How to Stay Safe Online This Black Friday, According to a Cyber Expert

“The holiday season is filled with gifts, including the ones we unknowingly hand over to threat actors in the form of sharing personal information and other security mishaps that result in cyberattacks,” says Nathan Wenzler, Field CISO at Optiv. “This year, consumers across the U.S. plan to spend nearly $80 billion online and in-store during Black Friday and Cyber Monday, an increase of about $20 billion compared to last year, according to a new survey conducted by Omnisend.”
Perhaps it goes without saying, but that increase in online shopping may also mean an increase in opportunities for cybercriminals. In 2024, mobile threats rose by four times during the holidays. With holiday shopping predicted to increase this year, it is likely that cyber threats will follow.
Wenzler remarks, “Social engineering attacks impersonating brands, skimming attacks and fake updates have historically been observed during the Black Friday/Cyber Monday events. That trend will likely continue in 2025.”
This isn't just an issue for individual shoppers. If employees are targeted with these holiday scams, organizations could be at risk, too.
“Security front liners, such as network security engineers or analysts, should be attentive to upticks in unusual activity in company environments,” says Wenzler. “Attacks on organizations during this time of the year are successful often due to teams’ guards being down, less staff, and lax cyber hygiene. This can lead to a slow detect and respond time for attacks.”
Tips for Safe Online Shopping During the Holidays
Wenzler states, “The tips and best practices to stay safe should be the same as the rest of the year for both individuals and organizations. To recap:
- Avoid clicking on links or opening attachments in unsolicited emails.
- Ensure domains you visit are accurate.
- Nothing is free. Avoid clicking on, promoting or entering information for ‘free’ products, services, etc.
- Avoid installing software or applying updates that are not downloaded from the legitimate, accurate site of the vendor.
- Prioritize patching for known vulnerabilities.
- Use MFA and a VPN to access remote and sensitive environments.
- Enforce strong and unique passwords across all accounts.
“Scammers are going to activate their plexus network of techniques to entice victims with fake promotions. Individuals are highly advised not to entertain any messages, surveys, or calls they receive which offer them direct holiday discounts. In the past, we have seen individuals fall for these traps frequently and the number is going to increase during the holiday season.
“Individuals must be aware of scammers and fake gift card offers. Often, these ‘offers’ come with the light lift of filling out a survey. Only, the survey is fake, and the sole result is your personal information is now in the hands of a bad actor. These have historically been quite successful tactics during the holiday months.”









