As the holiday season approaches, CISOs face a perfect storm of cyber threats that would make any security professional’s blood run cold. In 2024, 80% of retailers experienced a cyberattack—and nearly all were hit multiple times. A staggering 22% faced as many as seven to 15 attacks during a single year. [

Holiday Scams 2025: $529 Million Lost as Black Friday Phishing Surges 692% and AI Deepfakes Target Shoppers

The holiday season is supposed to be about joy, family gatherings, and finding the perfect gifts. Instead, for 34 million Americans, it became a nightmare of drained bank accounts, stolen identities, and fraudulent charges. As Thanksgiving 2025 approaches and Black Friday deals flood your inbox, cybercriminals are already counting their

ScamWatchHQScamWatchHQ

](https://www.scamwatchhq.com/holiday-scams-2025-529-million-lost-as-black-friday-phishing-surges-692-and-ai-deepfakes-target-shoppers/)

Now add to that equation: Black Friday phishing attacks that surge 692%, ransomware campaigns specifically timed for holiday weekends, DDoS attacks targeting 7% of all retail traffic on Cyber Monday, and a seasonal workforce that receives zero cybersecurity training in 78% of organizations.

The average data breach now costs $2.96 million, representing an 18% year-over-year increase. For retail and hospitality organizations during the holiday season—when revenue is highest, staffing is stretched, and attackers are most aggressive—the stakes have never been higher.

This is your operational guide to defending your organization during the most dangerous time of the cyber calendar.

The Holiday Threat Landscape: What CISOs Must Know

Social Engineering, Ransomware, and Scattered Spider Lead the Charge

According to the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), social engineering, ransomware, and activity from the Scattered Spider threat actor are predicted to be primary threats to retail and hospitality organizations during the 2025 holiday season.

These aren’t theoretical concerns—they’re active, ongoing campaigns with documented impact:

  • Phishing attacks mimicking major US retail brands increased by more than 2,000% during peak shopping periods
  • Black Friday and Cyber Monday themed phishing attacks soared to 692% in late November compared to early November
  • Christmas-themed phishing attacks rose 327% globally during Black Friday week (November 25-29, 2024)
  • Ransomware accounted for 26% of all reported incidents during the last holiday season, doubling from 13% the previous year

The United States reported more than 250 ransomware incidents in the first three quarters of 2024, up 24% year over year.

The Weekend and Night Attack Pattern

Here’s the data point that should fundamentally change your staffing strategy: Nearly 9 in 10 organizations hit by ransomware over the past 12 months were targeted at night or over a weekend period, when IT security staffing was low.

Cybercriminals explicitly exploit this timing to launch:

  • DDoS attacks designed to disrupt operations during peak shopping hours
  • Ransomware campaigns that encrypt systems when response teams are minimal
  • Data exfiltration operations that go undetected for hours without monitoring

During Cyber Monday 2024, shopping and retail sites in the United States experienced a significant rise in DDoS activity, with 7% of all traffic mitigated as DDoS attacks and an additional 8% flagged as potential threats. Across the entire Cyber Week, there was a 41% increase in blocked DDoS attack requests compared to the previous week.

Mobile Threats Quadruple

Mobile phishing (mishing) and malware attacks quadrupled during 2024’s holiday season. This presents particular risks as:

  • Employees use the same mobile devices for work and personal shopping
  • Opening a malicious link in a seemingly personal message can compromise corporate systems
  • BYOD policies create expanded attack surfaces
  • Mobile device management gaps leave vulnerabilities unpatched

More than 120,000 fraudulent retail apps were identified in 2025, with 65% impersonating legitimate brands. These apps target both consumers and employees, potentially compromising corporate credentials when employees access work systems from infected devices.

The Fake Merchant Website Explosion

Visa’s Payment Ecosystem Risk and Control (PERC) team identified a 284% increase in fake and spoofed merchant websites in the four months leading up to the holiday season. These sites don’t just target consumers—they’re also used for:

  • Credential harvesting targeting employee logins
  • Malware distribution to corporate networks
  • Brand reputation damage when customers blame the legitimate retailer
  • Data theft when employees test systems or investigate customer complaints

The Seasonal Workforce: Your Biggest Vulnerability

The Training Gap That Threat Actors Exploit

The greatest vulnerability during the holiday season isn’t technology—it’s people. Specifically, the seasonal workforce.

