Network Brainiacs
Tip #43 · Phishing

Holiday scam season.

Attackers exploit holidays — shorter staffing, distracted people, out-of-office replies. Here's what to expect and how to brace for it.

Attackers work when everyone else doesn't. Black Friday, Christmas week, end-of-year, summer holidays — any time your team is stretched, distracted, or operating with skeleton staff, the phishing spikes. Planning for it in advance turns the spike into a non-event.

Why holidays favor the attacker

Your IT team is short-staffed. Your owner and senior leaders are on flights or with family. Out-of-office replies tell attackers exactly who's away and for how long. Finance teams are racing to close books. All of that adds up to "easier to trick, harder to respond." The phishing volume we track always spikes in late November, late December, and the week of Thanksgiving.

Common holiday scams

A text claiming "Your package is delayed in customs — tap here to pay a small fee for release."

Red flag: Shippers don't demand fees via text. This is classic high-volume holiday-season smishing.

A "year-end bonus" email to employees asking them to confirm banking details for direct deposit.

Red flag: Classic business email compromise (BEC). Direct deposit changes should never happen through an email form.

A charitable donation match request that appears to come from the owner while they're on vacation.

Red flag: Timed to the out-of-office. Attackers watched calendars and sent it the day she left for Mexico.

How to brace for it

  • Remind staff about phishing the week before the holidays — a 5-minute team huddle works.
  • Set skeleton-staff coverage plans: make it clear who handles security alerts when the usual people are away.
  • Out-of-office replies should NOT disclose exact travel dates or whereabouts.
  • All year-end bonuses, direct deposit changes, and wire transfers pause for verbal verification during holiday periods.
  • Watch the sign-in logs more carefully that week.

We brief teams pre-holiday.

A 15-minute pre-holiday awareness session is something we run for clients every Thanksgiving and Christmas week.

Do this today
  1. Add a pre-holiday phishing reminder to your team calendar for every major break.
  2. Rewrite out-of-office replies to leave out specific travel dates and locations.
  3. Pause financial changes during holiday periods unless verbally verified.
  4. Ensure at least one IT lead is reachable during holiday weeks.
  5. Check sign-in logs daily during skeleton-staff periods.
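
One way to check the out-of-office advice above before a break, as an added example that is not from the original page: a small Python linter that flags auto-reply text containing exact dates, return days, or whereabouts. The rule names, function names, and sample mailboxes are assumptions of this example, and the patterns are heuristics that will miss some phrasings.

```python
import re

# Heuristic rules for this added example; tune them to how your staff write.
MONTH = (r"(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
         r"aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)\.?")
DAY = r"\d{1,2}(?:st|nd|rd|th)?"
RULES = {
    # "Dec 23", "3rd January", "12/23", "12/23/2025"
    "exact_date": re.compile(
        rf"\b(?:{MONTH}\s+{DAY}|{DAY}\s+{MONTH}|\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?)\b",
        re.IGNORECASE),
    # "back on Monday", "until Friday"
    "return_day": re.compile(
        r"\b(?:back|return(?:ing)?|until|through)\s+(?:on\s+)?"
        r"(?:mon|tues|wednes|thurs|fri|satur|sun)day\b", re.IGNORECASE),
    # A travel word followed within a few words by in/to/at and a capitalised place.
    "whereabouts": re.compile(
        r"\b(?i:vacation|holiday|travel(?:l?ing)?|trip|flying|visiting)\b"
        r"(?:\s+\w+){0,3}?\s+(?:in|to|at)\s+[A-Z][\w-]+"),
}

def lint_reply(text):
    """Return (rule, matched_text) pairs for one auto-reply, in rule order."""
    return [(rule, m.group(0)) for rule, rx in RULES.items() for m in rx.finditer(text)]

def lint_mailboxes(replies):
    """Map mailbox -> findings, keeping only mailboxes whose reply discloses something."""
    report = {}
    for mailbox, text in replies.items():
        findings = lint_reply(text)
        if findings:
            report[mailbox] = findings
    return report

# Constructed sample auto-replies (not real mailboxes).
SAMPLE_REPLIES = {
    "owner@example.test": "Hi, I'm on vacation in Mexico from Dec 23 until Jan 3 "
                          "and will be back on Monday. For urgent wires email finance.",
    "finance@example.test": "Thanks for your message. I'm away from the office with "
                            "limited access to email. For anything urgent, call the "
                            "main office line and the team will route your request.",
}

if __name__ == "__main__":
    for mailbox, findings in lint_mailboxes(SAMPLE_REPLIES).items():
        for rule, snippet in findings:
            print(f"{mailbox}: {rule}: {snippet!r}")
```

Run it over the auto-reply text staff have set before the break; the second sample shows wording that passes every rule.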
