Note: Cyber threat statistics are updated annually as new data becomes available from the Australian Signals Directorate’s ACSC Annual Cyber Threat Report and Scamwatch. The figures below reflect the most current published data available as of 2025–26.
The holiday season is a time for joy, connection, and celebration. But for cybercriminals, it’s peak hunting season. With consumers and businesses busier than ever, the holiday period provides the perfect conditions for a surge in cyber attacks.
Why Cybercrime Peaks During the Holidays
The holiday rush creates a golden opportunity for cybercriminals. Increased online shopping, hectic work schedules, and a general sense of urgency make people more susceptible to scams and phishing attempts. Whether it’s a fake shipping notification, a too-good-to-be-true discount, or a fraudulent email disguised as a holiday greeting, malicious actors know how to exploit the moment.
Businesses are also prime targets. As organisations focus on closing the financial year, cybercriminals take advantage of overworked teams, outdated systems, and the general frenzy of the season.
What you can do: Brief your team before the holiday period begins. A short internal reminder about phishing red flags, password hygiene, and how to report suspicious activity can significantly reduce your exposure during the highest-risk weeks of the year.
Cybercrime by the Numbers
The statistics are sobering:
- Online Shopping Scams: Shopping scams were the most reported scam type involving financial loss in 2025, with 9,628 reports resulting in $8.6 million in losses: a 19% increase from the same period in 2024. Fake websites, fraudulent social media ads, and counterfeit deals top the list of delivery methods.
- Rise in Cybercrime Reports: The ASD’s ACSC Annual Cyber Threat Report for 2024–25 recorded over 84,700 cybercrime reports (an average of one every six minutes), with the top three categories being identity fraud, online shopping fraud, and online banking fraud.
- Fake Content Dominates: The ACCC identified fake apps, websites, and social media advertisements as responsible for 47% of overall scam losses, a tactic that ramps up dramatically during holiday sales events.
- Consumer Vigilance: Despite increasing awareness, nearly 60% of Australians admit to falling for or narrowly avoiding scams, particularly during high-pressure sales events like Black Friday and Cyber Monday.
What you can do: Share these figures with your leadership team. The business case for investing in cybersecurity protection is no longer theoretical; it is measured in millions of dollars lost every month across Australia.
Top 10 Cyber Security Threats
Cybercriminals have an arsenal of tactics designed to exploit vulnerabilities. Here are the most common:
- Phishing Emails: Often disguised as receipts, shipping updates, or special offers, these emails trick users into clicking malicious links or sharing sensitive information. AI-generated phishing campaigns are now targeting Australian businesses with messages that reference real staff names, real projects, and real client relationships, making them far harder to detect than the poorly worded scams of previous years.
- Fake Websites: Fraudulent e-commerce sites mimic legitimate retailers to steal credit card details or sell counterfeit goods. Scamwatch data shows scammers are creating increasingly convincing online shopping platforms and advertising fraudulent products with deals that appear too good to pass up.
- Delivery Scams: With parcel deliveries at an all-time high during the holiday period, fake notifications from Australia Post and other carriers lure victims into revealing personal or financial information.
- Malware and Ransomware: Clicking the wrong link or downloading a suspicious attachment can infect devices, locking them down or stealing sensitive data. Ransomware remains the most disruptive cybercrime threat in Australia, with the ACSC responding to 138 ransomware incidents in FY2024–25, and the Australian Government introducing a mandatory ransomware reporting regime in May 2025 for businesses with annual turnovers of $3 million or more.
- Supply Chain Attacks: Rather than targeting your business directly, attackers compromise a trusted third-party vendor, software provider, or managed service tool your organisation relies on, gaining access to your systems through the back door.
- QR Code Phishing (Quishing): QR codes have become a staple of modern business (menus, payment terminals, parcel tracking, event check-ins), and cybercriminals are exploiting that trust at scale. Quishing involves embedding malicious links inside QR codes that bypass conventional email security filters entirely, because most security gateways scan text and URLs but cannot read image-encoded payloads.
Cyber threats are evolving. Beyond traditional phishing and malware, newer tactics include:
- Cryptocurrency Scams: Fraudulent investment schemes that promise high returns.
- Deepfake Technology: Sophisticated impersonations used to trick employees into transferring funds or sharing sensitive information.
- Social Engineering: Manipulative tactics designed to exploit trust, such as posing as a colleague or trusted vendor, remain highly effective, especially when teams are distracted and understaffed during the holiday period.
- Cloud Misconfiguration and Unauthorised Access: As businesses move more systems and data to the cloud, the security of that environment becomes critical, and misconfiguration remains one of the most common and costly vulnerabilities. Improperly configured storage systems, overly permissive access controls, and a lack of activity monitoring can expose sensitive business data without any sophisticated attack being required.
The Real-World Impact
The consequences of cybercrime during the holiday season extend beyond financial losses. Individuals risk identity theft, while businesses face operational downtime, reputational damage, and regulatory penalties under the Privacy Act 1988 and the Notifiable Data Breach scheme.
Imagine this: A small online retailer falls victim to a ransomware attack in mid-December. With systems locked down, they’re unable to process orders or access customer data. Not only do they lose revenue, but their customers lose trust, a double blow during what should have been their busiest season.
Businesses Are Not Immune
For businesses, the stakes are higher than ever. Employee devices used for personal shopping, outdated software, and lack of cybersecurity protocols create vulnerabilities that attackers can exploit. A single breach can disrupt operations, leak sensitive data, or result in fines for non-compliance.