Critical statistics:

  • 56% of retailers did not provide mock email phishing training to seasonal workers last year
  • 78% did not provide social engineering training to seasonal employees
  • Most retailers lack sufficient internal cybersecurity staff
  • Seasonal employees rarely receive any cyber training before being given system access

This creates a perfect target for attackers. Seasonal workers:

  • Have legitimate system access but minimal security awareness
  • Are unfamiliar with company protocols for verifying requests
  • Feel pressure to work quickly during high-volume periods
  • May not recognize phishing attempts or social engineering tactics
  • Often use personal devices that lack corporate security controls

The Employment Scam Threat Vector

Employment scams saw a staggering 545% increase during the previous holiday season. These scams don’t just target job seekers—they create risks for your organization:

  1. Fake recruiter accounts using your company’s name and branding
  2. Brand reputation damage when victims blame your organization
  3. Insider threat potential when scammers pose as new hires to gain system access
  4. Data harvesting targeting your HR and recruiting systems

Real-World Impact: The Retail Workforce Attack Surface

Many employees use the same mobile devices for work as they do for personal use. This means:

  • Personal shopping activity creates corporate risk
  • Phishing links in “personal” emails can compromise work accounts
  • Malicious apps downloaded for holiday deals infect devices with corporate access
  • Social engineering targeting “the employee” reaches “the company insider”

A single seasonal employee clicking a Black Friday phishing email can provide attackers with:

  • Initial access to internal systems
  • Lateral movement opportunities
  • Credential harvesting for privilege escalation
  • Persistence mechanisms for long-term compromise

Ransomware: The Holiday Weekend Nightmare

The $2.96 Million Question

The average breach now costs $2.96 million—but ransomware attacks during the holiday season can be far more expensive when you factor in:

  • Revenue loss during peak shopping periods
  • Emergency response costs for after-hours incident response teams
  • Ransom payments (if you choose to pay)
  • Recovery operations extending into your busiest season
  • Customer trust damage and long-term brand impact
  • Regulatory fines and compliance violations

The Attack Timeline

Understanding when attacks occur is critical for defense:

Pre-Thanksgiving (October-Early November):

  • Reconnaissance and initial access attempts
  • Credential harvesting campaigns
  • Vulnerability scanning of retail infrastructure

Thanksgiving Weekend:

  • Primary ransomware deployment window
  • Minimal security staffing
  • Maximum disruption potential
  • Pressure to pay due to business impact

Black Friday/Cyber Monday:

  • DDoS attacks targeting availability during peak revenue
  • Payment system compromises
  • Customer data theft during high-volume transactions

Post-Holiday (Late December-Early January):

  • Data exfiltration and extortion
  • Cleanup of access and persistence mechanisms
  • Second-stage attacks leveraging initial compromise

The RH-ISAC Threat Intelligence

The Retail and Hospitality ISAC specifically warns that social engineering and ransomware are the top predicted threats for the 2025 holiday season. Their analysis shows:

  • Attackers increasingly target smaller retailers with limited security resources
  • Supply chain compromises aim to reach multiple organizations through single vendors
  • Ransomware-as-a-Service (RaaS) operations specifically market “holiday campaigns” to affiliates

The Scattered Spider Factor

Scattered Spider (also known as UNC3944 and Octo Tempest) represents a sophisticated threat actor with proven capabilities against retail and hospitality targets. Their tactics include:

  • Advanced social engineering including vishing (voice phishing) to IT help desks
  • SIM swapping attacks to compromise multi-factor authentication
  • Cloud environment exploitation targeting SaaS and cloud infrastructure
  • Data extortion without encryption—stealing sensitive data and threatening exposure

RH-ISAC’s specific warning about Scattered Spider activity during the 2025 holiday season indicates active campaigns targeting the sector.

DDoS Attacks: Weaponizing Holiday Traffic

The Cyber Monday Data

The 2024 Cyber Monday attack data reveals the scale of the DDoS threat:

  • 7% of all traffic to US shopping and retail sites was mitigated as DDoS attacks
  • An additional 8% was flagged as potential DDoS threats
  • 41% increase in blocked DDoS attack requests across Cyber Week compared to the previous week

This means that during your highest revenue period, up to 15% of your traffic may be malicious attack attempts.

