A Holiday “Perfect Storm”: Why Cyber Attacks Surge in the U.S. and How Organizations Can Prepare

As U.S. organizations head into the Thanksgiving, Black Friday, Christmas, and New Year holidays, attackers are doing the same thing your finance team is doing: planning their year-end numbers. Every year, security teams observe the same pattern: cyberattacks become more frequent and more damaging while offices are understaffed, executives are traveling, and systems are under peak load.

Some key statistics support this:

  • There is a 30% average increase in cyberattacks during holiday periods.
  • Holiday phishing attempts continue to surge by over 25% year-over-year.
  • Fraud and abuse attacks rise 15–30%. Recent retail data shows fraud attack rates during the holidays are 15–30% higher than during the rest of the year, driven by increased e-commerce volume and overwhelmed defenses.

Why Holidays Create a “Perfect Storm” for Attackers

  • Higher transaction volume can obscure anomalies and increase fraud risk.
  • IT change freezes can leave known vulnerabilities unpatched for the entire holiday window.

Common Holiday Attack Patterns

Attackers tend to rely on a familiar set of techniques to achieve their objectives.

  • Phishing, smishing, and vishing use holiday themes to trick targets.
  • Ransomware is often timed for long weekends, staged to execute on the last day before workers return from time off.
  • Business Email Compromise (BEC) attacks target year‑end financial flows.
  • DDoS is sometimes used to distract security and IT staff while the attackers attempt a deeper intrusion.
  • Web skimming and account takeover increase during peak shopping.

30‑Day Holiday Cyber Hardening Plan

HALOCK recommends a 30-day plan to harden systems and access, improving resilience and response readiness before the holidays begin.

What to prepare before the holidays

  • Identify and prioritize key systems, third parties, and contacts. It is far better to do this now than during an incident.
  • Patch and harden identity, MFA, and remote access. Got some lingering critical and high vulnerabilities? Now is the time to address them. Open RDP (Remote Desktop Protocol) and VPN (Virtual Private Network) access? Consider locking these down for the holiday season.
  • Validate backups, test restores, and run a tabletop exercise.
    • Run a tabletop that answers the question, “What would we do if a ransomware incident started on the Sunday after Thanksgiving?”
    • Ensure there are immutable, offline, and/or isolated backups that an attacker cannot reach.
  • Prepare your holiday incident response playbook. Who is on call as primary and backup? Who are the escalation contacts for third-party providers, HR, legal, and executives? Do you have an incident response partner or agreement in place if an incident occurs?

If you had to run the business for a week with only three systems, which would they be? Those should be the focus of holiday preparation.

What to Monitor During the Holidays

  • Ensure that system and application monitoring is enabled and captures enough detail to identify potentially malicious activity. Unusual login patterns, increased authentication failures, and MFA fatigue attempts may indicate unwanted activity.
  • Privilege escalation or suspicious admin activity may be an early indicator of an attacker staging the environment for an attack. Monitor privileged groups and accounts.
  • For phishing attacks, creation of email forwarding rules or other mailbox manipulation may be a sign of a compromised mailbox.
  • Large outbound data transfers or encryption behavior may indicate data exfiltration and the start of a ransomware attack.
  • Remind your employees to watch for potential scams such as unexpected emails about bonuses, gift cards, shipping issues, or changes to travel. Ensure your employees know how to report suspicious activity.
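The first four indicators above can be checked mechanically against authentication, directory, mailbox, and network telemetry. The following is an added example, not HALOCK's tooling or a product's API: it triages a constructed set of JSON-lines events for MFA fatigue, privileged-group additions, external mailbox forwarding rules, and large outbound transfers. The event field names, the org domain example.com, the group names, and every threshold are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines, not real telemetry). Field names,
# group names, the org domain and the thresholds are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-11-30T02:10:00Z","type":"mfa_push","user":"jdoe","result":"denied"}
{"ts":"2025-11-30T02:11:30Z","type":"mfa_push","user":"jdoe","result":"timeout"}
{"ts":"2025-11-30T02:13:00Z","type":"mfa_push","user":"jdoe","result":"denied"}
{"ts":"2025-11-30T02:30:00Z","type":"group_change","action":"add","group":"Domain Admins","target":"svc-backup","actor":"jdoe"}
{"ts":"2025-11-30T02:35:00Z","type":"mailbox_rule","user":"cfo","forward_to":"ap@mail-example.net"}
{"ts":"2025-11-30T02:36:00Z","type":"mailbox_rule","user":"hr","forward_to":"hr-shared@example.com"}
{"ts":"2025-11-30T03:00:00Z","type":"netflow","host":"fileserver01","direction":"out","bytes":4000000000}
{"ts":"2025-11-30T03:05:00Z","type":"netflow","host":"fileserver01","direction":"out","bytes":3000000000}
{"ts":"2025-11-30T03:06:00Z","type":"mfa_push","user":"asmith","result":"approved"}
"""

ORG_DOMAIN = "example.com"            # forwards that stay in the org are routine
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators"}
MFA_FATIGUE_PUSHES = 3                # unapproved pushes per user ...
MFA_WINDOW = timedelta(minutes=10)    # ... inside this sliding window
OUTBOUND_BYTES = 5_000_000_000        # total egress per host across the log

def parse_events(text):
    # Parse JSON lines into dicts with a datetime 'ts', oldest first.
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def triage(events):
    """Return (indicator, subject) pairs that deserve a human look."""
    findings, pushes, egress = [], defaultdict(list), defaultdict(int)
    for ev in events:
        kind = ev["type"]
        if kind == "mfa_push" and ev["result"] != "approved":
            user = ev["user"]   # keep only this user's pushes still inside the window
            pushes[user] = [t for t in pushes[user] if ev["ts"] - t <= MFA_WINDOW] + [ev["ts"]]
            if len(pushes[user]) >= MFA_FATIGUE_PUSHES and ("mfa_fatigue", user) not in findings:
                findings.append(("mfa_fatigue", user))
        elif kind == "group_change" and ev["action"] == "add" and ev["group"] in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", ev["target"]))
        elif kind == "mailbox_rule" and not ev["forward_to"].endswith("@" + ORG_DOMAIN):
            findings.append(("external_forwarding_rule", ev["user"]))
        elif kind == "netflow" and ev["direction"] == "out":
            egress[ev["host"]] += ev["bytes"]   # one flow rarely tells the story; aggregate
    findings += [("large_outbound", h) for h, b in egress.items() if b >= OUTBOUND_BYTES]
    return findings
```

Run `triage(parse_events(SAMPLE_LOG))` to see the four findings the sample produces; the internal forward for `hr` and the approved push for `asmith` are correctly left alone.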


If You Suspect an Attack

Time to pull out the incident response playbook prepared during the preparation phase.

  • Contain first: isolate systems, disable accounts, block traffic. The priority is to stop the attack from spreading as quickly as possible. These procedures should already be documented as part of the tabletop exercise performed in the preparation step.
  • Escalate to leadership and activate IR support. Get them involved early.
  • Preserve evidence for forensics and insurance. This may include logs, system snapshots, or entire systems, and it is critical for forensics, insurance claims, and potential legal obligations.
  • Notify authorities and meet regulatory deadlines. The FBI’s Internet Crime Complaint Center (IC3) portal and CISA encourage prompt reporting, especially for ransomware and BEC, which can improve the chances of fund recovery and broader sector-wide defense.

If you would like to discuss any of the recommendations provided, what approaches or solutions can be put in place to address security gaps, or if you need incident response assistance, contact HALOCK.


Here is a concise Holiday Cyber Readiness checklist to assist with preparation for, and response to, a cyber-attack.

Holiday Cyber Readiness Checklist

Pre‑Holiday Preparation (30 Days Before)

  • List crown‑jewel systems.
  • Confirm critical third‑party contacts.
  • Verify cyber insurance, IR retainer, and legal/PR contacts.
  • Validate alternate communication channels.
  • Patch all internet‑facing systems.
  • Enforce MFA for all remote access and privileged accounts.
  • Disable unused remote access (RDP, legacy VPN).
  • Review SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records.
  • Enable impersonation protection.
  • Require out‑of‑band verification for banking changes.
  • Validate offline/immutable backups.
  • Perform a timed restore test.
  • Conduct a holiday ransomware tabletop exercise.

During the Holiday Window

  • Monitor unusual VPN/remote access activity.
  • Check for MFA fatigue or abnormal login locations.
  • Watch for admin group changes.
  • Detect email forwarding rules.
  • Monitor for large outbound data transfers.
  • Freeze non‑critical changes.
  • Require approvals for emergency changes.

If an Incident Occurs

  • Isolate devices and disable affected accounts.
  • Block malicious IPs/domains.
  • Notify security leadership immediately.
  • Engage Incident Response (IR) retainer or cyber insurer.
  • Capture logs, snapshots, and evidence.
  • Notify the FBI’s Internet Crime Complaint Center (IC3) or CISA if required.


QUICK FAQ (Frequently Asked Questions): Incident Response & Compromise Assessment

What is an incident response plan (IRP)?

A written playbook for how to detect, contain, and respond to cybersecurity incidents.


Why do organizations need a compromise assessment?

To verify whether an attacker is present in the environment and, if so, to assess the scope of the damage that has been done.

Are incident response plans a legal requirement?

Yes. GLBA, HIPAA, state privacy laws, SEC rules, and other regulations require incident response preparedness.

How fast can HALOCK respond to a breach?

HALOCK provides 24/7 response support with priority access through IR retainers and SLAs.


How does DoCRA (Duty of Care Risk Analysis) apply to incident response?

DoCRA ensures that response decisions fairly balance harm, likelihood, and burden, which makes those decisions defensible and supports reasonable security.
