The holiday season may be all about goodwill, but for cybercriminals, it’s also prime time for digital mischief. Last holiday season, while shoppers were busy looking for deals for Black Friday and Cyber Monday, cyber attackers were on the hunt too—seizing the season’s rush as the perfect moment to target businesses of all sizes. From an uptick in sneaky phishing scams to vulnerabilities in payment and shipping platforms, the holiday cheer masked some serious cybersecurity challenges.
The good news is that these incidents don’t have to be the "ghost of Christmas past" for your business. By learning from last year’s threats, you can build stronger defences to keep your customers’ data safe and make this season a safe and merry one for everyone.
We're committed to helping you and your teams stay cybersafe all year round! With that in mind, we've put together a free shopping season pack for you to download!
Read on to learn the crucial cybersecurity lessons you need to know, and get ready to make this year's shopping season memorable for all the right reasons.
Last year saw a sharp increase in phishing attacks and, in particular, an increase in occurrences of angler phishing attacks on social media platforms. This type of phishing involves creating fake social media accounts that pose as customer service representatives for well-known brands. During the holidays, these scammers take advantage of the rush in customer support requests to lure victims who are trying to resolve order issues or get holiday deals. They impersonate trusted companies, often using similar logos and language, to trick users into sharing sensitive information or clicking on malicious links.
What makes angler phishing particularly dangerous is its ability to blend into the fast-paced social media landscape. During the holiday shopping season, businesses often face an increase in customer inquiries and engagement, making it challenging to monitor every interaction. Scammers exploit this by setting up accounts that appear to help customers but are designed to steal login credentials or financial information.
For businesses, combating phishing requires a multi-pronged approach. First, training employees to recognise phishing schemes—especially those targeting customer service interactions on social media—is essential. Employees should be taught to spot suspicious messages and to be aware of tactics that attackers use, such as urgency and requests for personal information. Businesses should also monitor social media platforms closely for fake profiles impersonating their brand and use verification tools where possible to prevent customers from falling victim to angler phishing.
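One way to automate part of the monitoring for fake support profiles described above, as an added example that is not part of the original article. It assumes a hypothetical brand handle `examplestore`, a constructed list of support-style words and a similarity threshold of 0.85, and flags handles that collapse to the brand name once look-alike characters and support words are removed.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: hypothetical brand handle and support-style words.
OFFICIAL_HANDLES = {"examplestore"}
# Longer words first, so "customercare" is removed before "care".
SUPPORT_WORDS = ("customerservice", "customercare", "helpdesk", "official",
                 "support", "help", "care", "team")
# Common look-alike substitutions seen in spoofed handles.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def normalise(handle):
    """Lower-case, fold accents and look-alike characters, drop punctuation."""
    text = unicodedata.normalize("NFKD", handle.lower().lstrip("@"))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return "".join(c for c in text.translate(CONFUSABLES) if c.isalnum())


def strip_support_words(skeleton):
    """Peel support-style words off either end until none remain."""
    changed = True
    while changed:
        changed = False
        for word in SUPPORT_WORDS:
            if len(skeleton) > len(word):
                if skeleton.endswith(word):
                    skeleton, changed = skeleton[:-len(word)], True
                elif skeleton.startswith(word):
                    skeleton, changed = skeleton[len(word):], True
    return skeleton


def classify(handle, threshold=0.85):
    """Return 'official', 'suspect' or 'unrelated' for one account handle."""
    if handle.lower().lstrip("@") in OFFICIAL_HANDLES:
        return "official"
    core = strip_support_words(normalise(handle))
    for official in OFFICIAL_HANDLES:
        if SequenceMatcher(None, core, official).ratio() >= threshold:
            return "suspect"
    return "unrelated"


def flag_impersonators(handles):
    """Return the handles a human should review as possible fake support accounts."""
    return [h for h in handles if classify(h) == "suspect"]


# Constructed handles, as might be returned by a platform search for the brand name.
SAMPLE = ["@ExampleStore", "@ExampleStore_Help", "@Examp1eSt0re_Support",
          "@examplstore_care", "@gardening_tips"]
if __name__ == "__main__":
    print(flag_impersonators(SAMPLE))
```

Unicode normalisation here folds accents and compatibility forms only; cross-script look-alikes such as Cyrillic letters need a dedicated confusables table, and every flagged handle still needs human review before it is reported to the platform.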
Ransomware has remained a significant threat this year, and attacks tend to increase around Christmas, with one study suggesting a 30% increase in ransomware attacks over the holiday season, and a 70% increase in the months of November and December, compared with January and February.
The increased digital activity during the holiday season offers a fertile ground for ransomware attacks, and last year saw many businesses face ransomware threats, which not only resulted in financial losses but also damaged customer trust.
Ransomware attackers often gain access through phishing emails or compromised software updates, encrypting valuable business data until a ransom is paid. The urgency of holiday operations can make businesses more vulnerable, as attackers know that delays or disruptions could be particularly costly during this high-demand period.
The best way to combat ransomware is through prevention. Encourage employees to be cautious with email links, especially from unknown senders, and keep all software and systems up to date. Businesses should also regularly back up their data and ensure that these backups are stored securely offline. Implementing endpoint detection and response (EDR) systems can also help monitor and protect devices from potential ransomware intrusions.
Multi-Factor Authentication (MFA) played a huge role in helping some businesses fend off cyber threats last year, blocking around 99.9% of modern automated cyber attacks, 96% of bulk phishing attacks, and 76% of targeted attacks. MFA requires users to verify their identity with two or more verification methods, such as a password and a code sent to their phone. Businesses that had MFA in place saw significantly fewer successful cyber incidents, as it creates an extra barrier for attackers.
Given that login credentials can be easy for attackers to steal through phishing or other means, MFA serves as a crucial additional layer of security. If an attacker gains access to a username and password, they’ll still be blocked by the second authentication factor. During a time when hackers know people are busier than usual and likely reusing passwords, MFA can be an effective way to reduce risk.
Businesses should consider adopting MFA across all systems, especially those handling customer data and payment information. Educating customers on the importance of MFA and encouraging its use on their accounts is also a proactive step toward reducing the risk of unauthorised access.
The holiday season last year highlighted vulnerabilities in third-party services that businesses rely on, such as payment gateways, marketing platforms, and shipping services. Attackers targeted these third-party systems, knowing that a single breach could impact multiple businesses and their customers. With many companies dependent on external platforms to streamline operations, these services can become prime targets during high-demand periods.
Businesses should carefully vet third-party providers and ensure they follow strong security protocols. Regularly reviewing vendor agreements and understanding their security measures is essential. Implementing third-party risk management software can also help monitor vendors and flag any suspicious activity or vulnerabilities in real-time. This extra vigilance can help reduce the chances of a third-party breach affecting your operations and reputation.
APIs (Application Programming Interfaces) are vital tools for businesses, connecting various applications and enabling smooth data flow across platforms. However, poorly secured APIs have become a growing target for hackers, as APIs often handle sensitive customer information, with cross-site scripting emerging as the biggest potential threat. Last holiday season, several breaches involving API vulnerabilities led to data leaks and reputational damage for businesses.
To protect customer data, businesses should adopt a “security-first” approach to API management. Regularly updating and monitoring APIs for vulnerabilities is key, as is implementing access controls to ensure only authorised users can interact with sensitive data. Rate limiting is another effective measure, as it prevents excessive requests to an API that could indicate a potential attack. Businesses should also audit their APIs frequently and ensure they meet industry security standards.
The lessons from last year’s shopping season offer valuable insights for this year’s holiday cybersecurity strategy. Here are some final tips to help businesses stay safe:
The holiday season is one of the busiest—and most vulnerable—times for businesses. But with awareness, vigilance, and a commitment to robust cybersecurity practices, companies can protect themselves and their customers. By learning from the lessons of last year, businesses can ensure a safer, more secure shopping experience for everyone, keeping the focus on what truly matters: spreading holiday cheer.
Bob's Business is committed to helping you and your teams stay cybersafe. Download our free shopping season pack today!