Halloween-themed spam has risen sharply this season, with Bitdefender reporting that 40% of these emails contain malicious content designed to scam users or harvest personal data.

In the first half of October alone, spam volumes increased by 18% compared to September, signaling the start of a cybercrime spike that is expected to continue through the holiday season.

Half of these Halloween-themed emails resemble typical promotional offers, enticing consumers with costume discounts and seasonal deals.

However, 40% were identified as phishing attempts, often using subject lines like “You have won the October 2024 mystery box giveaway” to lure recipients into clicking on harmful links.

Bitdefender cautions that as Halloween nears, consumers should remain vigilant against scams masked as holiday offers.

Alina Bizga, security analyst at Bitdefender, said cybercriminals have a long-standing tradition of taking advantage of heightened consumer activity during Halloween to launch scams and other internet fraud.

“People often let their guard down during seasonal events and are more likely to engage with promotions, giveaways and similar content,” she explained.

This combined with spikes in online shopping for costumes, decorations or party supplies, makes individuals more susceptible to phishing emails, fraudulent deals and malicious links.

“We anticipate that Halloween-themed spam will continue to rise as the holiday shopping season approaches,” Bizga added.

She explained cybercriminals know that consumer engagement peaks before major holidays, as people rush to complete last-minute purchases or take advantage of promotions.

“The increase in online shopping, combined with excitement around the holiday, creates fertile ground for threat actors and scammers,” she said. “However, it’s also likely that we will see additional Halloween-themed campaigns circulating even after Oct 31.”

She noted many retailers offer huge discounts on unsold Halloween merchandise after the holiday, and scammers will likely exploit these sales to continue luring unsuspecting consumers with phishing emails and fraudulent offers.

Cybercriminals use these emails to steal personal or financial information or trick recipients into paying for fake products or services.

U.S. Dominates in Halloween Spam

The report noted the United States dominates in both spam origination and targeting, with 83% of Halloween-themed spam sent from U.S. sources and 71% hitting American inboxes.

China and Germany follow as minor sources, contributing 6% and 4%, respectively, while countries like Japan, France and Australia experience lower levels.

Targeted regions include Germany (8%), the UK (5%), and Ireland (4%), highlighting the global spread of these seasonal scams.

Sean McNee, vice president of research and data at DomainTools, said in the past, the FTC has noted Halloween-themed scams targeting popular retailers like Spirit Halloween and Party City, making it appear they have the “treat” of a discount, but it’s a “trick” to scam victims for credit card information.

“Victims might receive an order they placed, but it might be counterfeit, damaged, or a different item than expected,” he explained.

Online shopping plays a significant role in holiday-themed scams as shoppers keep moving toward online shopping versus brick-and-mortar options.

The 2023 holiday season saw a growth rate of 3.8% to a record $964.4 billion due to an extended shopping period and online sales, which grew to 8.4% according to the National Retail Federation.

McNee said as large retailers begin sharing deal days, there will likely be an increase in malicious activity targeting the retail space.

“Given the breadth of the infrastructure and domains employed by these actor groups, along with the rate of recidivism they have displayed, it’s imperative for retail brands to maintain regular watch over their activities,” he said.

From his perspective, sharing information between brands is tremendously important, as threat actors rarely focus on a sole organization.

“Sharing intelligence and data that helps protect one brand can be used to benefit others,” McNee said.