Why DDoS During Holidays?

Attackers target holiday shopping periods with DDoS attacks for several strategic reasons:

Maximum business impact:

  • Every minute of downtime equals significant revenue loss
  • Customers abandon sites that don’t load and may never return
  • Competitors gain market share when your site is unavailable

Pressure for ransom payment:

  • Some DDoS attacks include extortion demands
  • Time pressure during peak season increases likelihood of payment
  • Organizations may pay rather than risk extended downtime

Distraction technique:

  • DDoS attacks draw security team attention
  • Meanwhile, attackers conduct data theft or deploy ransomware
  • Incident response focuses on availability while confidentiality is compromised

Reputational damage:

  • Failed transactions during advertised sales harm brand trust
  • Social media amplifies customer complaints
  • Negative press coverage impacts long-term business

Cloudflare’s Cyber Week Analysis

According to Cloudflare’s analysis of Cyber Week 2024 internet trends, attack patterns show:

  • Application-layer attacks targeting specific retail functions (checkout, search, account login)
  • Volumetric attacks designed to overwhelm bandwidth
  • Multi-vector attacks combining different DDoS techniques
  • Repeated attacks over multiple days to maximize disruption

The CISO’s Holiday Defense Strategy

1. Workforce Security: Addressing the Human Element

Immediate actions:

Seasonal employee security program:

  • Mandatory security awareness training before system access is granted
  • Mock phishing exercises specific to holiday scam types
  • Clear reporting procedures for suspicious emails and messages
  • Limited access principles—seasonal workers should only access necessary systems
  • Enhanced monitoring of seasonal employee accounts for anomalous behavior

All-employee holiday security awareness:

  • Brief all staff on the 692% increase in holiday phishing
  • Share examples of Black Friday themed phishing emails
  • Emphasize verification procedures for unusual requests
  • Remind employees about personal device security (many use devices for both work and personal shopping)
  • Establish emergency communication protocols for potential compromises

Technical controls:

  • Enhanced email filtering during October-January
  • URL filtering to block newly registered domains mimicking retail brands
  • Attachment sandboxing for all external emails
  • Mobile device management enforcement for BYOD devices accessing corporate resources
  • Privileged access management limiting seasonal worker permissions

2. Ransomware Defense: 24/7 Coverage

The weekend and night staffing problem:

With 9 in 10 ransomware attacks occurring during off-hours, you have three options:

Option A: 24/7 SOC staffing

  • Most comprehensive but most expensive
  • Ensures human eyes on alerts around the clock
  • Enables immediate incident response

Option B: Managed detection and response (MDR)

  • Outsource monitoring to 24/7 security operations
  • Cost-effective for organizations without large security teams
  • Provides expert analysis and response capabilities

Option C: Enhanced automation with on-call rotation

  • Deploy automated detection and response tools
  • Establish on-call rotation for security team
  • Set aggressive alerting thresholds during holiday weekends
  • Accept some delay in response time in exchange for cost savings

Recommendation: Most retail organizations should implement Option B (MDR) or a hybrid of B and C during the holiday season, even if they don’t maintain it year-round.

Ransomware-specific controls:

  • Immutable backups stored offline and tested regularly
  • Network segmentation to limit lateral movement
  • EDR (Endpoint Detection and Response) on all systems, including PoS devices
  • Application whitelisting on critical systems
  • Email authentication (DMARC, SPF, DKIM) to prevent spoofing
  • Disable RDP from internet or implement zero-trust access controls
  • Patch management accelerated schedule before Thanksgiving week

Pre-holiday ransomware tabletop exercise:

Conduct a tabletop exercise in early November simulating:

  • Ransomware deployment on Black Friday morning
  • Decision tree for pay vs. recover vs. FBI notification
  • Communication plan for customers, employees, media, and executives
  • Recovery time objectives and procedures
  • Legal and compliance requirements

3. DDoS Mitigation: Protecting Availability

Pre-holiday DDoS preparation:

Capacity planning:

