“Where there’s money and momentum online, cybercriminals invariably follow — Black Friday and Cyber Monday deliver both in abundance,” says Anne Cutler, Cybersecurity Evangelist at Keeper Security. 

The closer the holidays, the greater the threats — according to a report from Zimperium zLabs, mobile phishing (mishing) and malware attacks quadrupled during 2024’s holiday season. With cyber threats only growing in sophistication and speed, it’s likely that retailers and shoppers alike will be facing another increase in attacks and scams this year. 

“This year we’re guaranteed to see ever more sophisticated scams, primarily fueled by artificial intelligence, whether that be convincingly forged order confirmations, spoofed retailer sites, and even AI-generated customer service messages designed to steal login details or payment information,” Cutler asserts. “Cybercriminals’ tactics are quickly evolving, but the target ultimately remains the same: your personal information.” 

This year, retailers have already been the focus of several major cyberattacks, so it stands to reason that threat actors may resume these targeted attacks as the holidays approach. The consequences of a successful attack could include data loss, financial repercussions, reputational damage and more. 

Chief Technology Officer at Sectigo Nick France elaborates, “From a business standpoint, the stakes are extremely high during Black Friday and Cyber Monday. This short window represents a critical revenue opportunity, and any website security hiccup — like an expired or misconfigured certificate causing browser warnings — can result in thousands of dollars in lost sales as shoppers quickly abandon sites that seem untrustworthy.” 

Why Are Holiday Scams So Prevalent? 

Mr. Mika Aalto, Co-Founder and CEO at Hoxhunt, explains, “Holiday scams continue to exist because they’re extremely successful. Cybersecurity leaders should take steps to bulk up defenses during the holiday season, when there is heightened email activity and emotions that cyber criminals can manipulate. Many employees use the same mobile devices for work as they do for personal use, therefore, opening a malicious link in a seemingly personal message could have disastrous consequences for the company.

“The holidays contain more travel and gift-buying activity, along with heightened emotions, so there are a lot more psychological buttons available to cyber criminals during this season of giving. Package delivery-themed phishing campaigns are common, and we see a number of spoofed sites which lead to credential harvesters. Travel-themed phishing campaigns might alert a victim that their flight has been canceled, so in a panic, someone might click something they otherwise wouldn’t and download malware that could compromise your system.” 

According to the report from Zimperium zLabs, more than 120,000 fraudulent retail apps were identified in 2025. Among these fake apps, 65% impersonated legitimate brands. 

Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck, comments, “The online shopping experience has changed in recent years, and many users are now relying on the quick-click shopping experience on their mobile device. Users often also look out for the best deal, monitoring and tracking prices before they purchase, and Black Friday sales happen to be just the right time for many to make their move. With the number of users searching for sites that offer great deals they are also prime targets for scammers. Users are more likely to download an unknown app knowing they will get a good deal which makes mishing very common. App stores tend not to verify the authenticity or security of mobile applications due to the sheer volume of applications being hosted. There might be a base-level automated check, but malicious apps cannot be tested using automated scans.” 

Holiday Shopping in 2025: Evolving Technologies, Evolving Threats

The introduction of agentic AI into the retail space has come with beneficial developments as well as new risks and exposures. As some retailers have struggled to secure against the wave of cyberattacks that hit the sector this year, the introduction of agentic AI could leave an organization even more vulnerable than before if it is not prepared to provide proper protections. 

Will Glazier, Head of CQ Prime Threat Research Team at Cequence Security, states, “Many retailers are looking to see how ‘agentic commerce’ will truly look in the burgeoning era of AI. As we humans begin to let agents shop on our behalf, it will leave retailers one step removed from their human customers. The applications and agentic frameworks humans will delegate their shopping experience to will be vulnerable to the same type of spoofing that we see currently where malicious actors impersonate trusted brands or applications.” 

While impossible to say for certain, it’s not outside the realm of possibility that a wave of holiday attacks will target the retail space yet again. As the world of online shopping grows more and more mobile, enterprises and consumers alike should be on the lookout for phishing, social engineering, or other scams. 

France concludes, “Ultimately, security is a shared responsibility. Consumers can benefit by staying vigilant and shopping wisely, while businesses must maintain their security posture to promote trust and confidence. Together, these efforts help create a safer online shopping experience during the holiday season and beyond.”