Holiday Cyberattacks Surge as Attackers Exploit the 2025 Shopping Season


As technology becomes more deeply integrated into daily life, cyber risk becomes an increasingly pressing concern. The 2025 holiday season represents the most aggressive alignment yet between consumer behavior and cybercriminal strategy. Attackers, looking to increase their success rates and payouts, exploit predictable spikes in online shopping traffic, digital payments, and mobile app usage.

Three independent sources of threat intelligence—Fortinet, Darktrace, and Zimperium—have each identified the same pattern in attack trends. They cite higher automation, faster imitation, and broader targeting of not only shoppers, but enterprises as well.

The Domain Gold Rush: Fortinet’s View of Pre-Holiday Recon

Attackers understand cyclical shopping trends and consumer behavior, and often prepare weeks ahead of time for massive shopping holidays like Black Friday. They do this by registering huge numbers of holiday-themed and retail-brand-themed domains to use in their attacks. The core findings of Fortinet’s article include over 18,000 holiday-themed domains registered in the previous three months, with 750 of them confirmed malicious and many more considered suspicious. Additionally, there were over 19,000 e-commerce-themed domains registered, almost 3,000 of which were malicious.

Fortinet also noted an explosion of stealer logs, with 1.57 million compromised e-commerce accounts circulating underground. These statistics demonstrate that threat actors are not improvising their attacks, but building foundational infrastructure to support strategic campaigns.

Phishing at Scale: Darktrace’s Early Data from Black Friday Week

Darktrace’s real-time observations in November reveal significant holiday season attack trends. Darktrace saw a 54% spike in phishing attacks impersonating retailers, a pattern dominated by Amazon spoofs, which make up 80% of brand imitations. The volume of phishing attacks is projected to surge by another 20-30% during Black Friday week.

Darktrace also noted a prolific “Deal Watchdogs” phishing campaign, which deceptively funnels shoppers to fake Amazon sites. Attackers leverage common behaviors around the holiday season, exploiting urgency and deal-hunting behavior in consumers, and synchronize campaigns with retailer promotions to take advantage of a lack of vigilance.

The Mobile Threat Explosion: Zimperium’s Warning for Enterprises

Zimperium’s zLabs Mobile Shopping Report highlights a dramatic escalation in the mobile vector. Mobile phishing (mishing) remains the top mobile threat, with holiday urgency fueling click-through rates. Zimperium saw spikes of up to four times as many phishing and malware detections during the 2024 holiday season. In 2025, Zimperium notes 120,000 fake retail apps, 65% of which are mimicking legitimate brands.

The zLabs report also shows that malware now intercepts one-time passwords and overlays login screens to achieve credential theft. Beyond malware and deceptive imitations, even legitimate retail apps are exposing enterprises through software development kit misconfigurations and vulnerable third-party libraries. While most intelligence and discussion surrounding risk in the holiday season is focused on the dangers faced by individual consumers, attackers don’t just target shoppers; they target the retail ecosystem. Enterprises are also at risk from these attacks and should take steps to protect against them.

What This Means for Retailers, Financial Institutions, and E-Commerce Infrastructure

Taken together, the reports from Zimperium, Fortinet, and Darktrace show that the threat landscape is changing. Some of the most prominent trends include:

  • Automation is shortening the time from domain registration to phishing campaign execution.
  • The surge in fake mobile apps and mishing attacks blends seamlessly with user behavior around the holidays.
  • The supply chain behind digital retail—including payments, loyalty systems, and cloud infrastructure—is now a part of the attack surface that must be overseen and secured.
  • Stealer logs create a persistent downstream risk that continues to empower attacks long after the end of the holiday season.

These trends highlight an ongoing need for effective visibility, identity security, and continuous monitoring to protect against rising threats. “Black Friday doesn’t need to be a hacker’s payday,” says Anne Cutler, Cybersecurity Evangelist at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. “A few proactive steps, coupled with an identity-first mindset, can make the difference between a money-saving bargain and a costly breach.”

Preparing for the Peak Season: Strategic Recommendations

In order to effectively account for the rising threats in the holiday season and prevent opportunistic attacks, it is vital for organizations and individuals alike to take steps to protect themselves. Retailers are advised to monitor brand domains and mobile app stores continuously to catch any imitators attempting to use their brand names for malicious purposes. Financial institutions should assume that behavioral anomalies lining up with seasonal attack trends may signal compromise, and have processes in place to remediate such incidents.
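One way to triage a feed of newly registered domains for brand imitation, as an added example that is not taken from Fortinet, Darktrace, or Zimperium. The brand `examplemart`, its official domain, the keyword list, and the sample feed are all constructed assumptions.

```python
import re

BRAND = "examplemart"              # hypothetical retailer name (assumption)
OFFICIAL = {"examplemart.com"}     # the brand's own domains are never flagged
SEASONAL = ("blackfriday", "cybermonday", "holiday", "xmas", "deal", "sale", "gift")
DIGIT_SWAPS = str.maketrans("0135", "oles")   # common look-alike digits

# Constructed sample of a newly-registered-domain feed.
SAMPLE_FEED = [
    "examplemart.com",
    "examplemart-blackfriday-deals.shop",
    "examp1emart-gifts.store",
    "examplmart-sale.net",
    "winter-holiday-recipes.org",
]


def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain):
    """Return the reasons a newly registered domain needs analyst review."""
    domain = domain.strip().lower().rstrip(".")
    if domain in OFFICIAL:
        return []
    # Assumption: the last label is the TLD; production code would use the Public Suffix List.
    name = domain.rsplit(".", 1)[0]
    folded = name.translate(DIGIT_SWAPS)
    reasons = []
    if BRAND in name.replace("-", ""):
        reasons.append("brand-substring")
    elif BRAND in folded.replace("-", ""):
        reasons.append("brand-homoglyph")
    elif any(edit_distance(t, BRAND) <= 1 for t in re.split(r"[^a-z]+", folded) if t):
        reasons.append("brand-typo")
    # Seasonal words alone are too noisy; they only raise the priority of a brand match.
    if reasons and any(word in folded for word in SEASONAL):
        reasons.append("seasonal-keyword")
    return reasons


def review_queue(feed):
    """Map each flagged domain in the feed to its reasons."""
    return {d: r for d in feed if (r := triage(d))}
```
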

Enterprises are encouraged to reinforce mobile app security testing ahead of promotional launches. Consumer-facing organizations can also increase messaging around phishing and fake app awareness during the holiday season to help protect shoppers. SOC teams should prepare for seasonal trends in threat activity, such as higher volumes of credential stuffing driven by surging stealer log usage.
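A sketch of the credential-stuffing signal a SOC could alert on, added here as an example and not drawn from the cited reports: one source trying many distinct accounts in a short window with mostly failures, as opposed to one user retrying their own password. The log format, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = [
    f"2025-11-28T09:00:{i:02d} 203.0.113.7 user{i:02d} {'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
] + [
    "2025-11-28T09:01:00 198.51.100.4 dana FAIL",   # one person mistyping a password
    "2025-11-28T09:01:20 198.51.100.4 dana FAIL",
    "2025-11-28T09:01:45 198.51.100.4 dana OK",
]


def stuffing_sources(lines, window=timedelta(minutes=5), min_users=10, max_ok_ratio=0.2):
    """Flag source IPs that try many distinct accounts in one window and mostly fail."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            ok_ratio = sum(ok for _, _, ok in span) / len(span)
            best = flagged.get(ip, {"distinct_users": 0})
            if (len(users) >= min_users and ok_ratio <= max_ok_ratio
                    and len(users) > best["distinct_users"]):
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts the source got into: these need session kill and reset.
                    "compromised": sorted(user for _, user, ok in span if ok),
                }
    return flagged
```

The `compromised` list is the part that drives response: a successful login inside a flagged window means the stuffed credential was valid, so that account needs a reset regardless of what happens to the source IP.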

The Holiday Threat Surface Isn’t Seasonal Anymore

The data from Fortinet, Darktrace, and Zimperium collectively point to a structural shift in attack trends. Holiday cybercrime is no longer a predictable annual spike—it’s a testing ground for attackers refining techniques they will deploy year-round. The convergence of consumer behavior, mobile-first commerce, and attacker automation is reshaping the security expectations for every organization operating in the digital economy.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.