Holiday Season Scams: Protect Yourself and Your Business

The holiday season is a time of celebration, generosity, and connection. Unfortunately, it’s also the time when cybercriminals are at their most organized and opportunistic. Darktrace recently reported that there has already been a 54% spike in phishing schemes this holiday season. To help you navigate these risks, Leapfrog’s own Chief Technology Officer Emmett “Trey” Hawkins shares his insights on why attackers thrive during this period and what you can do to stay protected:

“Cybercriminals know this is the moment when inboxes overflow, shipping notifications multiply, and employees rush to close out the year. They strike when people are clicking quickly and when the analysts who normally catch unusual behavior are not watching as closely.”

What scams should you watch out for during the holidays?

Fake Invitations and Holiday Event Messages

Phishing campaigns often mimic platforms like Evite, Punchbowl, Canva, and Google Calendar. For individuals, these fake invites may look like school events, office parties, or family gatherings. For businesses, they can appear to come from colleagues or leadership. In both cases, one careless click can expose personal accounts or corporate systems, especially when IT staff or family members who normally help with tech issues are unavailable.

Bogus Shipping Notifications and Delivery Issues

Fraudulent delivery notices disguised as UPS, FedEx, USPS, Amazon, or DHL alerts blend seamlessly with legitimate updates. Individuals risk giving away payment details or login credentials, while businesses face added exposure because administrative staff or facilities teams receive dozens of real alerts daily. Malicious ones can slip through unnoticed, especially during holiday breaks.

Gift Card Fraud and Urgent Executive Requests

Attackers impersonate trusted figures—CEOs, managers, pastors, or even family members—demanding gift card purchases under the guise of secrecy or appreciation. For individuals, this often looks like a relative or friend in need. For businesses, it’s a fake executive request targeting employees. Reduced verification during holiday travel makes this tactic highly effective across both personal and professional settings.

Fake Charity and Year-End Giving Schemes

Fraudulent donation requests exploit generosity during the holidays. Individuals may see appeals for disaster relief or local shelters, while businesses encounter fake invoices or donation requests that appear to come from reputable nonprofits. Rushed approvals and emotional appeals make even careful people and organizations vulnerable.

Too-Good-to-Be-True Deals

Polished scam sites advertise unbelievable discounts on luxury items or high-demand gifts and can even look like well known store fronts. Individuals risk losing money or exposing card details, while employees shopping from work devices risk credential compromise if they enter information on spoofed login screens. The merchandise never arrives, but the stolen data fuels further attacks.

Account Compromises and Fake Password Reset Notices

Attackers mimic legitimate password reset alerts from Microsoft 365, Google, Amazon, or Okta. Individuals may lose access to personal accounts, while businesses face attackers gaining footholds in corporate systems. Reduced monitoring during the holidays allows these compromises to go unnoticed longer than usual.

Travel-Related Scams and Fake Itinerary Updates

Fake airline confirmations, hotel updates, or car rental changes lure victims into fraudulent login portals. For individuals, this can mean stolen personal accounts. For businesses, reused passwords can open doors into corporate systems. During holiday change freezes, even minor anomalies may not be investigated promptly, giving attackers more time to exploit access.

Why do holiday scams work so effectively?

The end of the year brings urgency, emotion, and distraction. Employees juggle deadlines, shopping, and travel. IT teams operate with vacation schedules, reduced monitoring, and change freezes that limit patching. Cybercriminals thrive in this environment. According to Trey, “A distraction at home or a delayed alert in the SOC [Security Operations Center] can be enough for an attacker to gain a foothold and quietly escalate access.”

What should business leaders do to protect themselves now?

• Send seasonal reminders: Train employees to scrutinize holiday-themed messages.
• Reinforce verification protocols: Executives will never request gift cards via email or text.
• Promote secure password practices: Reset credentials only through known portals.
• Increase monitoring: Watch for account anomalies, failed MFA attempts, and unusual logins.
• Plan for holiday staffing gaps: Ensure alerts are routed to available personnel.

What should families and consumers keep in mind?

• Pause before clicking: Treat urgency, secrecy, or emotional appeals with caution.
• Verify requests: Confirm unexpected messages with a phone call or trusted contact.
• Gift Cards=Cash: Handle them with the same care.
• Skepticism saves: Be wary of unsolicited charity appeals and unbelievable deals.

Final Thought

Cybercrime surges every holiday season because the conditions make success more likely. With a little extra awareness and attention to verification, individuals and businesses can protect their employees, customers, and reputations. According to Trey, “The holidays should bring cheer, not compromise and cleanup. Smart habits and a brief pause before clicking can keep everyone safer.”

Happy Holidays, Friends. Stay cyber-safe out there!

Leapfrog is an IT managed service provider that prides itself on being a true IT partner to our clients. We have been providing IT and cybersecurity services to SMBs for over 25 years, with a 98% client satisfaction rate. If your organization needs IT and Cybersecurity support, reach out today to get the conversation started.