
Key Cyber Threats Facing the Retail Sector this Holiday Season

It’s that time of year again: decorations go up, inboxes are flooded with seasonal deals, and gift buying begins in earnest. Black Friday marks the beginning of the most lucrative time of year for many retail organizations. Adobe estimates that U.S. online sales between November 1 and December 31, 2025 will reach US $253.4 billion. This is a 5.3% increase over 2024. Cyber Week (the period after the Black Friday weekend) alone is expected to generate US $43.7 billion in online spend, up 6.3% year-on-year.
But the same conditions that make the holiday season so profitable for the retail sector also present prime opportunities for cyber threat actors. Customers feeling the pressure to quickly navigate time-sensitive deals are more likely to click first and think later, while the sheer volume of transactions makes it easier for malicious activity to be masked by legitimate traffic. The problem is now so prolific that Black Friday is increasingly dubbed “Black Fraud Day.”
This blog outlines some of the key cyber threats facing the retail sector over the holiday period, helping CTI and security teams to anticipate how to secure their organization. A full examination of these cyber threats — including analysis of underground markets and data — will be available in our upcoming whitepaper on the topic.
You can sign up to join the waiting list to receive early access to the full report, titled Black “Fraud Day” and Beyond - Key Cyber Threats Facing the Retail Sector this Holiday Season.
Gift cards consistently rank among the most purchased items during the holiday period. In 2024, they were reportedly the third most purchased product over the Black Friday weekend. Cybercriminals find them useful too. Gift cards are easy to sell in underground forums in part because they can be used to make purchases with very little personally identifiable information (PII). This makes tracking gift card fraud difficult and reinforces the cards’ value to cybercriminals. The holiday rush also sees gift card sales spike, permitting any unusual or high-risk patterns to be obscured in the volume of normal activity.
Threat actors engage in gift card fraud through a variety of methods. Automated account‑checking tools are used to test stolen or guessed credentials at scale against retailers’ login pages and APIs. When the tools find a valid combination, attackers gain access to stored payment methods and any linked gift card or loyalty balances. Compromised account information from data breaches and infostealer logs feeds this process further: credentials stolen in one context are repurposed elsewhere to log into consumer accounts and either buy new gift cards or redeem existing balances. In some cases, malicious insiders within retail or partner organizations activate gift cards without receiving payment, or leak gift card details to external fraudsters. Social engineering also plays a role, with attackers manipulating customer service or store staff into issuing or topping up cards under false pretenses.
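As an added example that is not part of the original post, the following Python sketch flags the account-checking pattern described above in a constructed login log: one source trying many distinct usernames with a high failure ratio, and the few accounts that did authenticate during that burst. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag automated account checking in login logs (added example, not from the post).
Log format and thresholds are assumptions chosen for illustration."""
from collections import defaultdict

# Constructed sample log: timestamp,src_ip,username,result
SAMPLE_LOG = """\
2025-11-28T09:00:01,203.0.113.7,alice,FAIL
2025-11-28T09:00:01,203.0.113.7,bob,FAIL
2025-11-28T09:00:02,203.0.113.7,carol,OK
2025-11-28T09:00:02,203.0.113.7,dave,FAIL
2025-11-28T09:00:03,203.0.113.7,erin,FAIL
2025-11-28T09:00:03,203.0.113.7,frank,FAIL
2025-11-28T09:00:04,203.0.113.7,grace,FAIL
2025-11-28T09:00:04,203.0.113.7,heidi,OK
2025-11-28T09:01:00,198.51.100.4,alice,FAIL
2025-11-28T09:01:30,198.51.100.4,alice,FAIL
2025-11-28T09:01:45,198.51.100.4,alice,OK
2025-11-28T09:02:00,192.0.2.9,bob,OK
"""

def parse_log(text):
    """Parse CSV-style lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        rows.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return rows

def find_account_checkers(rows, min_users=6, min_fail_ratio=0.7):
    """Return {src_ip: sorted accounts that authenticated} for every source that
    tried at least min_users distinct usernames with a failure ratio of at least
    min_fail_ratio. A user retrying their own password (198.51.100.4 above) does
    not match; accounts that succeeded from a matching source need step-up/reset."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, attempts in by_ip.items():
        distinct_users = {a["user"] for a in attempts}
        fail_ratio = sum(not a["ok"] for a in attempts) / len(attempts)
        if len(distinct_users) >= min_users and fail_ratio >= min_fail_ratio:
            hits[ip] = sorted(a["user"] for a in attempts if a["ok"])
    return hits

if __name__ == "__main__":
    print(find_account_checkers(parse_log(SAMPLE_LOG)))  # {'203.0.113.7': ['carol', 'heidi']}
```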
By monitoring the cyber underground, we continue to observe long-running marketplaces and platforms dedicated to the sale of gift cards, often obtained through fraud. Some of these boast user bases of up to five figures and a self-reported turnover in the mid-six figures (USD).
The forthcoming whitepaper will take a closer look at these ecosystems, discussing the operating models of prominent gift card and payment carding marketplaces, before exploring tactics such as digital skimming and the abuse of near-field communication (NFC) technology that actors use for illicit gain.
Understanding these marketplaces is crucial to understanding how and where actors are successfully monetizing your customers and your brand. A noticeable increase in the volume of gift cards pertaining to a certain brand may be an indication of specific attack paths, such as insider fraud or account takeover, helping security teams to address these issues and protect the organization.
With inboxes bursting with seasonal promotions and consumers hungry for ways to save money, the holiday period presents threat actors with the perfect environment for social engineering. Threat actors will often use the same channels that legitimate marketing organizations use to spread news about genuine sales and offers. Because the scammers mimic campaigns that already carry a built-in sense of urgency, it becomes much harder for customers to distinguish a convincing fraudulent lure designed to harvest details from a genuine offer.
Interestingly, we’ve noted threat actors capitalizing on post-incident PR schemes. In one example, a retailer that had been impacted by a large-scale ransomware attack earlier in the year had sent out e-gift cards to affected customers as a means of compensation for any inconvenience caused. Threat actors were observed mimicking these outreach emails for their own malicious ends, directing recipients to attacker-controlled sites instead (See Figure 1).

Figure 1: The left image shows the legitimate outreach email from the retail brand and the screenshot on the right shows a scam email.
The observation highlights the long-term impact of falling victim to a ransomware attack. The damage continues long beyond the initial outage, with even remediation efforts being repurposed to become credible lures for social engineering campaigns. It may be worth considering the inclusion of monitoring for brand abuse and social engineering attempts in connection with the incident.
Another effective way that attackers harvest credentials in the holiday period is by creating fake websites. They design these websites to mimic well-known companies, tricking consumers into thinking they are making purchases from the legitimate retailer. In reality, the attacker collects sensitive information like login credentials, payment details and personal data from unsuspecting consumers.
Fraudsters can build these fake webpages themselves if they have the required skills. However, those who lack the technical capability need only turn to the cyber underground, where ready-made templates, full storefront kits, and even managed “phishing-as-a-service” offerings are widely available.
NordVPN recently claimed it had detected a 250% rise in fake online shops in the lead up to Black Friday. Indeed, in the first two weeks of November 2025, we observed numerous domains and websites specifically designed to impersonate well-known brands. Similar websites impersonating other popular brands are almost certain to crop up as the holiday season commences.
Attackers also drive traffic to these deceptive sites using search engine optimization (SEO) techniques and invest in advertising across search engines and social media platforms (See Figure 2). These advertisements frequently offer seemingly unbeatable deals on sought-after items, playing on a sense of urgency and scarcity to attract shoppers.

Figure 2: Image of a fake website piggybacking off the Pandora jewelry brand appearing as sponsored content. Note the typographical errors.
Credential and card data taken from phishing and fake websites feed directly into downstream cyber threats in the holiday season and beyond. The information collected is sold in underground markets. Purchased by threat actors, these may be used for account takeover activity against legitimate retailers for fraudulent transactions or gift card purchases elsewhere. They may also provide the initial access for ransomware attacks to commence.
The upcoming white paper will also discuss Artificial Intelligence (AI). The adoption of AI continues to make an impact in cyber underground activity. We assess that, for profit-driven criminals, it continues to serve more as an efficiency tool than a fundamentally new strategy. However, by lowering the barrier for entry, it is likely to have enticed newcomers and less-technically skilled actors to try their hand in contributing to the underground economy.
One of the prime use cases we observe for AI in the cyber underground is to enhance social engineering, as reported in our soon-to-be-published white paper. Social engineering remains a leading attack vector, and AI has significantly increased its efficiency and authenticity, therefore enhancing its effectiveness. Threat actors are now able to rapidly generate tailored phishing content — such as fake webpages, texts and emails in non-native languages, impersonation attempts and other synthetic media — with far less effort than was needed before. As a result, we are observing a shift away from broad, opportunistic scams to more targeted and personalized campaigns that mimic legitimate businesses and organizations with increasing accuracy. As AI’s capabilities evolve rapidly, it should be considered a real and escalating threat to online trust and security for retailers and their customers.
Ransomware is a critical operational threat throughout the year, but when systems and staff are under strain, the risk and the consequences may grow greater during the festive period. E‑commerce platforms, point‑of‑sale systems and logistics platforms are under a heavier load as shoppers fill their bags and deliveries intensify. At the same time, cybersecurity teams usually operate with reduced staffing as the holidays open gaps in shift changes and operational priorities compete for attention.
Ransomware actors will use this to their advantage, performing intrusions while defenders are distracted. If ransomware attackers can time encryption or data theft to coincide with this pivotal period of revenue generation, the downtime exerts maximum pressure, and retailers are more likely to pay to reduce the cost associated with it. In 2024, Intel 471 detected over 50 ransomware breaches impacting the retail industry during November and December alone, accounting for 18% of the total breaches for that year. Given the importance of the festive period to the retail sector, incidents during these critical months are likely to have a disproportionate impact compared with attacks carried out at any other time of year.
The upcoming white paper provides a breakdown of this year’s landscape including monthly incident counts, geographic distribution and the most prolific ransomware variants involved.
These insights will help organizations to better prioritize limited security resources against the threats most likely to interrupt their peak trading periods.
Retailers wanting to fully embrace the rewards of the holiday season will need to be proactive as they prepare against the cyber threats that accompany it. Gift card fraud and card‑not‑present abuse show how attackers monetize compromised data and customer accounts at scale. Phishing campaigns and fraudulent websites reveal how they harvest that data in the first place, often abusing your brand and even exploiting post-breach remediation efforts as lures. Large numbers of ransomware incidents in November and December demonstrate that some adversaries time their most disruptive operations to coincide with your most critical trading days.
Continuous monitoring of the cyber underground, including the marketplaces that trade gift cards, credentials and payment data, is essential. Equally important is ensuring that fraud, security and legal teams can operationalize this data, translating CTI into actions such as controls, disruptions and customer communications before the peak period hits.
Our upcoming whitepaper, Black “Fraud Day” and Beyond — Key Cyber Threats Facing the Retail Sector this Holiday Season, is designed to support this with a critical overview of the threat landscape. You can pre-register for early access here.
