Season of Giving, Season of Taking: Heightened Fraud During Holiday Shopping

Posted: 22nd November 2022
By: Insikt Group®


Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report details the risks the holiday season presents for individuals and financial institutions, describes the tools and services that scammers can use during the holidays, and provides tips on how to avoid threats during this period. It is intended for fraud and cyber threat intelligence (CTI) teams at financial institutions and security researchers.

Executive Summary

With Black Friday and Cyber Monday soon beginning the holiday shopping season, merchants are increasing efforts to attract consumers and online shoppers are looking for discounts. Meanwhile, in the criminal underground, a parallel process is beginning as threat actors anticipate increased opportunities to commit fraud. While retailers offer discounts on the latest electronics and clothing, carding shops offer discounts on compromised payment card data. While manufacturers increase production and create innovative goods and services, threat actors release phishing and scam sites to lure in online shoppers and use the latest criminal software. And while retailers launch advertising campaigns and partner with marketing firms, threat actors prepare spam lists and partner with other threat actors to place online ads for their fraudulent websites.

This report analyzes threat actors’ offerings and discussions on fraud-focused forums, carding-shop activity, and phishing and scam website activity from previous holiday seasons. Threat activity during this period involves all stages of the fraud life cycle, from the point of compromise to sale and fraudulent monetization. Historical data from the past 3 years shows that the volume of compromised payment cards offered for sale increases during the holiday season in comparison to the preceding and following 3-month periods. Ultimately, it is likely that the 2022 holiday season will follow a similar pattern, resulting in a period of heightened risk for cardholders, financial institutions, and associated service providers.

Key Judgments

  • Cybercriminals are sensitive to changes in victims’ purchasing habits during the holidays. As online shopping increases during the holidays, cybercriminals prepare to take advantage of expanded opportunities to defraud their victims.
  • Cybercriminals exploit seasonal changes in merchants’ anti-fraud measures, especially as anti-fraud measures are loosened to better handle the surge of transactions during the holidays.
  • Promotions, discounts, and special offers for illicit services and stolen data increase during the holidays, encouraging more cybercriminal activity both during and after the holiday season.
  • Cybercriminals are likely to take advantage of common holiday-related promotions such as Black Friday and Cyber Monday by creating themed phishing and scam pages designed to entice victims with the promise of savings.
  • An increase in compromised payment cards posted for sale is likely during the holidays. This could be a result of increased shopping activity, relaxed anti-fraud measures, and increased phishing and scam activity.


Payment fraud is a game of cat and mouse. The cats (financial institutions, payment card networks, merchants, payment processors, law enforcement, and payment fraud intelligence companies) continue to refine data-driven anti-fraud systems, develop more secure methods of payment, and improve payment card data storage standards. For the mice (threat actors and carding shops), the focus is adaptability. They must identify the cats’ blind spots and squeeze out criminal profits for as long as they remain.

For threat actors, adaptability occurs at all stages of the fraud life cycle: the abuse of legitimate services for more persistent e-skimming and hard-to-detect card checking, bypassing security advancements like 3-D Secure (3DS), and responding to exogenous shocks to card fraud market like the brief but unexpected Russian law enforcement crackdown on cybercrime.

Threat actors view Black Friday and the holiday season as another opportunity to adapt their schemes, offerings, and activities to squeeze out additional criminal profits. Over the past 3 years, the volume of compromised card-not-present (CNP) payment cards offered for sale on carding shops during the holiday season — November through January — has typically exceeded the preceding 3 months by an average of 5% and the following 3 months by an average of 20%.

Although the past 3 years of data indicate a relationship between the holiday season and payment fraud, we identify spikes in card fraud throughout the year resulting from a host of other factors (innovations by threat actors, large-scale breaches, carding shop dynamics, and more). Therefore, the holiday season should not be interpreted as a fundamentally exceptional period of increased fraud activity, but as another prominent example of threat actors’ adaptability, which in this case corresponds to a specific seasonal period.

Threat Analysis

Cybercriminals take advantage of the holidays to conduct their activities more frequently and effectively. The holidays present threat actors with enhanced opportunities to avoid detection since victims are less likely to notice fraudulent transactions due to the increased volume of sales and purchases. In part, promotional discounts on illicit services and stolen data within the threat actor community also facilitate a rise in attacks. Additionally, threat actors can attempt to directly exploit consumers’ relaxed spending habits with targeted phishing attempts such as holiday-themed phishing and scam pages.

Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.