  • Baseline your normal Cyber Week traffic from previous years
  • Add 30-50% buffer capacity beyond projected peaks
  • Load testing to identify breaking points before Black Friday
  • CDN capacity scaled for holiday traffic volumes

DDoS mitigation services:

  • Cloud-based DDoS protection (Cloudflare, Akamai, AWS Shield, etc.)
  • Automatic mitigation triggered by attack signatures
  • Rate limiting on application layer
  • Geo-blocking for traffic from regions where you don’t do business

Monitoring and alerting:

  • Real-time traffic analysis during Cyber Week
  • Automated alerts for traffic spikes or anomalous patterns
  • Dashboard visibility for executives to understand attack status
  • Runbook procedures for DDoS response

Business continuity:

  • Alternative communication channels if website is down (social media, email, SMS)
  • Customer communication plan for explaining downtime
  • Failover systems for critical functions like checkout
  • Revenue recovery strategy (extended sales, make-good offers)

4. Third-Party and Supply Chain Risk

The vendor vulnerability:

Many holiday breaches occur through third-party vendors:

  • Payment processors
  • E-commerce platforms
  • Shipping and logistics providers
  • Marketing and analytics tools
  • Cloud service providers

Third-party security assessment:

Before the holiday season:

  • Audit all third-party access to your systems and data
  • Review vendor security posture and incident response capabilities
  • Verify compliance with contractual security requirements
  • Limit access to only what’s necessary for business function
  • Implement monitoring for third-party account usage

The supply chain attack scenario:

The 284% increase in fake and spoofed merchant websites isn’t just a consumer problem. Attackers also target:

  • Your vendors’ systems to reach your environment
  • Your customers’ data through compromised integrations
  • Your brand reputation through fake sites claiming to be you

Supply chain controls:

  • Software composition analysis for all code deployments
  • Vendor code reviews for critical integrations
  • API security including authentication, rate limiting, and monitoring
  • Incident response coordination with key vendors

5. Brand Protection and Threat Intelligence

Proactive brand monitoring:

With 2,000%+ increases in phishing attacks mimicking retail brands, you need:

Domain monitoring:

  • Typosquatting detection for domains similar to yours
  • SSL certificate transparency monitoring for certificates issued with your brand name
  • Takedown requests for fraudulent domains impersonating your brand
  • UDRP proceedings for more complex cases

Social media monitoring:

  • Fake account detection impersonating your brand
  • Scam advertisement monitoring on major platforms
  • Customer complaint analysis to identify fraud patterns
  • Rapid response to customer warnings about scams

Dark web and threat intelligence:

  • Monitor paste sites for leaked credentials
  • Track dark web marketplaces for stolen customer data
  • Threat intelligence feeds specific to retail sector
  • ISAC membership (RH-ISAC) for sector-specific intelligence sharing

6. Mobile Security for Hybrid Workforce

The BYOD holiday challenge:

With mobile threats quadrupling, and employees using devices for both work and personal holiday shopping:

Mobile device management (MDM):

  • Enforce MDM enrollment for any device accessing corporate email or data
  • Require strong authentication (biometric + PIN)
  • Enable remote wipe capability for lost or compromised devices
  • Block jailbroken/rooted devices from corporate access
  • Monitor for malicious apps that could compromise corporate data

Mobile security awareness:

  • Educate employees about the 120,000+ fraudulent retail apps
  • Warn against downloading apps from unfamiliar sources
  • Recommend only downloading apps from official app stores
  • Establish policy about personal shopping on corporate devices (or vice versa)

Network security:

  • VPN requirement for remote access to corporate systems
  • Zero-trust architecture assuming breach and verifying every access request
  • Conditional access policies based on device compliance status

7. Payment Security and PCI Compliance

The high-volume risk period:

Holiday transaction volumes create security challenges:

Point-of-sale (PoS) security:

  • Network segmentation isolating PoS systems from other networks
  • PoS system monitoring for malware or anomalous behavior
  • Physical security of payment terminals (prevent skimmers)
  • EMV chip compliance to prevent card cloning

E-commerce security:

  • PCI DSS compliance validated before holiday season
  • Tokenization to avoid storing actual card data
  • 3D Secure implementation for online transactions
  • Fraud detection tools analyzing transaction patterns
  • Bot detection preventing automated credential stuffing and carding attacks

