Holiday Scams 2025: $529 Million Lost as Black Friday Phishing Surges 692% and AI Deepfakes Target Shoppers
The holiday season is supposed to be about joy, family gatherings, and finding the perfect gifts. Instead, for 34 million Americans, it became a nightmare of drained bank accounts, stolen identities, and fraudulent charges. As Thanksgiving 2025 approaches and Black Friday deals flood your inbox, cybercriminals are already counting their profits—and they're using technology you've never seen before.
This year is different. Black Friday-themed phishing attacks surged 692% compared to early November, while Christmas phishing campaigns jumped 327% globally during peak shopping week. But the most terrifying development? Scammers now need just three seconds of audio to clone your voice and impersonate you to your own family members.
Welcome to the 2025 holiday scam landscape, where artificial intelligence meets age-old greed, and where a single click can transform your festive season into a financial disaster.
The Devastating Scale of Holiday Fraud
Let's start with the numbers that should keep every shopper awake at night:
- $529 million: Total consumer losses from online shopping fraud in 2024, according to Federal Trade Commission data from over 380,000 reported cases
- $96 million: Losses to fraudulent charities and crowdfunding scams in 2024 alone (FBI Internet Crime Complaint Center)
- $217 million: Consumer losses specifically from gift card scams in 2023
- 3 out of 4: Black Friday spam emails that are actual scams in 2024, up from 7 out of 10 in 2023
- 2,000%: Increase in phishing attacks mimicking major US retail brands (Walmart, Target, Best Buy) during peak shopping periods
- 120,000: Fraudulent retail apps identified in 2025, with 65% impersonating legitimate brands
The Federal Trade Commission reports that online shopping fraud was the second most common type of fraud in 2024. Over the past five years, the U.S. Internet Crime Complaint Center (IC3) received 3.79 million complaints about online crime resulting in $37.4 billion in losses—with $12.5 billion reported last year alone.
This isn't theoretical anymore. The threat is real, immediate, and accelerating.
The AI Revolution: When Technology Becomes Your Enemy
Voice Cloning: The Three-Second Nightmare
Perhaps the most chilling development in holiday scams is the weaponization of artificial intelligence. In 2024 alone, deepfake fraud surged by 3,000%, fueled by increasingly accessible AI tools. In the Asia-Pacific region, AI-related fraud attempts jumped 194% compared to 2023.
Here's how it works: Scammers scrape a short audio clip—just three seconds—from a TikTok, Instagram video, or any public recording of your voice. Using AI voice cloning technology, they can then impersonate you with terrifying accuracy.
Real case: A mother in Arizona received a call from an unknown number. She heard her 15-year-old daughter's voice crying and claiming she'd been kidnapped. The ransom demand came immediately. While the mother was on the phone in a panic, her husband called their actual daughter, who was safe at ski practice. The voice on the phone was a complete AI fabrication.
Another victim lost $15,000 after receiving a call from her "crying daughter" in distress. She withdrew cash, placed it in a box, and handed it to a driver who picked it up from her house. Her real daughter was never in danger.
McAfee's 2025 holiday shopping research revealed that almost half of Americans (46%) say they've already encountered AI-powered scams while shopping. And 77% of AI voice scam victims lose money.
The "Grandparent Scam" Goes High-Tech
The most common variation is the "grandparent scam," where elderly people receive unexpected calls from a "grandchild" claiming to be stuck in a family emergency:
- "I've been in a car accident and need bail money"
- "I'm stuck abroad and lost my wallet"
- "I'm in jail and need money for a lawyer—please don't tell Mom and Dad"
The urgency, combined with the authentic-sounding voice, triggers panic. Victims are instructed to send money immediately via wire transfer, gift cards, or cryptocurrency—all payment methods that are virtually untraceable.
Critical reality: In 2023, senior citizens were conned out of roughly $3.4 billion in a range of financial crimes. Many of these now leverage AI voice cloning.
AI-Generated Phishing: Grammar-Perfect Deception
Traditional phishing emails were easy to spot—poor grammar, obvious misspellings, awkward phrasing. Not anymore.
AI now enables the creation of highly personalized and grammatically correct phishing emails and text messages (smishing), impersonating retailers, delivery services like FedEx or UPS, financial institutions, or even government agencies. These messages are indistinguishable from legitimate communications.
Scammers use AI to:
- Analyze your social media presence and shopping history
- Generate personalized messages referencing real purchases
- Create convincing fake tracking numbers
- Design professional-looking fake websites that mirror real retailers
The result? Malvertising scams increased 41% ahead of Black Friday and Cyber Monday in 2024, while mobile phishing (mishing) and malware attacks quadrupled during the 2024 holiday season.
Black Friday & Cyber Monday: The Perfect Storm
The 692% Phishing Explosion
Black Friday and Cyber Monday represent the Super Bowl of scam operations. Darktrace reported that Black Friday-themed phishing attacks soared 692% in the last week of November compared to the beginning of the month. Christmas-themed attacks weren't far behind, rising 327% globally during Black Friday week (November 25-29, 2024).
Between October 1 and November 17, 2024, Black Friday spam rates peaked at over 6% of total email volume. And remember: 75% of these emails are actual scams, not just annoying marketing.
Fake Shopping Websites: The 284% Surge
Visa's Payment Ecosystem Risk and Control (PERC) team identified a 284% increase in fake and spoofed merchant websites in the four months leading up to the holiday season.
These fraudulent sites are sophisticated:
- They use stolen photos and logos from legitimate businesses
- They offer incredible deals to lure victims
- They have professional-looking design and checkout processes
- They accept payments but never deliver products (or deliver counterfeit goods)
More than 120,000 fraudulent retail apps were identified in 2025, with 65% impersonating legitimate brands. These apps appear in search results, social media ads, and even in official app stores before being detected and removed.
Brand Impersonation: Who Scammers Are Mimicking
Attacks designed to look like they came from major brands increased by more than 2,000% during peak shopping periods. The most frequently impersonated brands include:
- Walmart (easily the most mimicked US brand)
- Amazon
- Target
- Macy's
- Best Buy
- Old Navy
These phishing emails typically:
- Announce "exclusive Black Friday deals"
- Claim there's a problem with your order
- Offer gift cards or reward points
- Request account verification or password updates
- Include malicious links or attachments
Delivery Scams: When Your Package Becomes a Trap
The USPS Smishing Epidemic
During the 2024 holiday season, the United States Postal Inspection Service (USPIS) saw a significant uptick in phishing and smishing scam attempts. The scams intensified as people anxiously awaited packages containing gifts and goods.
Here's how delivery scams work:
Common scenarios:
- "You missed a delivery" message with a link to reschedule
- "We can't deliver your package—update your address" request
- "Pay customs fees to release your package" demand
- "Confirm your identity to receive your package" phishing attempt
These messages arrive via:
- SMS/text messages (smishing)
- Email (phishing)
- WhatsApp or other messaging apps
Critical fact: USPS officials would never directly contact customers by email or text asking for payment or personally identifiable information (PII). USPS would never contact a consumer via text message unless the customer initiated the request.
The QR Code Threat
In 2025, scammers have increasingly attached QR codes to delivery notifications and even physical packages. These QR codes often link to:
- Convincing but fake order tracking websites
- Phishing portals designed to gather sensitive information
- Malware installation pages
Reports of brushing scams rose 46% in 2025 compared to the previous year. In brushing scams, you receive unexpected packages you didn't order. Attached to these deliveries are QR codes that, when scanned, compromise your device or steal your information.
The Major Carriers Being Impersonated
Scammers impersonate all major delivery services:
- USPS (U.S. Postal Service)
- FedEx
- UPS
- DHL
- Amazon Logistics
The messages often use official-looking logos, tracking number formats, and professional language to appear authentic.
Gift Card Fraud: The $217 Million Disaster
Gift cards are the perfect crime for scammers—they're untraceable, immediately usable, and irreversible once activated. In 2023, consumers lost approximately $217 million to gift card scams, according to the Federal Trade Commission.
Gift Card Draining: The Store Shelf Attack
Gift card draining is particularly insidious. Here's how it works:
- In-store tampering: Criminals visit retail stores and carefully record the numbers and codes from gift card backs
- Monitoring: They regularly check these numbers online to see when cards are activated
- Instant theft: The moment a legitimate customer purchases and loads money onto the card, scammers immediately drain the balance online
- Victim discovers: When the gift recipient tries to use the card, it's already empty
Flashpoint observed a noticeable increase in Chinese threat actors conducting and recruiting for gift card fraud campaigns targeting American shoppers, leveraging gift card draining to activate stolen or fraudulently obtained gift cards to purchase electronics and luxury items.
Most of the money is lost when criminals steal numbers or codes from the backs of cards in stores, then drain the cards before consumers can spend them.
Social Media Gift Card Scams
According to McAfee's 2024 Global Holiday Shopping Scams Study, 83% of Gen Z consumers say their shopping starts on social media. Scammers exploit this behavior through:
- Fake voucher giveaways
- "Free gift card" offers requiring survey completion
- Influencer impersonation promoting fraudulent gift card deals
- Fake brand accounts offering exclusive gift card promotions
These scams often lead consumers to complete online surveys designed to steal personal information, or to fake websites that collect payment information under the guise of "verification" or "shipping fees" for "free" gift cards.
Payment Scams Using Gift Cards
Never buy from online sellers who demand you pay with gift cards. This is the number one indicator of fraud.
Legitimate businesses never require payment via:
- Gift cards
- Wire transfers
- Payment apps (for initial purchases from unknown sellers)
- Cryptocurrency
Only scammers tell you to pay this way. Yet victims continue to fall for scams involving:
- "Tech support" claiming you need to pay for services with gift cards
- "IRS" or "government officials" demanding tax payments via gift cards
- "Family members" in emergency situations needing gift card numbers
- "Romance" scammers asking for gift cards as proof of affection
Charity Scams: Exploiting Holiday Generosity
The holiday season brings out the best in people—and scammers know it.
The $96 Million Fraud
In 2024, the FBI Internet Crime Complaint Center (IC3) received more than 4,500 complaints reporting approximately $96 million in losses to fraudulent charities, crowdfunding accounts, and disaster relief campaigns.
Interpol's Operation Pangea XV dismantled 70 fake charity websites in 2024, seizing $8 million in fraudulent donations.
Christmas 2024 Specific Charity Scams
The FTC warned of fake "Christmas Miracle" campaigns promising to double donations, which never reached beneficiaries. Scammers create fictitious organizations with names designed to sound legitimate:
- "Toys for Tots Fraud" (mimicking the real Toys for Tots)
- "Holiday Meal Relief"
- "Christmas Food Bank Alliance"
- "Winter Warmth Foundation"
These fake charities often use stolen logos from reputable charities to appear legitimate. The IRS reports a spike in fake charity emails during December, often containing malware links disguised as donation portals.
UK Data: A Global Problem
In the UK, 42% of charity respondents were victims of fraud or attempted fraud in 2024. The average loss per fraud was between £102,000 and £197,000 (approximately $129,000 to $249,000).
Around a third of charities experienced a cyber-attack in 2024, and four in five of these cases involved phishing.
How to Verify Legitimate Charities
Before donating:
- Verify the organization at give.org (BBB Wise Giving Alliance) or charitynavigator.org
- Never donate via gift cards, wire transfers, or cryptocurrency
- Be wary of unsolicited donation requests via email, text, or phone calls
- Search for the charity name plus "scam" or "complaint" to see if others have reported issues
- Donate directly through the charity's official website, not through links in emails or social media
How to Protect Yourself: Practical Defense Strategies
Create a Family Password
Experts recommend creating a family password that everyone in your family knows and can use to verify identity during unexpected calls or messages. This password should be:
- Easy to remember in a panic
- Hard to forget
- Not public information
Examples include:
- The name of a well-known family object or person
- An inside joke
- A family meme
- Any word or phrase you can all remember easily
If someone calls claiming to be a family member in distress, ask for the family password before taking any action.
Limit Voice Recordings Online
To protect against AI voice cloning:
- Review your social media privacy settings and limit who can view your videos
- Consider making video posts private or friends-only
- Be cautious about what you post publicly on TikTok, Instagram, YouTube, and Facebook
- Educate family members, especially children and teens, about this threat
- Never assume a voice on the phone is authentic—always verify through other means
Email and Text Message Red Flags
Be suspicious of any message that:
- Creates urgency ("Act now or lose this deal!")
- Requests personal information or account credentials
- Contains unexpected attachments or links
- Comes from a slightly misspelled domain (amazom.com instead of amazon.com)
- Offers deals that seem too good to be true
- Claims there's a problem with your account that requires immediate action
- Uses generic greetings ("Dear Customer" instead of your name)
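One way a mail filter could test for several of the red flags above: a misspelled sender or link domain, urgency, a generic greeting, and a request for credentials. This is an added example, not part of the original article; the brand-to-domain list, the phrase patterns and the two sample messages are assumptions constructed for illustration.

```python
import re

# Real domains of brands the article names as most impersonated.
# The brand-to-domain mapping is an assumption made for this example.
BRAND_DOMAINS = ("walmart.com", "amazon.com", "target.com", "macys.com", "bestbuy.com")

# Wording heuristics for three of the article's red flags (patterns are illustrative).
PHRASE_FLAGS = {
    "urgency": re.compile(r"\b(act now|immediately|within \d+ hours|final notice)\b", re.I),
    "generic_greeting": re.compile(r"\bdear (customer|user|member|shopper)\b", re.I),
    "credential_request": re.compile(
        r"\b(verify|confirm|update) your (account|password|identity|payment)\b", re.I),
}


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable(host):
    """Last two labels of a host name (naive: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host):
    """Return the brand domain that `host` imitates by a one-edit misspelling, else None."""
    domain = registrable(host)
    if domain in BRAND_DOMAINS:
        return None  # the genuine domain, or a subdomain of it
    label = domain.split(".")[0]
    for brand in BRAND_DOMAINS:
        if osa_distance(label, brand.split(".")[0]) == 1:
            return brand
    return None


def red_flags(sender, body):
    """List the red flags found in one message, in a fixed order."""
    flags = []
    if lookalike_of(sender.rsplit("@", 1)[-1]):
        flags.append("lookalike_sender")
    if any(lookalike_of(h) for h in re.findall(r"https?://([^/\s:]+)", body)):
        flags.append("lookalike_link")
    flags += [name for name, rx in PHRASE_FLAGS.items() if rx.search(body)]
    return flags


# Constructed sample messages (not real traffic).
PHISH = ("deals@amazom.com",
         "Dear Customer, there is a problem with your order. Act now: "
         "verify your account at https://amazom.com/login within 24 hours.")
LEGIT = ("orders@amazon.com",
         "Hi Jordan, your order has shipped. Track it at https://www.amazon.com/orders")

if __name__ == "__main__":
    for sender, body in (PHISH, LEGIT):
        print(sender, red_flags(sender, body))
```

The one-edit threshold catches single-character swaps and typos such as amazom.com; multi-character tricks (for example "rn" standing in for "m") need a larger threshold or a homoglyph table, at the cost of more false positives.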
What to do:
- Don't click links in unexpected emails
- Go directly to the retailer's website by typing the URL yourself
- Contact customer service through official channels to verify any claims
- Forward phishing emails to the FTC and to the company being impersonated
Delivery Scam Protection
If you receive a text or email about a package:
- Don't click any links in the message
- Verify tracking information by going directly to the carrier's website
- Check your email for legitimate tracking notifications from retailers
- Remember: USPS, FedEx, and UPS don't ask for personal information or payment via text
- Be cautious of QR codes on unexpected packages or delivery notifications
Safe Online Shopping Practices
Before making a purchase:
- Verify the website is legitimate (look for https:// and a padlock icon, but note these only show the connection is encrypted; scam sites can have them too)
- Research the seller—search for reviews and complaints
- Be cautious of social media ads and sponsored posts
- Never provide your Social Security number for online purchases
- Use credit cards instead of debit cards (better fraud protection)
- Enable two-factor authentication on all shopping accounts
Check for fake website indicators:
- Recently registered domain (use whois.com to check)
- No phone number or physical address
- Unrealistic prices (70-90% off luxury items)
- Poor grammar or spelling errors
- No return policy or unreasonable return terms
- Only accepts wire transfers, cryptocurrency, or gift cards
Payment Security
- Use credit cards for online purchases—they offer better fraud protection than debit cards
- Monitor your statements regularly and report suspicious charges immediately
- Set up transaction alerts through your bank or credit card company
- Use virtual credit card numbers when available
- Never pay via gift cards, wire transfers, cryptocurrency, or payment apps for initial purchases from unknown sellers
Mobile Security
With mobile phishing attacks quadrupling in 2024, protect your smartphone:
- Don't click links in unexpected text messages
- Install security software on your mobile device
- Keep your operating system updated
- Only download apps from official app stores
- Review app permissions before granting access
- Be cautious when using public Wi-Fi for shopping
What to Do If You've Been Scammed
If you realize you've fallen victim to a holiday scam:
Immediate Actions
- Contact your bank or credit card company immediately to report fraud and stop payment if possible
- Change your passwords for any accounts that may be compromised
- Enable two-factor authentication on all accounts
- Document everything—save emails, text messages, screenshots, and transaction details
- If you provided personal information, consider placing a fraud alert on your credit reports
Report the Scam
File reports with:
- Federal Trade Commission: reportfraud.ftc.gov
- FBI Internet Crime Complaint Center: ic3.gov
- Your state attorney general's office
- The company being impersonated (Amazon, USPS, etc.)
- Better Business Bureau Scam Tracker: bbb.org/scamtracker
For gift card scams, contact the company that issued the card immediately:
- Google Play: support.google.com/googleplay
- Apple/iTunes: reportaproblem.apple.com
- Amazon: amazon.com/contact-us
While you may not recover your money, reporting helps authorities track scam operations and potentially shut them down.
The Psychology of Holiday Scams: Why We Fall For It
Understanding why these scams work is crucial to protecting yourself.
The Urgency Factor
Holiday shopping creates natural time pressure:
- Limited-time Black Friday deals
- Shipping deadlines for Christmas delivery
- Last-minute gift panic
Scammers exploit this urgency, knowing that rushed decisions bypass our normal skepticism.
The Emotion Trigger
The holidays are emotionally charged:
- Excitement about giving the perfect gift
- Fear of disappointing loved ones
- Stress about budgets and expectations
- Panic when a "family member" claims to be in trouble
These emotional states make us vulnerable to manipulation.
The Trust Exploitation
We want to believe:
- That we're getting an amazing deal
- That our favorite brands are offering exclusive promotions
- That our family member really needs our help
- That our package really is delayed and needs our intervention
Scammers weaponize this inherent trust.
Looking Ahead: What to Expect in Holiday 2025 and Beyond
As we move through the 2025 holiday season and look ahead, several trends are clear:
AI Will Get More Sophisticated
- Video deepfakes will become more common, not just voice cloning
- Real-time voice manipulation will enable live conversation fraud
- Behavioral AI will create even more personalized and convincing phishing attempts
Attack Volume Will Increase
With phishing attacks already up 692% during Black Friday 2024, we can expect even higher volumes in 2025 and 2026 as scammers refine their techniques and scale their operations.
New Payment Platforms Will Be Targeted
As new payment methods emerge (cryptocurrency, digital wallets, buy-now-pay-later services), scammers will develop new fraud techniques to exploit them.
Social Media Will Remain a Primary Attack Vector
With 83% of Gen Z starting their shopping on social media, platforms like TikTok, Instagram, and Facebook will continue to be major sources of fraud.
Key Takeaways: Your Holiday Security Checklist
✅ Create a family password to verify emergency calls claiming to be from relatives
✅ Limit public voice recordings on social media to prevent AI voice cloning
✅ Never click links in unexpected emails, texts, or messages about deliveries or deals
✅ Verify websites before entering payment information—check for https:// and research the seller
✅ Use credit cards for online purchases, not debit cards or alternative payment methods
✅ Never pay with gift cards, wire transfers, or cryptocurrency for purchases
✅ Go directly to retailer websites instead of clicking email or social media links
✅ Verify charity legitimacy before donating
✅ Enable two-factor authentication on all shopping and financial accounts
✅ Monitor your accounts regularly and set up transaction alerts
✅ Be skeptical of deals that seem too good to be true—they usually are
✅ Research sellers by searching for the company name plus "scam" or "reviews"
✅ Keep your devices updated with the latest security patches
✅ Use strong, unique passwords for each account (consider a password manager)
✅ Trust your instincts—if something feels wrong, it probably is
Conclusion: A Season of Vigilance
The 2025 holiday season brings unprecedented cyber threats powered by artificial intelligence and scaled through global criminal networks. With $529 million already lost to online shopping fraud, 692% increases in phishing attacks, and AI voice cloning requiring just three seconds of audio, the landscape has never been more dangerous.
But awareness is power. By understanding these threats, recognizing the red flags, and following security best practices, you can protect yourself and your loved ones.
This holiday season, the best gift you can give yourself is vigilance. Take the time to verify before you click, to research before you buy, and to question before you trust. Your financial security—and your family's peace of mind—depend on it.
The scammers are counting on your holiday distraction, your emotional decision-making, and your desire for the perfect deal. Don't give them what they want.
Stay informed. Stay skeptical. Stay safe.
For more cybersecurity threat intelligence and protection strategies, visit Breached Security. Report all scams to the Federal Trade Commission at reportfraud.ftc.gov and the FBI at ic3.gov.
