Stay Cyber-Safe This Holiday Shopping Season
By: Tom Gilmore
The holiday season brings joy, connection, and for many businesses, a surge in online activity. But as shopping carts fill and transactions multiply, cybercriminals are working overtime too. Black Friday through Cyber Monday and the weeks beyond represent prime opportunities for attackers to exploit both businesses and consumers when defenses might be relaxed and attention divided.
At Lume Strategies, we believe in transparency and education, so let’s talk about what you need to know to keep your business and customers safe during this critical time.
Why the Holidays Are a Cybersecurity Risk
The holiday season creates a perfect storm for cyber threats. E-commerce traffic spikes, employees juggle year-end projects with personal shopping, and the general hustle can lead to rushed decisions and lowered vigilance. The numbers tell a sobering story: mobile phishing and malware attacks quadrupled during the 2024 holidays, while ransomware accounted for 26% of all reported incidents during the last holiday season, doubling from 13% in the previous year.
Research shows that nearly nine in ten organizations hit by ransomware over the past 12 months were targeted at night or over a weekend period, when IT security staffing was low. Cybercriminals know this and launch targeted campaigns featuring:
- Phishing emails disguised as shipping notifications from major carriers like FedEx, UPS, and USPS
- Fake retail websites – with Visa identifying a 284% increase in fake and spoofed merchant websites in the four months leading up to the holiday season
- Business Email Compromise (BEC) attacks targeting finance teams processing year-end transactions
- Malware-laden holiday e-cards and promotional offers
- Gift card scams targeting both employees and customers
The threat landscape is evolving rapidly. AI-powered attacks are becoming more sophisticated, including convincingly forged order confirmations, spoofed retailer sites, and AI-generated customer service messages designed to steal login details or payment information.
Protecting Your Business: Essential Steps
1. Educate Your Team
Your employees are your first line of defense. Before the holiday rush hits full swing, conduct a brief security awareness session covering:
- How to spot phishing emails (urgent language, suspicious links, unexpected attachments)
- The importance of verifying unusual payment requests through a separate communication channel
- The risks of using business devices and networks for personal holiday shopping
- Safe online shopping practices when work and personal boundaries blur
- Reporting procedures for suspicious activity
According to industry research, phishing attacks historically spike around holiday times, with rates reaching as high as 52% in December. The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that legitimate businesses will not email you asking for passwords or personal and financial information.
2. Strengthen Email Security
Email remains the primary attack vector during the holidays. Ensure your email filtering is up to date and consider implementing:
- Advanced threat protection with link scanning and attachment sandboxing
- DMARC, SPF, and DKIM authentication to prevent email spoofing
- Banner warnings for external emails to help staff identify messages from outside your organization
- Impersonation protection to detect and block emails from domains that closely resemble your organization or trusted partners
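The two bullets above (DMARC/SPF/DKIM and impersonation protection) are the kind of checks that can be scripted. The following is an added example, not code from the Lume Strategies post: it evaluates a domain's SPF and DMARC TXT records for weak settings (placing a monitoring-only configuration beside a hardened one) and flags sender domains that imitate a trusted domain through digit or letter substitutions. The DNS answers and domain names are constructed for the example; a real run would replace `lookup_txt` with an actual DNS query.

```python
"""Added example (not from the post): flag weak SPF/DMARC records and lookalike
sender domains.  DNS answers are constructed inline so the script runs offline."""
import unicodedata

# Constructed TXT answers standing in for real DNS lookups (hypothetical domains).
WEAK_RECORDS = {
    "example-shop.com": ["v=spf1 include:_spf.example-mail.net ~all"],
    "_dmarc.example-shop.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example-shop.com"],
    "lookalike-corp.com": ["v=spf1 +all"],
    "_dmarc.lookalike-corp.com": [],
}
# The same domain after hardening: hard-fail SPF and an enforcing DMARC policy.
HARDENED_RECORDS = {
    "example-shop.com": ["v=spf1 include:_spf.example-mail.net -all"],
    "_dmarc.example-shop.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-shop.com; pct=100"],
}

def lookup_txt(name, records):
    """Stand-in for a DNS TXT query; returns the constructed answer list."""
    return records.get(name, [])

def check_spf(domain, records=WEAK_RECORDS):
    """Return a list of findings for the domain's SPF record (empty list = no issue)."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host can send mail claiming to be this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    last = spf[0].split()[-1].lower()          # the catch-all mechanism ends the record
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral and gives receivers no basis to reject")
    elif last == "~all":
        findings.append("'~all' only soft-fails; prefer '-all' once all senders are listed")
    return findings

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(domain, records=WEAK_RECORDS):
    """Return a list of findings for the domain's DMARC policy (empty list = no issue)."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record: SPF/DKIM results are not enforced on the From domain"]
    tags = parse_dmarc(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it outright")
    elif policy != "reject":
        findings.append(f"unrecognised or missing policy tag: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports on spoofing attempts")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of mail")
    return findings

# Digits commonly swapped for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def skeleton(domain):
    """Reduce a domain to a comparison form: lowercase, ASCII-fold accented letters,
    map digit lookalikes, collapse 'rn'->'m' and 'vv'->'w', drop hyphens."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w").replace("-", "")

def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain, trusted, max_distance=1):
    """Return the trusted domain a sender imitates, or None if it is genuine or unrelated."""
    if sender_domain.lower() in (t.lower() for t in trusted):
        return None
    s = skeleton(sender_domain)
    for t in trusted:
        if s == skeleton(t) or levenshtein(s, skeleton(t)) <= max_distance:
            return t
    return None

if __name__ == "__main__":
    for dom in ("example-shop.com", "lookalike-corp.com"):
        print(dom, check_spf(dom), check_dmarc(dom))
    print("hardened:", check_spf("example-shop.com", HARDENED_RECORDS),
          check_dmarc("example-shop.com", HARDENED_RECORDS))
    print(lookalike_of("examp1e-shop.com", ["example-shop.com"]))
```

Run against the weak records the script reports the soft-fail SPF and the monitoring-only DMARC policy; against the hardened records both checks return empty lists. The skeleton comparison is deliberately aggressive (it will also match typos in legitimate domains), so treat a hit as a reason to hold the message for review rather than as proof of fraud.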
3. Verify Before You Click
If something seems off about a shipping notification or payment request, it probably is. Train your team to:
- Hover over links to preview URLs before clicking
- Type website addresses directly into browsers rather than clicking email links
- Contact senders through known, verified channels when requests seem unusual
CISA recommends that if you are unsure whether an email is legitimate, you type the retailer's or company's URL into your web browser yourself rather than clicking the link in the message.
4. Secure Your E-Commerce Platform
If you run an online store, now is the time to double-check your security measures:
- Ensure your SSL certificates are current and properly configured – an expired or misconfigured certificate that triggers browser warnings can cost thousands of dollars in lost sales
- Keep your platform and all plugins updated with the latest security patches
- Monitor for unusual activity or unauthorized access attempts
- Review your payment processing to ensure PCI DSS compliance
5. Maintain Holiday Staffing for Security
The FBI and CISA have observed a troubling pattern: highly impactful ransomware attacks frequently occur on holidays and weekends when offices are normally closed. To counter this:
- Identify IT security employees to be available and “on call” during holidays
- Ensure 24/7 monitoring capabilities are in place
- Develop a holiday security strategy with an emergency response plan
Research indicates that attempted ransomware attacks increase 70% in November and December compared to January and February, with threat actors assuming resource-constrained businesses will simply pay the ransom.
6. Back Up Religiously
Ransomware attacks spike during the holidays, when businesses can least afford downtime. CISA recommends making and maintaining offline, encrypted backups of data and regularly testing that those backups restore. Keeping backups offline is critical: many ransomware variants search for reachable backups and delete or encrypt them before the ransom demand appears.
7. Monitor Financial Accounts Closely
Increase your vigilance on all business financial accounts. As holiday shopping ramps up, regularly check your credit card and bank statements for fraudulent charges. Set up alerts for unusual transactions and ensure multiple people review statements during this high-volume period.
Helping Your Customers Stay Safe
As a business, you also have a responsibility to protect your customers. Consider:
- Sending out a brief security tips email reminding customers how you’ll communicate with them (and how you won’t)
- Implementing multi-factor authentication for customer accounts
- Being transparent about data collection and security practices
- Responding quickly and transparently if a security incident does occur
According to the FBI’s Internet Crime Complaint Center, almost 12,000 victims reported scams during the 2022 holiday shopping season, resulting in over $73 million in losses.
The Bottom Line
Cybersecurity during the holidays isn’t about paranoia—it’s about informed vigilance. The statistics are clear: 52% of retailers report being at increased risk during the holiday shopping season, and the U.S. reported more than 250 ransomware incidents in the first three quarters of 2024, up 24% year over year.
A few proactive steps now can prevent significant headaches, financial losses, and reputational damage later. Retail data breaches in 2024 saw an 18% year-over-year increase, with the average breach now costing $2.96 million.
At Lume Strategies, we design security solutions based on your specific needs and risk profile, not a one-size-fits-all approach. Whether you have nine employees or 900, we’re here to help you navigate the cyber landscape with clarity and confidence.
This holiday season, give yourself the gift of peace of mind. Take time now to review your security posture, educate your team, and ensure your defenses are ready for whatever comes your way.
Need help assessing your cybersecurity readiness? Contact Lume Strategies today.