Full Report
From Black Friday to Boxing Day, shopping surges and so do cyber scams. Countdown timers and “last chance” offers create urgency that attackers exploit. Every click has consequences if you’re not prepared.
Analysis Summary
# Main Topic
Heightened cyber risk and scamming activity targeting consumers and retailers during peak shopping surges, specifically from Black Friday through Boxing Day, leveraging urgency created by flash sales and "last chance" offers.
## Key Points
- Attackers specifically time their malicious activities to coincide with the busiest trading periods when consumer caution is lowered due to the rush to secure bargains.
- Scams often involve cloned/look-alike websites, fake advertisements, and phishing/smishing/vishing attempts designed to influence quick decisions.
- AI is increasingly used to create highly convincing, localized phishing emails, texts, and deep-fake voice calls, diminishing the effectiveness of traditional fraud indicators.
- Password reuse is identified as a major vulnerability, allowing a single breach to compromise multiple retail, email, and banking accounts.
## Threat Actors
- **Scattered Spider:** The major attack on Marks & Spencer during Easter 2025, which disrupted online orders, click-and-collect, and in-store payments, is attributed to this group.
## TTPs
- **Urgency Exploitation:** Using countdown timers and time-sensitive offers to push impulse buying and bypass caution.
- **Web Fraud:** Deploying cloned websites and fake advertisements.
- **Social Engineering:** Utilizing SMS ("smishing") and voice phishing ("vishing"), including AI voice cloning.
- **Credential Compromise:** Exploiting password reuse across multiple services.
- **Supply Chain Targeting:** Attacking smaller retailers/marketplaces that plug into larger platforms, enabling pivoting to larger systems.
## Affected Systems
- **Consumer Systems:** Online purchasing platforms, payment systems, personal email/banking accounts (due to password reuse).
- **Retail Operations:** Online ordering systems, click-and-collect services, and in-store payment infrastructure (as demonstrated by the M&S incident).
- **Smaller Ecosystems:** Smaller retailers and marketplaces serving as supply chain entry points.
## Mitigations
**For Consumers:**
- Enable multi-factor authentication (MFA) universally, preferring app-based codes or FIDO2 keys over SMS.
- Use password managers to ensure unique passwords for every site.
- Utilize virtual or disposable cards with preset transaction limits for one-off or high-risk purchases.
- Practice URL sanity checks (spelling, domain matching) before transacting.
- Never trust unsolicited messages/calls; hang up and call the official vendor number directly.
- Review statements immediately after major shopping events and enable transaction alerts.
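
The URL sanity check above (spelling, domain matching) can be automated in a mail filter, browser helper, or link-scanning job. The following is an added example, not part of the original report: the trusted domains are constructed placeholders, and the near-miss comparison assumes the look-alike has the same number of labels as the trusted domain rather than consulting a public suffix list.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the shopper really uses (placeholder names).
TRUSTED = ("example-shop.co.uk", "examplebank.com")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return (verdict, reason) for a link before any payment details are entered."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "block", "not an HTTPS link with a hostname"
    if parts.username is not None:
        return "block", "text before '@' is not the host"
    if not host.isascii() or "xn--" in host:
        return "block", "internationalised name, possible homoglyph"
    # Domain matching: exact host or a genuine subdomain of a trusted site.
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "ok", "matches " + good
    # Spelling check: trusted name misused as a prefix, or a near-spelling.
    for good in trusted:
        if good + "." in host:
            return "suspicious", f"{good} used as a subdomain of another site"
        tail = ".".join(host.split(".")[-good.count(".") - 1:])
        if edit_distance(tail, good) <= 2:
            return "suspicious", f"{tail} is a near-spelling of {good}"
    return "unknown", "not on the allowlist"

if __name__ == "__main__":
    for link in ("https://www.example-shop.co.uk/basket",      # constructed samples
                 "https://examp1e-shop.co.uk/sale",
                 "https://example-shop.co.uk.deals-checkout.com/",
                 "https://example-shop.co.uk@pay.invalid/"):
        print(link, "->", check_url(link))
```

An "unknown" verdict means only that the site is not on the allowlist; it is a prompt to verify the retailer through another channel, not a sign of fraud.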
**For Retailers/Marketplaces:**
- Enforce MFA for all staff, especially for administrative and payment accounts.
- Implement role-based access control to limit user privileges (Least Privilege principle).
- Ensure all platforms and plugins are promptly patched.
- Conduct regular phishing drills and establish a clear channel for employees to report suspicious activity.
- Test incident response and backup restoration capabilities proactively.
## Conclusion
The period between Black Friday and Boxing Day presents an elevated and targeted threat level, driven by opportunistic attackers leveraging consumer desire for discounts. Resilience requires simultaneous preparation from both consumers (through strong authentication and skepticism) and retailers (through robust internal controls and incident readiness). Attackers' growing use of AI makes it necessary to move beyond traditional security awareness.