Christmas - 'Tis the Season for Cybercrime?

The lead-up to Christmas is one of the busiest times of the year for retailers, couriers, and… cybercriminals. For Kiwis, there’s more online shopping, more digital communication, and more financial transactions happening in a short space of time, which means attackers see an opportunity and they take it.

It’s also the time of year when attention is at its lowest in NZ businesses. Staff are winding down, dreaming of the Kiwi summer, BBQs, and family time. Many businesses run reduced teams over the break, which means fewer people available to spot unusual activity, less time and bandwidth to be more skeptical or respond quickly when something looks off. All of this makes both organisations and individuals more susceptible to threats.

Whether you’re a business handling increased customer demand or taking a break over the Christmas period, or a consumer racing to finish your gift list, it’s worth taking a moment to tighten up your digital security.

What to Look Out For

While it’s not exactly festive, but Christmas is peak opportunity for attackers. Attention drops, urgency skyrockets, and online spending jumps significantly from November–January. This combination creates the perfect conditions for scams to thrive.

Additionally, with attackers increasingly using AI to craft highly convincing phishing emails, fake courier notifications and voice cloned phone calls pretending to be executives or family members, scams are harder to identify, especially when people are busy and less alert during the Christmas period.

Fake Retail Sites

People spend more online during this period than any other time of year. More transactions mean more opportunities for phishing, card-skimming, fake retail sites, and payment fraud. Scam ads on social media have surged, including sponsored posts for non-existent stores and counterfeit goods. Even paid ads can be fraudulent, so it pays to check reviews and verify the retailer before purchasing.

Urgent, too-good-to-be-true Sales

Tight deadlines and having to buy multiple gifts for Christmas all contributes to quick clicks and less scrutiny of bargains. Cybercriminals rely on this.

Courier-related Scams

With parcels flying everywhere, fake delivery updates become easier to disguise among the real ones, and you’re less likely to expect a scam, when you’ve actually got a delivery, or several, on the way.

Attackers are also using malicious QR codes (quishing) in fake delivery emails or texts. These link to fraudulent tracking pages or payment requests.

Charity Scams

Attackers take advantage of the season of giving, spinning up fake donation pages and emotional appeals. Crypto based charity scams are also becoming more common, promising “matched” or “multiplied” donations.

How Businesses Can Protect Themselves

1. Enable Multi-Factor Authentication (MFA) Everywhere

MFA blocks most account-takeover attempts, even if passwords are stolen in scams.

2. Review access and permissions before the break

Remove old accounts, limit admin roles, and ensure the right people have the right access while teams are reduced.

3. Patch and update before shutting down

Unpatched systems are one of the easiest entry points for attackers.

4. Improve email filtering

Flag impersonation attempts, suspicious attachments, and high-risk links before they reach staff inboxes.

5. Back up everything

Ransomware incidents spike over the holiday period. Verified, offline backups ensure you can recover quickly.

6. Educate staff about seasonal scams

Share real examples of courier scams, invoice fraud, and charity-based phishing. Awareness is powerful.

7. Ensure holiday period monitoring

With reduced staffing over Christmas, consider automated monitoring or outsourced alerting so unusual activity is picked up even when teams are offline. Many breaches happen when security teams are least active.

8. Double check supplier and payment requests

Fake or compromised supplier emails increase during the holiday season. Verify any changes to bank details, unexpected invoices, or urgent payment requests using known contact channels.

How Consumers Can Stay Safer Online

1. Check websites before entering card details

Look for HTTPS, legitimate URLs, clear contact information, and trustworthy payment options. It’s always worth doing a quick check of reviews through a google search too.

2. Be cautious of delivery texts and emails

If you weren’t expecting a parcel, don’t click and avoid scanning QR codes in unsolicited messages. If you were, go directly to the courier’s official site or original confirmation email from the sender.

3. Use strong, unique passwords

A password manager helps keep everything secure and prevents a breach in one place from spreading.

4. Turn on MFA for banking, email, and key accounts

Even if someone gets your password, MFA can stop them.

5. Monitor your accounts & Enable bank transaction alerts

Although you don’t want to be trawling through your expenses over a big spending period - December and January are prime time for fraudulent charges. Regular checks help you spot anything suspicious early, even if the spending ends up being all yours (oops).

Most NZ banks also offer real-time mobile notifications for card transactions. These alerts can help you detect fraudulent activity immediately, especially during the busy spending period in December and January.

6. Be wary of charity appeals

Donate only through official websites or in-person appeals. Even if you’re in the giving spirit, you want it to be going to the right organisations. Be mindful of the form the donation is suggested too - legitimate charities will never request cryptocurrency as a donation method.

7. Watch out for Buy-Now-Pay-Later scams

BNPL platforms like Afterpay and Laybuy are increasingly targeted through account-takeover attempts and fake repayment alerts. Always log in through the official app or website – never via links in emails or texts.

Cybercrime over Christmas isn’t about fear, it’s about preparation. A few practical steps can significantly reduce risk for both businesses and individuals.

Let’s keep the silly season silly for the right reasons and not when talking about your cybersecurity.

If you’re looking to strengthen your organisations’ or home security heading into the new year, our team is here to chat. Get in touch with us here.