The gift card fraud problem:

With $217 million in gift card fraud losses, protect your gift card program:

  • Secure storage of physical gift cards in stores
  • Tamper-evident packaging for gift cards
  • Delayed activation requiring purchase completion before activation
  • Balance monitoring for unusual patterns (rapid draining, checking from multiple IPs)
  • Customer education about gift card scams

8. Incident Response Readiness

The pre-holiday IR checklist:

Team readiness:

  • Incident response team identified with on-call schedule for Thanksgiving, Christmas
  • Contact information verified for all team members
  • Escalation procedures documented and understood
  • Legal counsel pre-briefed on breach notification requirements
  • PR/communications team prepared with crisis communication templates

Technical readiness:

  • Backups tested and verified with successful restore exercises
  • Forensic tools pre-positioned and ready
  • Log aggregation functioning correctly across all critical systems
  • Network diagrams updated and accessible
  • Asset inventory current and accurate

External resources:

  • Incident response retainer with external firm if you lack in-house capability
  • Cyber insurance policy reviewed and claims process understood
  • Law enforcement contacts established (FBI, Secret Service for financial crimes)
  • Notification vendors contracted for breach notification if needed

Communication templates:

  • Customer notification templates prepared
  • Employee communication templates ready
  • Media statement drafted and approved
  • Regulatory notification templates (state AGs, FTC, etc.)

9. Executive Communication and Board Reporting

Making the business case:

Executives care about revenue. Frame security in those terms:

The revenue-at-risk calculation:

For a retailer that does 30% of annual revenue during the holiday season:

  • Average data breach cost: $2.96 million
  • Revenue loss from DDoS downtime: $X per minute
  • Ransomware recovery time: Days to weeks during peak season
  • Customer trust damage: Long-term revenue impact

Total potential loss > Cost of prevention

Pre-holiday board report:

Include these elements in your November board presentation:

  1. Threat landscape overview (692% phishing increase, ransomware targeting weekends, DDoS attacks)
  2. Current security posture (controls in place, gaps identified)
  3. Holiday-specific risks (seasonal workforce, attack timing, peak traffic)
  4. Mitigation strategy (the 9-point plan above)
  5. Resource requirements (budget, staffing, third-party services)
  6. Incident response readiness (tabletop results, communication plans)
  7. Success metrics (how you’ll measure security during the season)

The staffing conversation:

Data point for executives: Nearly 9 in 10 ransomware attacks occur during nights and weekends.

Question: “Are we comfortable with limited security coverage during Thanksgiving weekend when we’re doing our highest revenue?”

Options and costs:

  • 24/7 internal SOC: $X
  • Managed detection and response: $Y
  • Enhanced automation with on-call: $Z
  • Do nothing: Potential $2.96M+ breach cost

10. Post-Holiday Assessment and Lessons Learned

January security review:

After the holiday season, conduct a comprehensive review:

Metrics to analyze:

  • Number of security incidents detected and responded to
  • Phishing email volume and click rates
  • DDoS attack attempts and mitigation success
  • Unauthorized access attempts and blocked attacks
  • False positive rates (alerts that required investigation but weren’t threats)
  • Incident response times (detection to containment)

Employee feedback:

  • Seasonal worker survey about security training effectiveness
  • Security team debriefing on what worked and what didn’t
  • Help desk analysis of security-related tickets

Vendor performance:

  • Third-party security assessment of partners
  • MDR/SOC vendor performance against SLAs
  • DDoS mitigation effectiveness

Improvements for next year:

  • Document lessons learned
  • Update incident response playbooks
  • Revise security awareness training based on actual attacks encountered
  • Adjust staffing model if gaps were identified
  • Budget planning for next holiday season

Industry-Specific Considerations

For Retail CISOs

Your unique challenges:

  • 78% of organizations don’t provide social engineering training to seasonal workers—you can’t afford to be in this statistic
  • 80% of retailers experienced cyberattacks in 2024—assume you’re a target
  • Physical and digital convergence—PoS systems, inventory management, e-commerce all create attack surface

Retail-specific priorities:

