Cyberside Chats: Cybersecurity Insights from the Experts

Holiday Hackers—The 2025 AI Fraud Boom



Hackers are using AI to supercharge holiday scams—flooding the web with fake ads, phishing pages, and credential-stealing bots. This season, researchers predict a record spike in automated attacks and malvertising campaigns that blur the line between human and machine. Sherri Davidoff and Matt Durrin break down what’s new this holiday season—from AI-generated phishing kits and bot-driven account takeovers to the rise of prebuilt “configs” for credential stuffing. We used WormGPT to produce a ready-to-run holiday phishing page—a proof-of-concept that demonstrates how quickly scammers can launch these attacks with evil AI tools. This episode reveals how personal habits turn into corporate risk. Before Black Friday and Christmas hit, learn what your team can do right now to protect people, passwords, and payments. 

Key Takeaways – How to Defend Against the 2025 AI Fraud Boom 

  1. Treat holiday scams as a business risk, not just a retail problem. Automated bots, fake ads, and AI-generated phishing campaigns target your employees too — not just shoppers. Expect higher attack volume through the entire holiday season.
  2. Expect password reuse—and enforce strong MFA everywhere. Employees will reuse personal shopping passwords at work. Require MFA on all accounts — especially SSO, admin, and vendor logins — and block reused credentials where possible.
  3. Filter out malicious ads and spoofed sites. Use DNS and web filtering to block malvertising and look-alike domains. Encourage staff to verify URLs and avoid “too-good-to-be-true” promotions or charity appeals.
  4. Strengthen bot and fraud detection. Tune WAF and bot-management tools to catch automated login attempts, fake account creation, and credential stuffing. These attacks spike before Black Friday and often continue into January.
  5. Run a short holiday security awareness push before Black Friday—and repeat before Christmas. Brief all staff, especially finance and customer service, on seasonal scams: gift-card fraud, fake charities, refund and invoice scams, malvertising, and holiday-themed phishing.
  6. Remember: personal security is corporate security. BYOD, home shopping, and password reuse mean an employee’s compromise can quickly become your organization’s compromise. Keep the message simple: protect your accounts, protect your company.

Don't forget to follow us for more cybersecurity advice, and visit us at www.LMGsecurity.com for tip sheets, blogs, and more advice!

Resources:

  1. RH-ISAC — 2025 Holiday Season Cyber Threat Trends: https://rhisac.org/press-release/holiday-threats-2025/ (RH-ISAC)
  2. Malwarebytes — Home Depot Halloween phish gives users a fright, not a freebie: https://www.malwarebytes.com/blog/news/2025/10/home-depot-halloween-phish-gives-users-a-fright-not-a-freebie (Malwarebytes)
  3. Bitdefender Labs — Trick or Treat: Bitdefender Labs Uncovers Halloween Scams Flooding Inboxes: https://www.bitdefender.com/en-us/blog/hotforsecurity/bitdefender-labs-uncovers-halloween-scams-flooding-inboxes-and-feeds (Bitdefender)
  4. FBI / IC3 PSA — Hacker Com: Cyber Criminal Subset of The Com — background on The Com threat cluster referenced by RH-ISAC and seen in holiday fraud activity: https://www.ic3.gov/PSA/2025/PSA250723 (Internet Crime Complaint Center)
  5. Fast Company — Holiday season cybersecurity lessons: The vulnerability of the retail workforce: https://www.fastcompany.com/91270554/holiday-season-cybersecurity-lessons-the-vulnerability-of-the-retail-workforce (Fast Company)

#HolidayScams #Phishing #Malvertising #Cybersecurity #Cyberaware #SMB #BlackFridayScams

Cyberside Chats: Cybersecurity Insights from the Experts, by Chatcyberside
