Each year, there is a holiday surge in cyberattacks employing a wide range of attack vectors. This heightened activity can make organizations more vulnerable to legal and regulatory scrutiny. This is a good time to check your defenses.
No. 1: AI-assisted attacks are faster and more convincing than ever before.
Businesses should be on guard for deepfake voice mail messages and phishing attempts generated by artificial intelligence that are tied to holiday matters. For example, the phishing may involve fake shipment notices, messages from “Human Resources” seeming to approve time-off requests, or fraudulent requests for gift cards.
Being on guard includes maintaining reasonable system safeguards and training employees about the latest trends and the importance of being skeptical about messages received.
No. 2: Phishing via calendar “invites.”
Bad actors are increasingly using calendar invites as a phishing technique. Your employees should be aware that they may receive unsolicited “invites” with fraudulent links to fake invoices or requests for personal information. These “phishing invitations” take advantage of automatic event-adding features in platforms like Google or Outlook Calendar. A single click on an event link can redirect users to phishing websites designed to steal credentials or install malware.
No. 3: Connected networks and intrusions
We reported recently about a cyberattack at F5, Inc. The attack was significantly troubling, because it affected a company that provides cybersecurity services and applications. Attackers are increasingly targeting upstream providers -- including software, cloud, or managed service vendors – and as a result the provider, as well as all of its customers, can be compromised in a single attack. To defend themselves, organizations should ensure that they are timely installing patches and paying attention to network communications.
No. 4: Lean holiday staffing and fatigue
The holidays are a busy time for both individuals and businesses. With increased personal travel and customer demand, there are often fewer eyes on alerts and more automated systems running without manual oversight. Incident-response teams may be stretched thin or operating on reduced shifts. Organizations should plan for this by ensuring backup coverage and clear escalation procedures, since delayed responses can create additional exposures.
No. 5: High-risk industries.
Businesses in retail or health care, as well as public sector entities, are more likely to experience year-end strains. In the retail context, this unsurprisingly results from increased customer volume. In health care, open enrollment may be the culprit, and in the public sector, budget deadlines. Organizations in these sectors should ensure that their endpoint monitoring, access controls, and vendor assessments are up to date.
How to stay ready year-round
As the year winds down, threats don’t take a holiday. The following guidance builds on our previous post, Top Ten Cybersecurity Tips for Organizations During the Holiday Season, and incorporates new trends and risk considerations.
Organizations should continue employee training to recognize phishing and social engineering risks while expanding awareness to include AI-generated scams, calendar phishing, and vendor-chain exploits. Even short refreshers during the holidays can significantly improve response readiness.
Strong access controls are equally critical. Review and limit user privileges, especially for employees who may be traveling or on vacation, and monitor for unusual logins or vendor account activity that could signal a compromise.
Keep technical hygiene front and center. Accelerate patching, automate alerts, and rely on clear escalation procedures when staffing is limited. Treat unsolicited calendar invites and holiday-themed messages with the same caution as suspicious email attachments, and require VPN and multifactor authentication for remote access.
Finally, strengthen overall resilience through tested backups, incident-response plans, and vendor oversight. Holiday downtime is a prime time for attacks, so ensure that communication lines are open and notification obligations are up to date. Documenting these steps, and briefing leadership on how the organization is preparing its defenses, can help to make cyber defense a priority throughout your organization.
Although cyber risk is not seasonal, preparation for holiday periods is crucial. By boosting awareness, tightening access, and reinforcing response capabilities, organizations can enter the new year better positioned to protect themselves.