Small and medium-sized businesses are especially at risk. From a cybercriminal’s perspective, SMBs hold money, customer data, and access into larger organisations, but without the layers of defence or full-time security teams that enterprise businesses maintain. Limited IT resources often mean less robust security measures, making them attractive targets for cybercriminals.
How Corp IT Can Help Protect Your Business
With threats becoming more advanced and more frequent, reactive security is no longer sufficient. Corp IT provides proactive, managed cybersecurity services designed to protect Australian businesses year-round, especially during the high-risk holiday period.
In our next blog, we’ll share practical steps you can take to stay safe, and how Corp IT can help you protect your business from these evolving risks. Contact us today.
Frequently Asked Questions
Why are small and medium businesses at greater risk from cyber security threats during the holidays?
SMBs face a disproportionate level of risk from cyber threats during the holiday period. Limited IT resources, less robust security measures, and employees using personal devices for work create vulnerabilities that cybercriminals actively seek out.
Without a formal cyber security risk assessment or access to MDR services or XDR security capabilities, many SMBs have little visibility into threats until damage has already been done. A single ransomware incident during peak trading can mean lost revenue, destroyed customer trust, and regulatory penalties, consequences that are difficult for smaller businesses to absorb.
How do managed detection and response services help businesses stay protected year-round?
Managed detection and response provides the continuous monitoring, expertise, and rapid response that most businesses cannot maintain internally, particularly outside business hours when cyber security threats often strike. Whether delivered as MDR security services, an XDR service, or a combination of both, these capabilities ensure that the cybersecurity threats most likely to cause serious harm (ransomware, phishing, social engineering, and deepfake fraud) are identified and contained before they escalate.
What are the most common cyber threats during the holiday season?
Cybersecurity threats peak significantly during the holiday period, when increased online activity and business pressure create ideal conditions for cybercriminals. The most prevalent cyber threats include phishing emails disguised as shipping notifications or special offers, fake e-commerce websites, delivery scams, and malware or ransomware delivered through malicious links and attachments.
What is a cyber security risk assessment and why does your business need one?
A cyber risk assessment is a structured process that identifies your organisation’s vulnerabilities, evaluates the likelihood and impact of cyber threats, and prioritises the controls needed to reduce exposure. A cyber risk assessment is particularly important ahead of high-risk periods like the holiday season, when overworked teams, employee devices used for personal shopping, and outdated software create exploitable gaps. For small and medium businesses with limited IT resources, a cyber risk assessment is often the first step toward building a proportionate and defensible security posture.
How do you conduct a cyber risk assessment for a small or medium business?
A cyber risk assessment for smaller businesses should map all systems, data, and access points; identify the cybersecurity threats most relevant to your industry and size; evaluate existing controls; and prioritise remediation based on risk and business impact. Many SMBs discover through this process that gaps in endpoint protection, patch management, and staff awareness represent their greatest exposure. Engaging a specialist to conduct the cyber security risk assessment ensures objectivity and access to current threat intelligence that internal teams may lack.
What is MDR and how does it protect businesses from cyber threats?
Managed Detection and Response is a security service that combines advanced threat detection technology with human expertise to monitor, identify, and respond to cyber threats in real time, 24 hours a day, seven days a week. MDR cybersecurity is particularly valuable during high-risk periods like the holiday season, when internal IT teams are stretched and threat actors are most active. Unlike traditional security tools that generate alerts, MDR security services include active investigation and response, stopping threats before they cause damage.
What do MDR services include and how do you choose a provider?
MDR services typically include continuous monitoring, threat hunting, incident investigation, and guided or active response to confirmed threats. When evaluating managed detection and response providers, businesses should look for coverage across endpoints, networks, and cloud environments; clear response time commitments; transparent escalation processes; and integration with existing security tools. MDR service providers vary significantly in capability; the best MDR service offerings combine technology with experienced security analysts who understand the specific cyber security threats facing Australian organisations.
How do MDR solutions differ from traditional antivirus or firewall protection?
Traditional security tools are largely reactive; they block known threats based on signatures or rules. MDR solutions go further by actively hunting for unknown or emerging cyber threats across the environment, correlating signals that individual tools would miss, and responding rapidly when threats are confirmed. For businesses facing sophisticated cybersecurity threats like deepfakes, advanced phishing, and fileless malware, MDR cybersecurity provides a depth of protection that point solutions simply cannot match.
What is XDR and how does it relate to cyber security?
XDR, meaning Extended Detection and Response, refers to a security approach that unifies data from across an organisation’s entire environment, including endpoints, email, network, cloud, and identity, into a single detection and response platform.
XDR cyber security provides a broader, more correlated view of threats than siloed tools can deliver. A managed XDR service extends this capability by adding the human expertise needed to act on the intelligence XDR generates, a critical advantage when dealing with the volume and sophistication of modern cyber threats.
What is the difference between XDR and EDR?
XDR vs EDR is a common question for businesses evaluating their security options. Endpoint Detection and Response (EDR) focuses specifically on protecting individual devices: laptops, servers, and mobile endpoints. XDR security expands this scope to cover the entire attack surface, correlating signals from email, cloud workloads, network traffic, and identity systems alongside endpoint data. An XDR service therefore provides a more complete picture of an attack in progress, enabling faster and more accurate response to complex cyber security threats that move across multiple systems.


