

  • Malicious actors ramp up their phishing efforts over the holidays.
  • Hackers are counting on the fact that your employees are busy and preoccupied with the holidays, meaning they won’t thoroughly check the emails they receive. 
  • Seasonal awareness training is a vital defense in the fight against holiday phishing but it’s far from the be all and end all.
  • Complement your seasonal awareness initiatives with more in-depth, frequent training like in-app prompts that nudge your users towards making security-conscious decisions 365 days of the year.

It’s October: the start of fall, the impending holiday season and, of course, cybersecurity awareness month. While you might not initially think Thanksgiving, Black Friday and cybersecurity have much in common, there’s actually a lot to know about, especially when it comes to phishing.

You see, there’s been a general trend in recent years of malicious actors ramping up their phishing efforts over the holidays. In line with this, research shows phishing attacks increased by 400% between the first week of October and first of November 2021.

Because cybersecurity threats explode over the holiday period, we think cybersecurity awareness month is the perfect time to ramp up your employee education efforts. Human error, after all, is linked to over 90% of data breaches. If you empower your employees with the right knowledge and tools to spot cyber threats, you’re much less likely to suffer a cyber-attack.

With that in mind, we’ve created this handy resource to help your people spot the most common holiday phishing scams.  

Hybrid work & the holidays: a hacker’s dream 

Before we get to the list, it’s helpful to understand why the holidays have become cyber criminals’ favorite season in recent years. There are a few factors at play.

Firstly, McKinsey research shows that most organizations are embracing hybrid working to some extent. We all know that this work model is favored by employees, and can be great for overhead costs too. However, creating a culture of security from a distance is by no means easy.

Away from the office, employees are more vulnerable to phishing scams and other types of online fraud. They may click on a malicious email by accident, thinking it’s from a trusted source, for example. 

The holiday period exacerbates this issue. Christmas parties, gift receipts, Black Friday offers and much more means that your employees’ personal and professional inboxes will receive a flurry of communications. Some will be genuine, some will be malicious.

It’s up to you to arm your people with the knowledge to spot these scams, which often look a little like the examples below…   

The most common holiday phishing scams to watch out for 

Black Friday, seasonal sales and holiday celebrations mean that many of your employees will spend a lot of time surfing the web over the coming months, looking for the perfect gifts, clothes and food items to mark this festive time of year. 

Research shows that around half of employees use their work devices for these kinds of activities – and that’s just the ones who admit to it!  As your employees receive more emails relating to holiday promotions, receipts, delivery updates and events, they need to beware of holiday scams.

Hackers are counting on the fact that your employees are busy and preoccupied with the holidays, meaning they won’t thoroughly check the emails they receive. This is exactly how successful holiday phishing attacks happen. 

Here’s what to look out for. 

Fake order receipts

A fake order receipt is a common scam sent out by hackers in the holidays. The email typically imitates an order confirmation from a well-known, trusted brand, thanking the recipient for their order and showing the amount spent. 

The email will usually contain a link, which the victim can click to ‘view their order’ or ‘track their delivery’. This link takes the victim to a fake log-in page, designed to harvest the individual’s login details or install malware on their device. 

In the mad rush of holiday shopping, many people find it hard to keep track of what they have and haven’t ordered. They may click this link simply because they can’t remember what they’ve ordered or because they’re frustrated that a company has got their order wrong. 

Delivery update hoaxes 

For holiday events and family meetups, ensuring your parcel arrives on time and in good condition is a high priority for many of us. Again, hackers often take advantage of this during the holiday season, especially as people are ordering more things online than usual. 

It’s common for malicious actors to send spoofed delivery updates from well-known couriers like Amazon, FedEx and UPS. Like the fake order receipt scams, these emails will again contain malicious links that aim to exploit the receiver. 

Fraudulent charity requests

The holiday season is well known as the time of giving and many charities deliver festive campaigns in order to reach new audiences and increase donations. Unfortunately, though, not everyone has pure intent during the festive season.

Aware of charity fundraising efforts during the holidays, many hackers craft fake emails that mimic well-known charities’ legitimate communications. These emails feature a link to a donation page, where the victim is instructed to share their personal information and credit card details.

When they do this, they inadvertently share these details with the criminal responsible, who can use the data to commit further fraud. 

The gift card scam 

A more targeted and sophisticated phishing attack employees must be aware of is the gift card scam. In this attack, a malicious actor will first research your company on the internet to gain an idea of your internal hierarchy. They’ll then create a fake email domain, pretending to be someone senior within the organization, such as a manager or executive. 

Then, they’ll send an email to a more junior employee, requesting that they purchase gift cards from a department store or other well-known brand like Apple, and send the codes over email. 

There will usually be a sense of urgency to this request. Sometimes, attackers will embellish the email slightly, stating the gift cards are for a client meeting happening in the afternoon. Other times, they’ll give no explanation at all and simply say they need the gift cards urgently. 

In these scenarios, cyber-criminals are using psychological manipulation, hoping that a junior team member’s desire to follow orders and please their bosses means that they’ll follow the order without questioning whether it’s strange or unusual.
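
For security teams, the pattern described above (a senior colleague's name on an outside or look-alike domain, urgency, and a gift card request) can be checked at the mail gateway. The sketch below is an added example, not Polymer's code; the domain, staff names, thresholds and sample messages are all assumptions made up for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed for this example: the organization's domain and the display names
# of senior staff an attacker might impersonate (all hypothetical).
ORG_DOMAIN = "example.com"
SENIOR_STAFF = {"dana whitfield", "lee okafor"}
URGENCY = re.compile(r"\b(urgent(ly)?|asap|right away|immediately|this afternoon)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s?cards?\b", re.I)

def gift_card_scam_signals(raw_email):
    """Return the gift card scam signals that fire for one raw message."""
    msg = message_from_string(raw_email, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    signals = []
    if domain != ORG_DOMAIN:
        if display.strip().lower() in SENIOR_STAFF:
            signals.append("senior_name_external_domain")
        # Near-miss spelling of the real domain, e.g. one swapped character.
        if SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85:
            signals.append("lookalike_domain")
    if URGENCY.search(text):
        signals.append("urgency")
    if GIFT_CARD.search(text):
        signals.append("gift_card_request")
    return signals

def should_quarantine(raw_email):
    """Hold mail when impersonation and a gift card request coincide."""
    s = set(gift_card_scam_signals(raw_email))
    return "gift_card_request" in s and bool(
        s & {"senior_name_external_domain", "lookalike_domain"})

# Constructed sample messages (not real mail).
SCAM = """\
From: Dana Whitfield <dana.whitfield@examp1e.com>
Subject: Quick favor - urgent

Please buy 5 Apple gift cards for a client meeting this afternoon and send me the codes.
"""
BENIGN = """\
From: Dana Whitfield <dana.whitfield@example.com>
Subject: Holiday party

The raffle prize this year is a gift card. See you Friday.
"""
```

A gift card mention alone does not trigger a hold, so the internal raffle message passes while the look-alike-domain request is quarantined.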

Counterfeit holiday promotions

Everyone loves a bargain but, during the holiday season, our desire to surf the sales can be used against us. Your employees need to be aware of phishing emails in which hackers pose as well-known retailers and online brands, offering fake deals in order to entice people into clicking on fraudulent links. 

How to avoid holiday phishing scams 

The first step in avoiding holiday phishing scams is knowing what to look out for. However, even with a foundational knowledge of phishing, it can sometimes be tricky to distinguish legitimate emails from fake ones. So, we recommend your employees keep these tips in mind to enhance security: 

  • Bolster your account security with multi-factor authentication: Use strong, unique passwords for all your accounts, and turn on multi-factor authentication for added protection. 
  • If it sounds too good to be true, urgent or strange, double check: if you receive a confirmation email you didn’t expect, or an email from your boss with an urgent, weird request, stop before you act and then find another way to assess the request. For example, go to the brand’s website and visit your account to check on your recent orders, or send your boss a message on Slack to confirm the message is authentic.
  • Be careful about where you shop: Only shop with websites and brands that you trust. If you find somewhere new you’d like to order from, research it online first to make sure it’s reputable.  
  • Use a credit card for online payments if possible: The major credit card providers offer protection for online purchases, which is another safeguard against online fraud. 

Build a culture of security awareness in your organization 

Seasonal awareness training is a vital defense in the fight against holiday phishing but it’s far from the be all and end all. While October is cybersecurity awareness month, cybersecurity education and knowledge should be embedded into the culture of your organization year in, year out, 365 days a year. 

To that end, you should complement your seasonal awareness initiatives with more in-depth, frequent training. While away days and eLearning have their place, the most effective form of training is on-the-job and dynamic.

Polymer data loss prevention (DLP) uses in-app prompts to nudge your users towards making security-conscious decisions, empowering you to build a culture of security awareness and improve security outcomes without hindering employee productivity.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.

