Keep Your Guard Up Against 10 Common Holiday Threats
The holiday season can be filled with gratitude, joy, and celebration, but it's also brimming with opportunity for cybercriminals.
Risks affect employees at home and at work — and put SMBs at risk on several fronts. How big a problem is this? According to AARP's 2024 Holiday Threats and Fraud report, 82% of U.S. consumers say they've been targeted by at least one holiday-themed fraud (charity scams, bogus retail deals, phantom delivery notices) in the past year. A breakdown from cybersecurity vendor Norton shows that fraud is fairly evenly spread between online shopping scams, phishing tricks, delivery notification scams, and gift card scams.
Key Takeaways
- Cyber threats surge during holidays: Attackers exploit increased online shopping, delivery notifications, and distractions to launch phishing, fake websites, and gift card scams.
- Mixed personal and work use increases risk: Employees accessing personal services on work or shared devices expose business networks to attacks; separation and safe practices are essential.
- Prevention is about awareness + infrastructure: Educating staff, enforcing security policies (VPN/SASE, safe browsing), and leveraging managed services or security tools can substantially reduce holiday exposure.
Keep in mind that consumer research completed in 2025 by Pew Research shows 73% of U.S. adults say they've experienced at least one type of online scam or attack. That number is likely to skyrocket during the holidays since sign-up attacks (fraudulent account creation, credential stuffing, etc.) spiked by 309% relative to baseline periods in Q4 2024, showing how attackers capitalize on high-traffic holiday time.
Because employees often use work devices or shared devices for email and online shopping, a misstep by someone in your company can derail operations during this critical time. Here are 10 holiday cyber threats to keep in mind (and share with your team) this holiday season.
First: Online Shopping Risks
1. Employees may use work devices for personal shopping. That means if they click the wrong link, it could expose your network to a cyber threat. Be sure to remind your team about the need for heightened awareness during the holidays, especially if they work remotely or your company allows BYOD. Best practices include typing URLs into the browser vs. clicking on any URL, and separating work from personal by using a SASE or VPN connection for protection.
2. Fake retail websites, fraudulent deals, and malicious ads. Let's be honest, AI works for the bad actors just as well as it works for the good guys. AI has emboldened cyber criminals and allowed them to create highly detailed fake websites, ads, and imagery. With so many ads on social media, it can be easy to fall for what looks like a reputable business and end up being duped.
3. Fake apps. Did you know this was a thing? Built to look and act like a trusted app, these counterfeits can wreak havoc once downloaded onto your employee's phone. Remember to only download apps from trusted app stores, check for high numbers of downloads (5000+), and look for any discrepancies or misspellings in the name or app icon.
Best online shopping security practices: Stick to secure (HTTPS) sites, avoid storing card info in an app or website, separate personal/work devices, and always type in the URL of an interesting new shop or offer vs. clicking a link or an ad.
Want to learn more about protecting yourself from fake apps, QR codes, and websites? Check out this blog with tips from SonicWALL.
Warning: Phishing and Other Holiday Cybersecurity Risks
4. Fake package tracking email and smishing scams. More than half of respondents in the AARP study revealed they had received a notification about a shipment from the post office, FedEx, or UPS, only to find out that it was a fraud. We get it, in today's online shopping world, it can be easy to lose track of orders and shipments. But don't be fooled: if you receive an alert from a shipping company via email or SMS text (smishing), do not click on any links in the notice. Rather, go to the official website and check any tracking numbers there.
5. "Urgent holiday deal" phishing scams. If your inbox looks like mine during the holidays, it's overflowing with deals, sales, limited offers, BOGO – the list goes on and on. With all that traffic, it's so easy for a detailed holiday phishing scam to slip right through even the most careful checks. To protect yourself and your employees from seasonal phishing scams, remember to double-check the "from" and "reply to" emails for discrepancies and visit the website directly rather than scanning any QR code or clicking any link.
6. Charity scams and gift card requests. Sneaky bad actors often use holiday goodwill to trick nice people into these scams. By posing as legitimate organizations, they lure unsuspecting targets into sending money or buying gift cards to benefit others, only to disappear with the funds. To stay safe, donate directly through official websites, use credit cards for payments, verify a charity's legitimacy using online tools, and never provide personal or payment information to unverified sources.
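For teams that run their own mail filtering, the "from" versus "reply to" check from the phishing tip above can be automated. The following Python is an added example, not code from the original post; the `KNOWN_SENDERS` map, the finding labels, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a brand -> legitimate sending domain map your organization maintains.
KNOWN_SENDERS = {"fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com"}

# Constructed sample messages (not real mail); .example domains are reserved.
SUSPICIOUS = """\
From: "FedEx Delivery" <tracking@parcel-notice.example>
Reply-To: claims@support-desk.example
Subject: Your package is on hold

Reschedule your delivery today.
"""
CLEAN = """\
From: "Example Shop" <deals@shop.example>
Reply-To: help@shop.example
Subject: Holiday sale

Thanks for shopping with us.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def within(child, parent):
    """True when child equals parent or is a subdomain of it."""
    return child == parent or child.endswith("." + parent)

def header_discrepancies(raw_message):
    """Return labels for From/Reply-To discrepancies found in one message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # Replies routed to a different organization than the visible sender.
    replies = [domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if any(not (within(d, from_dom) or within(from_dom, d)) for d in replies):
        findings.append("reply-to-domain-mismatch")
    # Display name claims a known brand, but the address is not on its domain.
    words = set(re.findall(r"[a-z0-9]+", display_name.lower()))
    if any(b in words and not within(from_dom, d) for b, d in KNOWN_SENDERS.items()):
        findings.append("display-name-brand-mismatch")
    return findings
```

A finding here is a reason to look closer, not proof of fraud: legitimate bulk senders sometimes use a separate reply address, so tune the checks against your own mail before acting on them.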
Caution: Travel and Remote Work Security
Business and personal travel during holidays increases the risk of a cyber breach. Whenever your team hits the road, either for work or holiday travel, remind them to take these proactive security steps:
7. Avoid public Wi-Fi. Saying it loud for those in the back. DO NOT use public Wi-Fi. Rather, invest in a travel hotspot or leverage your cell phone capabilities. Cyber criminals can easily breach Wi-Fi and sneak onto your phone, laptop, or other mobile device – and straight into your work network.
8. Don't access your network without SASE/VPN. For remote workers who routinely access your business IT environment, invest in either SASE or VPN technology. This private "pipeline" into your corporate network protects against infected devices and safeguards data in motion through encryption. Learn more in our blog.
9. Lock devices in transit. Sometimes good security hygiene is as simple as locking your devices anytime you step away. That keeps anyone else from accessing the device, and it is simple and easy.
10. Beware of juice jacking. Is it a silly name? Yes. Is it a serious threat? Also, yes. Juice jacking describes a cyber attack through a public USB or other mobile device charging station. That's why, while those handy charging stations in airports and hotels can look like the perfect solution to your low battery alert, they often are infected with malware or other malicious software designed to sneak onto your device and steal data or lock it down. What are the best tips for staying secure while traveling with work devices? Use those old-fashioned wall outlets to charge your devices or carry an auxiliary charging block you know is safe.
Creating a Culture of Cyber Awareness During the Holidays
While it might seem as if seasonal cyber risks are more personal in nature, in today's world of remote work, BYOD, and shared devices, personal threats often lead straight to your organization's company network. So, how can SMBs protect employees (and their IT network) from holiday scams?
Use seasonal reminders to raise awareness with your team, highlighting the right steps to take and reminding them of your process for reporting suspected threats or breaches. As always, positive reinforcement works better than scare tactics and threats. The best way to engage your team is through inclusion—reminding them that they play a critical role in protecting your organization, its data, and your customers.
How Managed Services Safeguard Your Team
If your organization hasn't invested in and launched security awareness training, consider this your sign to start. Nothing is as impactful as educating and training your employees to be the best cybersecurity protection you have in place. With human error the leading cause of most cyber breaches, having an engaged, responsible team goes a long way in shoring up your defenses.
Want more tips? Read our blog on 10 security awareness best practices.
Critical to the success of your SAT are well-documented policies that address safe browsing, personal or shared device use, and travel and remote work best practices. No employee intends to open the door to a cyber attack, but simple, everyday work tasks can be risky if they don't have guidance from experts.
Working with a managed services provider such as Exigent can also improve your cybersecurity stance for several reasons. Managed services provide proactive patching and maintenance, 24x7 automated monitoring, access to IT experts, and guidance on advanced cybersecurity solutions, such as endpoint protection with SOC monitoring and firewall-as-a-service, all of which can greatly improve your security posture.
The holiday season should be about celebrations and business success, not security incidents.
Contact Exigent to keep your business protected year-round.
Learn more tips on using security awareness training to protect your team from our ebook.