  1. Seasonal workforce security training (highest ROI)
  2. PoS system isolation and monitoring
  3. DDoS mitigation (availability = revenue)
  4. Gift card fraud prevention
  5. Brand protection and fake website takedowns

For Hospitality CISOs

Your unique challenges:

  • Guest privacy and data protection
  • Legacy property management systems
  • IoT devices (smart room controls, keycard systems)
  • Staff turnover and training challenges

Hospitality-specific priorities:

  1. Payment card security (PCI DSS compliance)
  2. Guest data protection (PII, payment information)
  3. Property management system security
  4. Employee training (high turnover industry)
  5. Physical security integration (keycard systems, surveillance)

For E-Commerce CISOs

Your unique challenges:

  • 100% digital attack surface
  • High-volume traffic creates visibility challenges
  • Bot traffic (both malicious and legitimate web scrapers)
  • API security for mobile apps and third-party integrations

E-commerce specific priorities:

  1. Bot management and anti-fraud systems
  2. Application security (web application firewall, code security)
  3. API security
  4. Cloud infrastructure security (if using AWS, Azure, GCP)
  5. Customer account protection (credential stuffing defense)

The Scattered Spider Threat: Deep Dive

Given RH-ISAC’s specific warning about Scattered Spider activity during the 2025 holiday season, CISOs need to understand this threat actor’s tactics:

Who is Scattered Spider?

  • Also known as: UNC3944, Octo Tempest, 0ktapus
  • Primary targets: Telecommunications, business process outsourcing (BPO), retail, hospitality
  • Notable victims: MGM Resorts, Caesars Entertainment (both hit in September 2023 during peak season)
  • Primary tactic: Advanced social engineering and SIM swapping

Their attack methodology:

Initial access:

  1. Social engineering against IT help desks—calling and impersonating employees to reset MFA
  2. SIM swapping attacks—compromising mobile phone numbers to intercept MFA codes
  3. Phishing for credentials—targeting specific employees with access to critical systems

Privilege escalation:

  • Exploitation of identity and access management (IAM) systems
  • Cloud environment compromise (particularly Azure AD/Entra ID)
  • Lateral movement through cloud infrastructure

Impact:

  • Data theft and extortion (without ransomware encryption in some cases)
  • Ransomware deployment (using various ransomware families)
  • Long-term persistence for future attacks

Defending against Scattered Spider:

Help desk procedures:

  • Never reset MFA or passwords based solely on a phone call
  • Verify identity through multiple channels before making changes
  • Flag requests from external phone numbers claiming to be internal employees
  • Document all requests and verification steps

MFA hardening:

  • Phishing-resistant MFA (FIDO2, hardware tokens) instead of SMS or app-based MFA
  • Conditional access policies that flag access from new devices or locations
  • SIM swap protection through carrier (though this isn’t foolproof)

Cloud security:

  • Azure AD/Entra ID hardening (a frequent Scattered Spider target)
  • Privileged access workstations for admin functions
  • Just-in-time access requiring approval for elevated privileges
  • Continuous monitoring of cloud environment changes

Key Metrics for Holiday Security Success

How to measure your security program during the holidays:

Leading indicators (predict future incidents):

  • Employee phishing click rate in mock exercises
  • Time to patch critical vulnerabilities
  • % of seasonal workers completing security training
  • Security awareness survey scores
  • % of systems with EDR deployed

Lagging indicators (measure actual incidents):

  • Number of confirmed security incidents
  • Mean time to detect (MTD) threats
  • Mean time to respond (MTR) to incidents
  • Mean time to recover (MTTR) from incidents
  • % of phishing emails blocked by email security
  • % of DDoS attacks successfully mitigated
  • Financial loss from security incidents
  • Customer data compromised (should be zero)

Business alignment metrics:

  • Website/system uptime % during Cyber Week
  • Transaction success rate (not blocked by fraud controls or DDoS)
  • Customer complaints about security-related issues
  • Revenue impact from security incidents (should be zero)

Dashboard for executives:

Create a real-time dashboard during Cyber Week showing:

  • Current threat level (based on attack attempts)
  • Attacks blocked in last 24 hours
  • System availability status
  • Any active incidents and status
  • Comparison to normal baseline

This gives leadership visibility and confidence in security posture.

