Merry Phish-mas: How to Protect Your Business From AI-Generated Risk During the Holidays

While the holidays should bring tidings of comfort and joy, most of us can expect to get more spam and phishing messages in our inboxes than any other time of the year. In 2024, Darktrace found that Christmas-themed phishing attacks surged 327% globally in the run-up to the holidays. During high-volume shopping periods, including Black Friday and Cyber Monday, the company reported that malicious emails designed to look like they were coming from major brands like Walmart and Best Buy increased by more than 2,000%. 

Holiday phishing risks aren’t relegated to your team’s personal devices or accounts. The increase in cyberthreat activity and ever-more-sophisticated AI phishing campaigns put organizations in jeopardy too.

In this article, we’ll unwrap why businesses are more vulnerable to phishing attacks during the holidays and discuss how IT teams can use AI to improve their security posture, even if they’re short on resources this season.

What Makes Businesses Vulnerable to Cyberattacks During the Holiday Season?

Threat actors leverage the holiday rush to scale up cyberattacks. Throughout the season, team members are inundated with promotional emails and SMS messages. Conditions are ideal for phishing attacks that prompt them to give up login credentials and payment details.

If you have a bring your own device (BYOD) program, there could be far more crossover than you think between work and personal device usage. Verizon found that 46% of systems that had suffered an infostealer attack which lifted corporate login credentials were non-managed devices, meaning nearly half of users were using their company credentials on devices that were technically outside the organization’s perimeter. If employees working (and shopping) on their own device encounter malicious messages that compromise their personal information, their corporate credentials could be at risk, too.  

In the run-up to the holidays, businesses might be sending more company-wide messages, such as invitations to holiday events and reminders about year-end initiatives. This could mean that team members are receiving messages from people they don’t usually interact with—cue that urgent email from “Pam in Accounting”—making it harder to discern who’s legitimate and who isn’t. Busy teams are also in a rush to wrap up projects and juggle workloads as people take time off, adding to inbox chaos. Attackers know potential victims are overwhelmed and distracted. 

Hoxhunt found that Microsoft, Docusign, and the human resources (HR) department were the top three entities attackers impersonated most often. Employees implicitly trust these entities, making them prime disguises for social engineering actors.

And there’s truly no rest for the wicked: threat actors take advantage of public holidays when there are fewer staff in the office or online to detect, report, and remediate breaches. When people aren’t checking their email, it’s the perfect time to push out spear phishing emails from trusted coworkers’ compromised accounts without getting caught. Darktrace also found that 76% of ransomware attacks start outside of business hours or on weekends. In 2024, one of their clients suffered a ransomware attack in the early hours on Christmas Day—not exactly the type of present the company was hoping to find under the tree that morning. 

Some businesses may also put off deploying patches or updates through the holiday season and attackers know there’s ample opportunity to exploit those weakened defences when key team members head out of office. 

GenAI: This Year’s Must-Have Gift for Cybercriminals

Generative AI (genAI) has made it easier than ever for threat actors to design counterfeit digital assets, from convincing corporate email signatures to full-blown ecommerce sites that look and feel exactly like those from major retailers. GenAI also allows attackers to quickly camouflage themselves within a business’s systems after they gain access.

At unprecedented scale, cybercriminals can use genAI to:

  • Replicate the tone of voice of individual team members in the organization within spear phishing messages.

  • Create deepfake voices or videos and pretend to be a leader or IT team member, even on calls.

  • Optimize phishing messages to bypass spam filters and more effectively manipulate recipients to take action. 

In the past, people might have looked for grammatical errors or strange turns of phrase to identify phishing messages. Today, attackers can easily generate thousands of polished messages in the victim’s native language, complete with contextual details compiled using publicly available information about individuals and companies. Threat actors can also spin up many unique variations of phishing messages, enabling them to slip past signature-based detection methods.

How to Improve Your Holiday Cybersecurity Hygiene

Sixty percent of breaches involve the human element, and attackers know humans are most vulnerable to phishing during the holidays. Engaging your team in cybersecurity awareness reduces the risk of an incident. Hoxhunt research shows that training employees to recognize social engineering attacks can reduce phishing incidents by 86%.

Meanwhile, Push Security research reveals that one in three employees reuse passwords and that 9% of identities have reused passwords and no MFA. That means simply improving password hygiene or implementing phish-resistant authentication ahead of the holiday season can make a big difference. 

It’s smart to treat holiday cybersecurity as a high priority and focus team resources on strengthening your security posture. Here’s a checklist to help you to prepare your systems, and your humans, for the uptick in cyberthreats this season:

Action | Why It Matters
Run an internal “holiday phishing test” to identify weaknesses | Raise awareness about phishing and demonstrate what social engineering attacks can look like. Keep cybersecurity top-of-mind when engagement and focus are low.
Ensure everyone is using MFA and encourage employees to reduce password reuse | Close gaps in your MFA rollout and train employees on the risks of password reuse. Consider using passwordless authentication. Protect accounts even if credentials are stolen and lower the risk of credential stuffing attacks.
Tighten conditional access policies | Consider reducing permissions around higher-risk systems or blocking international logins (especially for countries actively initiating exploits) while individuals are out of office. Strengthen your Zero Trust strategy and reduce potential entry points for attackers.
Audit and reinforce BYOD policies | Determine if there are vulnerabilities in your device management policies. Ensure employees verify their compliance with your policy or strengthen data loss protection (DLP) controls for non-managed devices. Secure the devices employees will take with them over the holidays.
Fortify your systems | Prioritize deploying patches and bringing operating systems, apps, and antivirus and firewall solutions up to date before team members head away. Limit the window of vulnerability during attackers’ peak season.
Validate suppliers and end-of-year invoice emails | Use three-way matching to confirm legitimacy and ensure the accounts payable (AP) team stays vigilant. Consider implementing a threshold: for invoices above a certain amount, schedule a call with the supplier to verify payment details. Avoid invoice phishing and fake invoice scams.
Establish a holiday response plan | Delegate on-call coverage and update escalation paths based on employee availability. Prevents missed alerts over the holidays.
Bring in a managed service provider (MSP) to fill coverage gaps | Reach out to your MSP well ahead of holiday office closures to ensure your system will be monitored when it’s most vulnerable. Get the coverage you need while your team takes a break.
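
The invoice-validation item in the checklist, as an added example (not code from IX Solutions or any product named here): a minimal three-way match that holds invoices disagreeing with the purchase order or goods receipt and routes matched invoices to a supplier call when they exceed a threshold. The threshold amount, the record fields, and the extra comparison of bank details against the vendor record are assumptions that go beyond what the checklist states.

```python
from dataclasses import dataclass
from decimal import Decimal

CALLBACK_THRESHOLD = Decimal("10000")  # assumed policy value; the page names no amount

@dataclass(frozen=True)
class Doc:
    """One line of a PO, goods receipt or invoice (simplified to a single item)."""
    po_id: str
    supplier: str
    qty: int
    unit_price: Decimal = Decimal("0")
    bank_account: str = ""

def review_invoice(inv, orders, receipts, accounts_on_file):
    """Return (decision, reasons); decision is 'pay', 'callback' or 'hold'."""
    po, gr = orders.get(inv.po_id), receipts.get(inv.po_id)
    if po is None or gr is None:
        return "hold", ["missing purchase order or goods receipt"]
    reasons = []
    if inv.supplier != po.supplier:
        reasons.append("supplier differs from PO")
    if inv.unit_price != po.unit_price or inv.qty > po.qty:
        reasons.append("price or quantity differs from PO")
    if inv.qty > gr.qty:
        reasons.append("billed quantity exceeds received quantity")
    if reasons:  # three-way match failed: do not pay
        return "hold", reasons
    # A matching invoice can still carry attacker-supplied payment details,
    # so these checks route to a phone call on a number already on file.
    if accounts_on_file.get(inv.supplier) != inv.bank_account:
        reasons.append("bank account differs from vendor record")
    if inv.qty * inv.unit_price > CALLBACK_THRESHOLD:
        reasons.append("amount above call-back threshold")
    return ("callback", reasons) if reasons else ("pay", [])

# Constructed sample records (not real suppliers or accounts).
ORDERS = {"PO-1": Doc("PO-1", "Acme Ltd", 10, Decimal("250")),
          "PO-2": Doc("PO-2", "Acme Ltd", 100, Decimal("250"))}
RECEIPTS = {"PO-1": Doc("PO-1", "Acme Ltd", 10),
            "PO-2": Doc("PO-2", "Acme Ltd", 100)}
ACCOUNTS = {"Acme Ltd": "ACCT-0001"}

if __name__ == "__main__":
    for inv in (Doc("PO-1", "Acme Ltd", 10, Decimal("250"), "ACCT-0001"),
                Doc("PO-1", "Acme Ltd", 10, Decimal("250"), "ACCT-9999"),
                Doc("PO-2", "Acme Ltd", 100, Decimal("250"), "ACCT-0001"),
                Doc("PO-1", "Acme Ltd", 12, Decimal("250"), "ACCT-0001")):
        print(inv.po_id, inv.qty, inv.bank_account, "->",
              review_invoice(inv, ORDERS, RECEIPTS, ACCOUNTS))
```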

Keep Your Security Posture Merry and Bright with AI

For cybercriminals, AI is a gift that will just keep on giving as it continues to learn which nefarious tactics work and which don’t. But in response, security solution providers are ramping up good-guy AI features to combat the complexity and scale of today’s AI-supported cyberattacks. IT teams can use AI to get a complete view of their attack surface, proactively detect vulnerabilities, automate security workflows, and streamline troubleshooting.

To give you an idea of what AI can do, here are some AI-enabled Microsoft Security products teams can use to check off the holiday security hygiene action items above: 

  • Microsoft Defender for Office 365: Protects inboxes from malicious links and attachments using advanced AI and ML to analyze incoming messages and quarantine suspicious messages before they reach their victim. 

  • Microsoft Defender for Identity: An AI-driven identity threat detection solution that helps you assess your identity posture, identify possible lateral movement paths, and get insights into potential vulnerabilities. 

  • Microsoft Defender for Endpoint: Streamlines threat detection and response across all endpoints, including managed devices and those that are part of your BYOD program.

  • Microsoft Security Copilot: An AI security assistant that IT team members can use to troubleshoot issues, gather context about incidents as they occur, get insights into performance, and build custom AI agents.

  • Microsoft Defender Vulnerability Management: Provides asset visibility, assessments, and remediation tools as well as threat intelligence, breach predictions, and security recommendations based on your biggest vulnerabilities. 

  • Microsoft Defender XDR: Unifies insights and alerts from Microsoft’s suite of security solutions and coordinates threat detection, prevention, investigation, and response across the entire environment, including endpoints and apps.

IX Solutions specializes in managing Microsoft solutions and implementing Microsoft Security products that fit the needs of your unique business. We work with your team to identify gaps in your security posture and match the right combination of Microsoft offerings to ensure your systems are protected, without compromising your team’s user experience. 

Happier Holidays Start with Extra Security Support from IX Solutions

Leaning on an MSP like IX Solutions during the holiday season gives you access to additional expertise and coverage while your team is tied up with high-priority year-end projects. The IX Solutions team has extensive experience rolling out security initiatives with minimal disruption to help you reinforce your security posture against the seasonal surge in cyberattacks. We can also provide on-call staff to look after your systems over the holidays so your team can take some well-deserved time away from work. 

Need support implementing policies and products that keep your systems secure all year long? Reach out to the IX Solutions team for an assessment and get help setting up the layers of protection you need before the new year.

