Ho, Ho, %@#! Reports Warn of Explosive Growth in Holiday Scams
By Cam Sivesind
Wed | Nov 26, 2025 | 7:30 AM PST

As holiday shopping surges across Thanksgiving, Black Friday, Cyber Monday, and Christmas, attackers are once again ramping up operations—this time with more automation, more AI, and more ways to turn consumer distraction into profit.

Two new reports—Fortinet’s 2025 Holiday Season Cyber Threat Landscape and Darktrace’s holiday phishing analysis—reveal a concerning convergence of threat actor tactics: domain abuse, credential theft, mass phishing, e-commerce exploitation, and high-volume fraud campaigns targeting both consumers and retailers.

The data shows an unmistakable trend: holiday cybercrime is now industrialized, highly coordinated, and supported by a robust ecosystem of AI-driven tools, dark web marketplaces, and prebuilt fraud infrastructure.

Fortinet’s threat researchers observed a massive spike in malicious and suspicious holiday-themed and shopping-related domain registrations in the three months leading into the 2025 season:

  • 18,000+ newly registered holiday-themed domains, with 750+ (4%) classified as malicious, many mimicking themes such as “Christmas,” “Black Friday,” and “FlashSale.”

  • 19,000+ newly registered e-commerce-themed domains, of which 2,900+ (15%) were malicious.

  • These domains fuel phishing, fake storefronts, credential harvesting, and gift-card fraud campaigns. Attackers use SEO poisoning, website cloning, and AI to create believable, high-traffic scam sites.

Fortinet’s analysis found 1.57 million stolen e-commerce account credentials circulating on dark web marketplaces in the past quarter alone, including:

  • Full credential logs

  • Active session cookies

  • Stored autofill payment data

  • Email logins

  • Crypto wallet details

These “stealer logs” enable instant account takeover (ATO), bypass MFA through active sessions, and open the door to fraudulent purchases during peak holiday activity.

Attackers are also selling credit card CVVs, dumps, and combo lists, often at discounted “Black Friday” prices to encourage bulk purchases by fraud rings.

Fortinet documents widespread adoption of AI-driven attack tooling, including:

  • AI-powered brute-force frameworks that mimic human behavior

  • Credential checkers for validating stolen WooCommerce, FTP, or WordPress logins

  • AI-driven phishing mailers designed to evade spam detection

  • Automated website cloning services

  • Sniffer (credit card skimmer) installation kits for Magento, Shopify, WooCommerce

These tools lower technical barriers and enable “one-click” fraud operations tailored to holiday shopping surges. 

Darktrace: Phishing Attacks Surge 620% Leading into Black Friday

While Fortinet tracked infrastructure and marketplace activity, Darktrace observed massive increases in email-based attacks targeting holiday retail shoppers:

  • Phishing attacks targeting Black Friday shoppers jumped 620% in November.

  • 54% month-over-month rise in phishing impersonating major festive retailers such as Walmart, Macy’s, and Best Buy.

  • Amazon impersonation accounted for 80% of all brand-impersonating phishing campaigns.

Darktrace warns that phishing volume was expected to rise another 20–30% during Black Friday week itself.

The most pervasive campaign? A fake brand called “Deal Watchdogs”—emails sent from deceptive domains promising can’t-miss holiday discounts, redirecting users to realistic-looking Amazon phishing sites.

Darktrace notes these are not the sloppy scam emails of years past. AI now enables attackers to perfectly match tone, branding, and timing—making detection nearly impossible without advanced email security.

Fortinet highlights that cybercriminals aggressively exploit newly disclosed and high-impact vulnerabilities across e-commerce technologies:

Actively Exploited CVEs include:

  • CVE-2025-54236 (Adobe/Magento) – session takeover + RCE; over 250 stores compromised.

  • CVE-2025-61882 (Oracle EBS) – unauthenticated RCE used by Clop ransomware to compromise ERP systems.

Major weaknesses include:

  • Magecart-style JavaScript skimmers

  • API authorization flaws

  • Payment form interceptors

  • XSS injection enabling credential theft

  • Depot and warehouse backend exploitation

Attackers also sell admin-level access to high-revenue U.S. retail e-commerce companies—including full FTP access for systems generating over $6.5B annually.

The Takeaway: Holiday Cybercrime Is Now a Fully Automated Industry

Together, Fortinet and Darktrace paint a clear picture:

Threat actors treat the holidays as their own “peak season,” leveraging automation, AI, and prebuilt infrastructure to maximize profit.

The attack surface is vast, spanning:

  • Phishing

  • Malicious domains

  • Stolen credentials

  • Card fraud

  • Gift card scams

  • Website cloning

  • Sniffers/JavaScript skimmers

  • RCE exploitation

  • SMS/vishing infrastructure

For defenders, this is a period requiring heightened vigilance, rapid patching, and increased monitoring across identity, email, web, and third-party ecosystems.

Holiday Cyber Safety Checklist For Your Loved Ones

Here's a simple, high-impact checklist cybersecurity leaders can share with employees, friends, and family.

For Individuals (and Nontechnical Staff):

  • Double-check domain names — watch for subtle misspellings or strange extensions.

  • Never click links in unsolicited emails or texts—navigate manually to retailer sites.

  • Avoid “too good to be true” offers—especially luxury items or large discounts.

  • Use credit cards over debit cards for better fraud protection.

  • Enable MFA everywhere, especially on Amazon, Apple, and banking apps.

  • Beware of urgent countdown timers—pressure tactics are common.

  • Check for “https://” and valid certificates before entering payment info.

  • Use a password manager to avoid reusing credentials across sites.

  • Avoid shopping on public Wi-Fi—use your mobile hotspot instead.

  • Monitor bank and credit card activity daily during the holiday period.

For Organizations:

  • Monitor for brand impersonation domains (Fortinet’s 37k+ domain surge is a warning).

  • Increase email filtering sensitivity during November–December.

  • Alert employees about phishing lures impersonating Amazon and major retailers.

  • Patch critical e-commerce and CMS CVEs immediately.

  • Watch for anomalous logins from validated stolen credentials.

  • Deploy anti-skimming protections on payment pages.

  • Review incident response plans for fraud and account takeover scenarios.
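
One way to act on the brand-impersonation item above, as an added example that is not code from Fortinet, Darktrace, or this article: a triage pass over a newly-registered-domain feed that flags brand look-alikes and holiday lure terms. The watchlists, the official-domain set, and the sample feed are constructed assumptions built from the brands and themes named in the reports.

```python
import re

# Assumed watchlists built from the brands and themes named in the article.
BRANDS = ["amazon", "walmart", "macys", "bestbuy"]
LURES = ["christmas", "blackfriday", "cybermonday", "flashsale", "deal", "gift"]
# Assumed set of the brands' own registrable domains; extend per organization.
OFFICIAL = {"amazon.com", "walmart.com", "macys.com", "bestbuy.com"}
# Digit-for-letter swaps commonly seen in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain):
    """Return the reasons a newly registered domain deserves analyst review."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL or any(domain.endswith("." + o) for o in OFFICIAL):
        return []
    name = domain.rsplit(".", 1)[0]  # drop the final label (the TLD) only
    tokens = [t.translate(HOMOGLYPHS) for t in re.split(r"[^a-z0-9]+", name) if t]
    squashed = "".join(tokens)
    reasons = []
    for brand in BRANDS:
        if brand in squashed:
            reasons.append(f"contains brand '{brand}'")
        elif any(edit_distance(t, brand) == 1 for t in tokens):
            reasons.append(f"one edit away from brand '{brand}'")
    reasons += [f"holiday lure '{lure}'" for lure in LURES if lure in squashed]
    return reasons


# Constructed sample feed (reserved .example TLD), not data from either report.
SAMPLE_FEED = [
    "amaz0n-blackfriday-deals.example",
    "wallmart-flashsale.example",
    "quiet-bookshop.example",
    "amazon.com",
]

if __name__ == "__main__":
    for d in SAMPLE_FEED:
        print(d, "->", triage(d) or "no match")
```

A match is a prompt for review, not a verdict; pair it with registration age and hosting data before blocking.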

The 2025 data from Fortinet and Darktrace confirms that holiday cybercrime is becoming faster, more automated, and more convincing than ever before. Retailers, banks, e-commerce platforms, and consumers are all in the crosshairs.

Cybersecurity teams should prepare for:

  • More AI-generated phishing

  • More credential-stuffing attacks

  • More malicious domains

  • More exploitation of new CVEs

  • More fraud operations fueled by stolen data

With informed employees, proactive monitoring, and strong email and identity protections in place, organizations can significantly reduce the risk posed by this annual wave of cyber activity.

We asked some cybersecurity vendor SMEs for their thoughts on increasing holiday scams:

Will Glazier, Head of CQ Prime Threat Research Team at Cequence Security:

  • "Social engineering and phishing might just be two of the oldest professions in the cybersecurity space, and this report shows how criminals leverage vulnerabilities in our psyches, such as excitement over holiday gift tracking, every bit as much as they do in software."
  • "Tricking users into installing malicious mobile applications is by no means novel, but the surge in malicious activity targeting retail in the pre-holiday and holiday period is something we see at Cequence Security annually. In fact many of the early indicators of campaigns begin in the months of September and October."
  • "One interesting development to consider as we look towards the future. Many retailers are looking to see how "agentic commerce" will truly look in the burgeoning era of AI. As we humans begin to let agents shop on our behalf, it will leave retailers one step removed from their human customers. The applications and agentic frameworks humans will delegate their shopping experience to will be vulnerable to the same type of spoofing that we see currently where malicious actors impersonate trusted brands or applications."

Nivedita Murthy, Senior Staff Consultant at Black Duck:

  • "The online shopping experience has changed in recent years, and many users are now relying on the quick-click shopping experience on their mobile device. Users often also look out for the best deal, monitoring and tracking prices before they purchase, and Black Friday sales happen to be just the right time for many to make their move. With the number of users searching for sites that offer great deals they are also prime targets for scammers. Users are more likely to download an unknown app knowing they will get a good deal which makes mishing very common. App stores tend not to verify the authenticity or security of mobile applications due to the sheer volume of applications being hosted. There might be a base-level automated check, but malicious apps cannot be tested using automated scans. Smishing is not so popular as a lot of people are aware of the common text scams."
  • "Users should be on high alert to what applications/sites they use for shopping, especially during the holiday shopping excitement. Some deals might just be too good to be true – often resulting in consumers paying a lot more than the item you are buying. Holiday shoppers should watch their credit card statements regularly for any misuse. With BYOD being popular, organizations may want to run a few mishing tests to test employee vigilance and double check and secure mobile endpoints."

Anne Cutler, Cybersecurity Evangelist at Keeper Security:

  • "Where there’s money and momentum online, cybercriminals invariably follow - Black Friday and Cyber Monday deliver both in abundance."
  • "The surge in online shopping activity, and time-sensitive nature of promotions, provides ideal cover for phishing, fake websites and credential theft, with criminals also looking to exploit the sense of urgency that accompanies the shopping frenzy."
  • "This year we’re guaranteed to see ever more sophisticated scams, primarily fueled by artificial intelligence, whether that be convincingly forged order confirmations, spoofed retailer sites and even AI-generated customer service messages designed to steal login details or payment information. Cybercriminals’ tactics are quickly evolving, but the target ultimately remains the same: your personal information."
  • "Recent global research found that identity-based attacks like phishing and credential stuffing are among the top concerns for cybersecurity professionals heading into 2025. This isn’t surprising, given that stolen credentials remain the most common initial access point for data breaches. The simple truth is that if an attacker controls your identity, they also control your access to everything, ranging from sensitive financial information to social media accounts."
  • "Both consumers and organizations need to prioritize strengthening their defenses. Everyone must use strong, unique passwords and Multi-Factor Authentication (MFA) on all accounts. Businesses should review privileged access controls, ensure employees are trained to spot social engineering attempts and monitor for unusual login activity throughout the Black Friday period."
  • "Black Friday doesn’t need to be a hacker’s payday. A few proactive steps, coupled with an identity-first mindset, can make the difference between a money-saving bargain and a costly breach."

Nick France, Chief Technology Officer at Sectigo:

  • "As the holiday shopping season reaches its peak, consumers are eager to snag the best deals online, but this surge in activity also attracts cybercriminals looking to exploit vulnerabilities. One critical but often overlooked aspect of online security is the role of digital certificates that power the secure connection between shoppers and retailers. These certificates are the foundation of trust online, enabling the familiar HTTPS that shoppers should look for before entering personal or payment information."
  • "For everyday consumers who may not be familiar with digital certificates, the simplest way to stay safe is to ensure the website they are shopping on shows these visible security indicators. If the site lacks HTTPS or triggers a “not secure” warning, it’s best to proceed cautiously or avoid the site altogether. Additionally, shoppers should take basic precautions such as using strong, unique passwords, avoiding public Wi-Fi networks for purchases, and monitoring payment accounts for any suspicious activity. These steps help protect personal information."
  • "From a business standpoint, the stakes are extremely high during Black Friday and Cyber Monday. This short window represents a critical revenue opportunity, and any website security hiccup - like an expired or misconfigured certificate causing browser warnings - can result in thousands of dollars in lost sales as shoppers quickly abandon sites that seem untrustworthy. That’s why savvy businesses are turning to multi-year SSL/TLS certificate plans, which not only ensure continuous protection but also reduce costs and administrative burden."
  • "Investing in a robust security infrastructure during this peak season is about preserving consumer trust that drives revenue well into 2026."
  • "Ultimately, security is a shared responsibility. Consumers can benefit by staying vigilant and shopping wisely, while businesses must maintain their security posture to promote trust and confidence. Together, these efforts help create a safer online shopping experience during the holiday season and beyond."