The Budget Conversation: Justifying Holiday Security Spend

The ROI of prevention:

| Security Investment | Annual Cost | Potential Loss Prevented |
| MDR service for Nov-Jan | $15,000 | $2.96M (avg. breach cost) |
| Enhanced DDoS protection | $10,000 | $500K+ (revenue loss from downtime) |
| Seasonal employee training program | $5,000 | $2.96M (breach from untrained employee) |
| Incident response retainer | $20,000 | $100K+ (emergency IR costs) |
| Brand monitoring and takedowns | $8,000 | Reputation damage, customer trust |
| Total | $58,000 | $6M+ in prevented losses |

The cost of doing nothing:

Organizations that skip holiday security investments face:

  • 26% chance of ransomware incident (based on holiday statistics)
  • 80% likelihood of experiencing a cyberattack (retail sector)
  • $2.96M average breach cost
  • Revenue loss from downtime during peak season
  • Customer trust damage with long-term revenue impact
  • Regulatory fines for compliance violations

Expected value calculation:

Even if you estimate only a 10% probability of a significant incident during the holidays:

  • 10% × $3M potential loss = $300,000 expected loss
  • Security investment: $58,000
  • Net benefit: $242,000

And this doesn’t account for the reputational damage, customer trust erosion, and long-term business impact.

Conclusion: The CISO’s Holiday Imperative

The 2025 holiday season represents the perfect storm of cyber risk: 692% increases in phishing attacks, ransomware campaigns timed for weekend deployment, DDoS attacks targeting 7% of all traffic, and a seasonal workforce that receives zero security training in 78% of organizations.

With 80% of retailers experiencing cyberattacks and 22% facing seven to 15 attacks in a single year, the question isn’t whether you’ll be targeted—it’s whether you’ll be ready.

The data is unambiguous:

  • 9 in 10 ransomware attacks occur during nights and weekends
  • The average breach costs $2.96 million
  • 26% of holiday incidents involve ransomware, double the previous year
  • $529 million lost to online shopping fraud in 2024
  • More than 250 ransomware incidents in the U.S. in just three quarters of 2024

But awareness and preparation can transform these statistics from prophecies into prevented incidents.

Your November Action Plan

This week:

  • ✅ Complete seasonal employee security training program
  • ✅ Test backups and verify recovery procedures
  • ✅ Implement enhanced email filtering for phishing detection
  • ✅ Review and test incident response plan
  • ✅ Establish 24/7 coverage (internal SOC, MDR, or on-call rotation)

Before Thanksgiving:

  • ✅ Conduct ransomware tabletop exercise
  • ✅ Verify DDoS mitigation services are scaled for holiday traffic
  • ✅ Complete third-party security assessments
  • ✅ Implement brand monitoring and fake website detection
  • ✅ Brief executives and board on threat landscape and readiness

Ongoing through January:

  • ✅ Maintain heightened monitoring and alerting
  • ✅ Conduct weekly security briefings with leadership
  • ✅ Monitor threat intelligence for sector-specific attacks
  • ✅ Maintain communication with RH-ISAC and sector peers
  • ✅ Document all incidents and lessons learned

Final Thought: From Defense to Resilience

The holiday season will bring attacks. That’s not in question. What is in your control is whether those attacks become incidents, whether incidents become breaches, and whether breaches become catastrophes.

The goal isn’t perfect security—that doesn’t exist. The goal is resilience: the ability to detect, respond, recover, and continue operations despite active threats.

Your organization will face phishing attempts, DDoS attacks, and possibly ransomware campaigns. The difference between a minor security event and a business-ending disaster lies in the preparation you do right now, in November, before the attacks begin.

The attackers are counting on your distraction, your limited resources, and your hope that you won’t be targeted. Don’t give them what they want.

This holiday season, be the CISO who invested in prevention, trained the workforce, implemented the controls, and had the plan ready when the inevitable attacks came.

Your board will thank you. Your customers will trust you. And your security team will know they work for a leader who takes threats seriously.

The holiday shopping season is coming. The cyberattacks are coming with it.

Are you ready?

For ongoing threat intelligence and security insights, visit Breached Security. To join the Retail and Hospitality Information Sharing and Analysis Center and receive sector-specific threat intelligence, visit rhisac.org.