Why do hackers love holidays?

by Black Hat Middle East and Africa

This week we’re focused on…

Holidays, and why hackers like to exploit them. 

Why? 

We know, it’s not very cheerful to focus on the downsides of holidays. But it has to be done. Because two sets of data from 2025 make it clear that attackers actively plan around predictable time off; they time their strikes for when attention, staffing, and vigilance dip the lowest.

The timing of attacks 

A 2025 ransomware holiday risk study from Semperis found that 52% of ransomware attacks occur during weekends or holidays – when defenders are least ready and incident response is slowest.

For many organisations, holiday seasons mean that staffing drops, and monitoring slows down. Decision-makers are offline or preoccupied, and that leaves the door open. 

Semperis also identified another timing trick: 60% of ransomware attacks occur after material corporate events (like mergers, acquisitions, layoffs), and 54% of those follow mergers or acquisitions, when systems are in flux and roles are unclear. 

Email inboxes become attack surfaces

Threat timing isn’t limited to big ransomware operations. Holiday shopping spikes also create a massive social engineering window.

Data from cybersecurity firm Darktrace showed phishing attacks targeting Black Friday shoppers spiked by 620% leading up to the event – and volumes often climbed even higher during peak shopping weeks. 

In one snapshot of email traffic in the holiday period, scams impersonating major US retailers like Walmart, Macy’s and Best Buy jumped 54% in just one week ahead of Black Friday.

And these aren’t crude scams either. With generative AI and polished design tools, attackers are creating near-perfect replicas of trusted brands’ messaging and checkout flows to lure victims into clicking and divulging personal data.

When trust becomes the attack vector

McAfee Labs’ 2025 holiday brand impersonation research reinforces this. Cybercriminals are increasingly mimicking the brands consumers trust most – and turning that trust against the users themselves.

Among mainstream consumer brands, the most impersonated include Apple, Nintendo, Samsung, Disney, and Steam. Luxury brands are targeted too, with top impersonated names including Coach, Dior, Ralph Lauren, Rolex, and Gucci. 

So instead of just chasing clicks, attackers are chasing credibility. Major brand logos and trusted identities lower user suspicion, and that’s precisely what attackers exploit.

Why do defenders keep losing the timing game? 

Part of it is simple economics: most organisations still reduce security operations staffing by 50% or more during weekends and holidays, and a minority eliminate coverage entirely – sometimes with leadership blessing, to give teams work/life balance.

That creates gaps defenders can’t patch with tools alone. Attackers, on the other hand, don’t take days off (or at least, not days off in the holidays). They automate, scale, and scan for opportunity.

And even beyond staffing, there’s a deeper problem: many organisations detect identity system vulnerabilities – but far fewer can fix them or recover from them quickly. Only 45% have identity vulnerability remediation procedures, and only 63% automate identity system recovery – which leaves windows open during holiday lulls.

Tuned into the rhythm of human patterns

Holidays are when people shop. They’re when staffing drops. They’re predictable. And all of those factors are useful for attackers who place bets on the rhythm of life. 

If you want hackers to love holidays at your organisation a little bit less, you can: 

  • Design for the low-staffing reality – assume coverage will be thin, and automate monitoring and response.
  • Build identity resilience – invest in remediation and recovery.
  • Treat brand impersonation as a business risk – protect customer trust as aggressively as systems.

Have fun, and stay safe out there. 

We want to know…

What’s your best tip for protecting an organisation against increased vulnerability during holidays or planned time off?
