The breach that nearly cost a mid-sized manufacturer $2.3 million didn’t involve sophisticated malware or a nation-state actor. It started with a procurement manager approving a vendor invoice on December 22nd. The invoice looked legitimate. The vendor was real. The only problem: the bank routing number had been changed by an attacker who’d been watching email traffic for weeks, waiting for the exact moment when distraction would override verification.

That moment arrives every year between Thanksgiving and New Year’s.

When Routine Becomes Vulnerability

Security programs are built around predictable patterns. Your tools learn what normal access looks like. Your team develops instincts for what requests feel legitimate. Your processes assume a baseline level of attention from employees.

The holiday period disrupts all three simultaneously.

Employees aren’t thinking about security. They’re thinking about travel logistics, gift purchases, family obligations, and closing whatever work needs to close before the calendar flips. Cognitive bandwidth that normally catches suspicious details gets redirected to personal planning. That slightly-off domain name in a shipping notification? It doesn’t register when you’re also tracking four packages and a flight confirmation.

Meanwhile, the legitimate transaction volume explodes. Finance teams push to finalize deals before year-end. Procurement processes accelerate. Vendor communications multiply. For attackers, this creates ideal cover — their fraudulent requests blend into a flood of real ones.

The Detection Problem

Your security infrastructure faces an impossible challenge during these weeks: distinguishing between legitimate holiday behavior and active compromise.

Consider access patterns. Throughout the year, your systems learn that your controller logs in from the Chicago office during business hours. Now she’s approving wire transfers from her sister’s house in Phoenix at 9 PM on a Saturday. Is that a breach or someone finishing work before a family dinner?

Multiply that ambiguity across your entire organization. Executives traveling internationally. Remote workers connecting from unfamiliar networks. Devices being used by family members who don’t understand corporate security policies. Every unusual pattern that would normally trigger investigation becomes background noise.

Attackers understand this timing intimately. They know that a suspicious login on December 26th gets less scrutiny than the same login on October 15th. They know that an urgent wire request on the last business day before New Year’s faces deadline pressure that overrides normal verification. They plan their campaigns around your calendar.

The Staffing Reality

While attack surface expands, defensive capacity contracts.

Security teams operate with reduced headcount during the holidays. The analysts who would normally investigate alerts are taking earned time off. The institutional knowledge that spots subtle anomalies isn’t sitting at the console. Response times slow precisely when they need to accelerate.

This creates a compounding effect. Higher alert volume meets lower analyst availability. Triage gets rushed. Legitimate threats get lost in the noise of false positives. By the time someone recognizes an actual incident, attackers have had additional dwell time to establish persistence or exfiltrate data.

I’ve watched organizations discover January breaches that trace back to December intrusions — weeks of access that went unnoticed because the right people weren’t watching at the right time.

What Changes the Outcome

The organizations that navigate this period successfully don’t rely on technology alone. They recognize that human factors drive holiday risk and address them directly.

Before the season starts, they document expected anomalies. If executives will travel, that gets logged in advance so security teams can distinguish pre-approved unusual access from potential compromise. If finance will process high-value transactions, verification protocols get explicit, what channel confirms legitimacy, who has authority, what documentation is required regardless of deadline pressure.

They communicate specific threats rather than generic warnings. Employees hear about the exact scams circulating, not “be careful of phishing” but “we’re seeing fake shipping notifications from carriers, always go directly to the tracking site rather than clicking email links.” Concrete guidance produces concrete behavior change.

They acknowledge staffing constraints honestly. If coverage will be reduced, they identify which alerts demand immediate escalation versus what can wait. They pre-authorize certain response actions so skeleton crews aren’t waiting for approvals that won’t come until January.

And they build verification friction into processes that matter most. Financial transactions above certain thresholds require out-of-band confirmation regardless of urgency. Credential resets follow established protocols even when the request seems legitimate. The inconvenience of an extra phone call is trivial compared to the cost of a successful attack.

The Persistence of Human Judgment

Every security vendor promises technology that will solve these problems. Detection capabilities improve constantly. But the fundamental challenge remains: attackers design their campaigns around human behavior, and human behavior becomes less reliable when attention scatters.

The six weeks ahead will test whether your organization has built security into its culture or merely purchased security tools. The difference shows up in whether employees pause before clicking, verify before approving, and question before acting, even when deadlines loom and vacation beckons.

Attackers are planning around your holidays. The question is whether you’ve done the same.