As the winter holidays approach, malicious spammers have ramped up their efforts, flooding inboxes with a surge of unsolicited emails and Christmas-themed scams, according to a Bitdefender report.

Key findings indicated a steady rise in Christmas-themed spam rates since November 13, with notable spikes detected around November 30 and between December 5-8, 2023.

Nearly 30% of unsolicited emails bearing Christmas themes from November 13 to December 12 were flagged as scams by Bitdefender Antispam Lab.

Bitdefender’s analysis uncovered a variety of deceitful tactics, including impersonation of reputable brands such as Temu, Alibaba, Aliexpress, Carrefour, Kaufland, Edenred, Walmart, Kmart, Home Depot and cryptocurrency platform Binance.

Scammers are enticing victims with tempting lures, ranging from coveted items like the PS5 to enticing offers like a $4.2 million “ATM CARD.”

Analysis reveals a geographical spread of these scams, with 29% of Christmas spam emails targeting U.S. users and 19% reaching individuals in Ireland.

France stands out as a top destination, receiving 13% of these spam emails, marking a 6% surge from the previous year.

Germany experienced a 7% increase, accounting for 10% of the spam, followed by the UK at 9%, Italy at 4% and Australia at 3%.

Cybercriminals are capitalizing on consumer trends during the holiday season, luring victims with promises of free gifts, money and exclusive offers.

These scams often entail fake surveys that request personal information, disguised as opportunities to win prizes, with the aim of defrauding unsuspecting individuals.

Alina Bizga, a security analyst at Bitdefender, warned that interacting with or falling for Christmas-themed scams (whether via fake emails, social media messages or phone calls) can result in significant financial losses, account takeovers and even identity theft.

“Organizations are also at an increased risk because employees are most likely at home shopping from their work computer or in a rush to finish end-of-year reports,” she said.

The surge in online shopping combined with short-staffed security teams and distracted employees, make it easier for cybercriminals to catch users off guard during this time and trick them into paying fraudulent invoices, deploying spyware or ransomware on an organization’s IT system.

“Nothing is off-limits during the holiday season,” Bizga explained. “Cybercriminals employ aggressive and diverse tactics when constructing fraudulent messages to get users to share personal information, credentials and money.”

She added that the use of AI and LLMs this year has also been a true game-changer for cybercriminals, as it allows them to create near-perfect phishing content over email, text and social media.

The Gift That Keeps on Giving

Mika Aalto, co-founder and CEO at Hoxhunt, pointed out that seasonal scams continue to exist because they’re successful for hackers.

“Cybersecurity leaders should take steps to bulk up defenses during Christmas when there is heightened email activity and emotions that social engineers can manipulate,” he said.

Aalto noted that many employees use the same devices for work and for personal use, so opening a malicious link in a seemingly personal message could have catastrophic consequences for the organization.

Bizga pointed out that the weakest link in cybersecurity will always be the human target, which is why cybercriminals place so much emphasis on the craft of social engineering.

“For many criminal groups, it is more important than the malware code itself,” she said. “Most compromises still start from a successful phishing or spear-phishing attempt.”

For organizations, regular security training that covers social engineering awareness is a must, along with periodic mock phishing tests to help gauge employee resilience against evolving scams.

For the individual, having the right security on all devices and paying close attention to any unsolicited communications will go a long way.

“If it is unsolicited, 99% of the time, they are after your credentials or money,” Bizga said.

Aalto said that cybersecurity awareness should be viewed as a culture multiplier that lies at the intersection of IT and HR, comparing it to a “wellness benefit” that doubly serves to secure the organization against attacks.

“Help people understand that by providing targeted cybersecurity training in December, you are giving them a wellness benefit that they can take home to their families,” he said. “And do it with Christmas cheer.”