Holiday Cyber Scams: What Organizations Need to Know

Published December 2025

The holiday season brings reduced staffing, increased email traffic, and heightened vulnerability. Cybercriminals take advantage of this time, launching scams targeting employees, financial processes, and organizational systems. Below are common holiday-themed threats and steps your organization can take to stay protected.

1. Gift Card Scams

Attackers impersonate executives or supervisors, requesting gift card purchases for “holiday events” or “staff appreciation.”

How to prevent it:

• Remind employees that leadership will never request gift cards by email or text.
• Verify unusual requests by phone or direct communication.
• Watch for misspelled or slightly altered sender domains.

2. Fake Delivery Notices

Phishing emails disguise themselves as UPS, USPS, FedEx, or Amazon shipping updates.

Defense tips:

• Avoid clicking on links or downloading attachments from unknown senders.
• Use official carrier sites or internal systems for tracking.
• Use email filtering tools to catch spoofed domains.

3. Charity & Donation Scams

Fraudulent charities and cloned nonprofit websites increase during December.

Stay safe by:

• Donating only through verified, official websites.
• Checking URLs carefully for misspellings.
• Avoiding emotional, high-pressure donation requests.

4. Invoice & Vendor Fraud

Scammers send fake year-end invoices or request changes to vendor banking information.

Mitigation steps:

• Require dual approval for payment or account changes.
• Confirm invoice changes using known phone numbers—not email replies.
• Use email authentication tools (SPF, DKIM, DMARC).

5. Holiday-Themed Malware

Holiday e-cards, party invites, or seasonal attachments may contain malware.

Protection measures:

• Block executable attachments.
• Caution employees against opening unsolicited “holiday greetings.”
• Ensure antivirus and endpoint tools are fully updated.
• Secure the Season
• A few year-end actions can significantly reduce holiday-season cyber risk:
• Update and verify system backups
• Review incident response steps
• Enable MFA organization-wide
• Reduce access for unused accounts
• Communicate key cyber reminders to staff

Cybersecurity remains a strategic priority year-round. The Curtwill Group helps organizations strengthen their defenses, manage risk, and build resilience—during the holidays and beyond.