Shopping reaches its peak during the holiday season, in particular online shopping.
Unfortunately, that means it’s the ideal time for cyber criminals to take advantage of consumers and businesses. Whether it’s Cyber Monday, Christmas, or Boxing Day, fraud attempts have historically increased during the holiday season.
Australians lost more than $2.03 billion to scams in 2024, with around 494,732 reports recorded through ScamWatch.
To help keep your organisation, its staff and their family members cyber safe, here are the 4 most common holiday scams that can negatively affect companies during the holiday season.
Phishing-as-a-service (PhaaS)
Phishing-as-a-Service (PhaaS) continues to be a major threat to businesses, especially during the holiday season. Criminals can easily purchase phishing kits on the dark web, complete with templates and software, often operating like a legitimate SaaS model. These kits allow attackers to impersonate trusted brands and target customer payment details.
Increasingly, these attacks are paired with social engineering tactics—manipulating individuals into divulging sensitive information by exploiting trust, urgency, or curiosity. For example, a fake email may appear to come from a known delivery service or retailer, prompting users to click malicious links or share personal data.
To protect your organisation, consider:
- Phishing simulation training for staff
- Monitoring for bot traffic spikes
- Keeping antivirus software up to date
- Email authentication protocols
Fraudulent Delivery Alerts

The holiday season brings a surge in package deliveries, which scammers exploit by sending fake delivery failure notifications. These alerts often look legitimate and prompt recipients to click links or provide personal information to "reschedule" or "verify" a delivery.
While your business may not be directly responsible for these scams, they can damage customer trust if your brand is impersonated. A robust delivery notification system that keeps customers informed at every stage can help reduce confusion and prevent exploitation.
Encourage customers to:
- Verify delivery alerts through official channels
- Avoid clicking on unexpected or suspicious links
- Report any unusual communications to your support team
Grinch Bots
Grinch Bots are automated programs that scour retail websites to purchase items in bulk the moment they become available. Named after the famous Dr. Seuss character, these bots don’t just steal Christmas—they hijack the joy of shopping by hoarding popular items, which can then be resold at exorbitant prices on secondary marketplaces, or even used to drive traffic to a scam website. They’re often used to target high-demand products like gaming consoles, sneakers, exclusive collectibles and event tickets.
These bots work faster than any human could, bypassing CAPTCHAs and other security measures to complete purchases in minutes. As a result, many genuine shoppers find "out of stock" notices almost immediately.
This often leads shoppers to seek alternative retailers to purchase from. Scammers exploit this by sending phishing emails or running social media ads with fake deals or counterfeit products, in effect double-dipping on this retail scam. Always verify URLs and avoid clicking on unfamiliar links, especially those promising "unbeatable" prices.
Malicious E-Cards
E-cards have made a strong comeback in recent years, becoming a popular way to spread holiday cheer across the globe. However, their convenience and reach also make them a favourite tool for cyber criminals.
Malicious e-cards are often disguised as festive greetings but can contain hidden malware or data-leeching programs that silently compromise devices. These threats are especially concerning for businesses, where employees may receive holiday messages from unfamiliar senders—clients, suppliers, or even internal contacts—making it easy for a fraudulent email to slip through unnoticed.
An unsuspecting employee opening a malicious e-card could unintentionally trigger a data breach, especially if they’re unaware of the risks or unfamiliar with the sender.
Offering mandatory cyber security training programs that focus on holiday scams can be a great exercise in ensuring that your employees can identify and take the proper precautions to prevent data breaches. Training should include how to spot suspicious emails, avoid clicking unknown links, and report anything unusual to your IT department.
Mobile device scams

Businesses often provide employees with company-maintained devices like laptops, mobile phones, and tablets that help them perform their jobs from remote locations around the world.
One of the biggest ways that holiday scams can impact you is through mobile games or apps. Imagine you’re waiting to take a flight home for the holidays and while you’re waiting for your flight to board you open your device and install a game or app to pass time. Mobile games can steal your password and other data from your device. Doing a quick search about the validity of the app can give you a good idea about whether it’s safe to download.
Be sure to read the permissions on the app carefully. Some apps may include a request that asks your permission to send your data to a third party – a step that might not be essential for the app's usability.
With most people using their official mobile devices for personal use as well as business, the risk of this happening is quite large, especially during the holidays when employees tend to browse the web and try out different apps. Protect your employees by putting the education in the palm of their hands with our mobile phone and tablet education course as part of our cyber security awareness training.
Preventing holiday scams starts with the individual
Let's make the strongest link in any organisation human behaviour. The best way to prevent holiday scams from sailing away with your sensitive information is through awareness and education.
If you would like a confidential in-depth chat about how we can help you, please reach out to our team today on 1300 407 682 or info@phriendlyphishing.com.au


