will scammers keep all funds they receive for themselves, but they may also add skimming malware to their bogus websites in order to harvest your payment card data if you make a donation.

Fake Discounts/Coupons

One reason many of us like shopping during the holiday season is that retailers offer impressive discounts on almost anything. The overwhelming number of discounts and coupons that get advertised and sent around this time of year provides threat actors with another opportunity to get their hands on your money and data. In recent years, many of these campaigns have evolved from traditional phishing emails to social media scams. Taking advantage of popular hashtags like #giveaway, #discount and #christmas, scammers advertise fraudulent and spoofed websites on popular social media platforms. Some of those websites are designed to trick you into making online payments, while others urge you to download coupons or coupon apps that come with banking Trojans, information stealers, adware, or other malware.

BEC Gift Card Fraud

Business email compromise (BEC) scams typically involve attempts by criminals to trick employees or executives into transferring money to them. They do this by compromising or spoofing the professional email account of someone in the same organization as the victim, or of a trusted third party, such as a business client. BEC gift card fraud is a variation of this scam that is particularly common during the holiday season. A scammer will contact an employee by email or SMS while impersonating their manager or someone in the C-suite. They will tell the victim to buy a certain number of gift cards, explaining that the cards will be given to employees or to a charity as a holiday gesture, or that they will be used to purchase items for a holiday office party or another special occasion. Of course, the employee is also instructed to send over the gift card number and PIN. If the victim complies, the attacker will use the gift card information to cash out all cards.
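As an added illustration (not part of the original article or any Vonahi tooling), the traits of a BEC gift card message described above can be turned into a simple mail triage check. The domain, executive names, signal labels and sample messages below are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumption: the organization's mail domain
EXECUTIVES = {"dana reyes", "sam okafor"}  # assumption: constructed executive names
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
CODE_REQUEST = re.compile(r"\b(pin|codes?|card numbers?|scratch)\b", re.I)

def bec_gift_card_signals(raw):
    """Return the BEC gift card indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    signals = []
    # An executive's display name on an address outside the organization
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        signals.append("exec-name-external-sender")
    # Replies routed to a different domain than the apparent sender's
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        signals.append("reply-to-mismatch")
    if GIFT_CARD.search(text):
        signals.append("gift-card-request")
        if CODE_REQUEST.search(text):
            signals.append("asks-for-card-codes")
    return signals

def is_likely_bec(raw):
    """Flag only when a sender anomaly coincides with a request for card codes."""
    found = set(bec_gift_card_signals(raw))
    sender_anomaly = found & {"exec-name-external-sender", "reply-to-mismatch"}
    return "asks-for-card-codes" in found and bool(sender_anomaly)

# Constructed sample messages
SPOOFED = """\
From: Dana Reyes <dana.reyes.ceo@mail-example.net>
Reply-To: office.dana@freemail.example
Subject: Quick favor before the holiday party

I need you to buy 10 gift cards for the staff today.
Scratch the back and send me the card numbers and PIN right away.
"""
INTERNAL = """\
From: HR Team <hr@example.com>
Subject: Holiday raffle

Gift cards for the raffle winners can be collected at reception.
"""
```

A request sent from a genuinely compromised internal account will not trip the sender checks, so confirming any gift card request through a second channel remains necessary.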

What Can You Do to Protect Your Organization from Holiday Cyber Scams?

  • Implement cybersecurity best practices. For more information on this, see our White Paper for small to mid-sized businesses (SMBs). It contains plenty of information that is relevant for larger firms as well.
  • Knowledge is power when it comes to fighting cyber threats, so your organization can greatly benefit from providing cybersecurity awareness training sessions that specifically focus on holiday cyber scams. It is important that these sessions are interactive; that they cover different attack vectors, including email, SMS and social media; and that they take into account both desktop and mobile environments.
  • Training should be supplemented with attack simulations to check if employees are actually applying what they have learned about spotting suspicious emails. It is crucial that the results of these tests are carefully analyzed and used to maximize the effectiveness of the security awareness program. This is why Vonahi’s proprietary phishing platform vPhish not only allows organizations to carry out phishing simulations, but also provides detailed information showing which employees interacted with phishing messages, when, and in what way. In addition, vPhish shows statistics on the impact of tests and identifies users who keep falling for simulated scams. This enables companies to optimize their training content and prioritize users or departments that represent the biggest risk.

About Vonahi Security
Vonahi Security is building the future of offensive cybersecurity consulting services through automation. We provide the world's first and only automated penetration test that replicates full attack simulations with zero configuration. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit
