Holiday Fraud Trends 2025: The Top Cyber Threats This Season

Holiday Fraud Trends 2025: The Top Cyber Threats to Watch This Season

Holiday Fraud Trends 2025: The Top Cyber Threats to Watch This Season

image: envato/LightFieldStudios

Holiday fraud in 2025 is evolving faster than ever, as attackers use AI, automation, and stolen data to launch large-scale campaigns.

Écrit par
Ken Underhill
Ken Underhill
Nov 12, 2025

As the 2025 holiday season approaches, fraud activity is already accelerating.

According to data from KasadaIQ, attackers are starting earlier, automating faster, and leveraging artificial intelligence (AI) to blur the line between human and bot activity.

Across the retail, hospitality, and quick-service restaurant (QSR) industries, researchers warn that this year’s fraud landscape may surpass all previous records in both scale and sophistication.

Unwrapping the top Holiday fraud trends of 2025

Fraud operations have evolved into an industrialized ecosystem.

Automation kits, stolen account data, and malicious configurations — known as configs — are traded with the same efficiency as legitimate software tools.

Generative AI is fueling this trend, enabling attackers to mimic authentic consumer behavior and bypass traditional fraud detection systems. KasadaIQ’s analysis reveals that adversaries are pre-positioning for the holiday period with early configuration sales, higher automation, and more adaptive attack patterns.

The convergence of AI, automation, and underground marketplaces means fraud is no longer limited to major shopping days — it is a continuous, data-driven enterprise.

Trend 1: Fraud campaigns are starting weeks earlier

Attackers are no longer waiting for Black Friday.

KasadaIQ tracked a 92% increase in malicious configurations targeting retail and a 400% increase against accommodation industries between January and October 2025. These configurations — scripts used for credential stuffing, scraping, and automated checkout — are now being deployed 10 to 14 days before peak sales.

This shift allows adversaries to test infrastructure, refine attack scripts, and sell proven configurations ahead of the holiday rush.

Organizations that only activate heightened monitoring during Thanksgiving week will likely miss the preparatory attacks that set the stage for large-scale fraud.

Advertisement

Trend 2: Account takeover is the fastest-growing fraud channel

Account takeover (ATO) remains the most active vector for holiday fraud.

Kasada’s telemetry found more than 311 million stolen accounts listed across dark web marketplaces in 2025 — 63% belonging to retail brands. Attackers use large-scale credential-stuffing campaigns to access consumer accounts and exploit stored payment data, loyalty points, or shopping carts.

These attacks are often timed in the week before Black Friday, when accounts are fully loaded with value. In just one month, Kasada observed over 1,100 credential-stuffing incidents across 133 retailers, compromising an estimated 265,000 accounts.

Security teams should treat ATO as an ongoing, intelligence-driven campaign, not an isolated event.

Trend 3: Gift cards remain the preferred monetization tool

Gift cards remain the most effective channel for converting stolen assets into profit.

Kasada identified 8.9 million stolen retail cards and 7.5 million QSR cards listed for sale. Fraudsters favor gift cards because they are anonymous, fast to resell, and difficult to trace. Retail card activity typically spikes before Black Friday and Cyber Monday, while QSR cards peak later in December.

Security teams should monitor for unusual redemption velocity, repeated balance checks, and suspicious API calls that verify card validity.

Trend 4: AI-powered bots will dominate traffic

For the first time, AI-driven bots are expected to account for the majority of holiday web traffic.

Kasada predicts a 520% increase in AI-generated requests compared to 2024. These bots mimic human behavior with random movements, hesitations, and input variability — making them difficult to distinguish from legitimate shoppers.

AI bots are being used to enroll fake loyalty accounts, scrape pricing data, and complete automated purchases within milliseconds.  Because many interact directly with backend APIs, traditional web-based rate limiting and pattern recognition are becoming ineffective.

Organizations should adopt behavioral fingerprinting and API-level anomaly detection to combat these threats.

Advertisement

Trend 5: Adversaries are monetizing faster

Kasada’s monitoring of criminal forums shows that compromised data now moves from breach to resale in under five days.

Automation has shortened the fraud lifecycle dramatically — attackers steal, process, and sell data before defenders can respond. This speed compresses investigation windows and increases pressure on incident response (IR) teams.

Security operations centers (SOCs) must integrate fraud telemetry into real-time monitoring and leverage automated alerts to identify brand-specific threats early. Collaboration between fraud and cybersecurity teams is essential to match the speed of modern adversaries.

How to strengthen holiday fraud defenses

This year’s holiday threat landscape demands faster, smarter, and more unified defenses.

Fraud prevention cannot operate in isolation from cybersecurity operations. To prepare, organizations should do the following:

  • Start monitoring earlier: Shift fraud readiness two weeks ahead of traditional timelines and baseline normal traffic.
  • Protect account integrity: Use adaptive multi-factor authentication (MFA) and detect logins from automated or unusual device types.
  • Defend APIs: Implement authentication and rate controls at the API layer, where most bots now operate.
  • Unify fraud and security operations: Combine ATO, bot detection, and fraud analytics under a single operational view.
  • Monitor criminal marketplaces: Track configuration sales and brand mentions to detect upcoming campaigns before they peak.

By taking these basic steps, organizations can build cyber resilience against fraudulent activity.

Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.com.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.