Holiday Season Phishing Patterns: Black Friday to New Year

Phishing has a calendar. The categories rotate with the season, the volume swells through the fourth quarter and the lures that work in November are not the same lures that work in March. The window from Black Friday to New Year is the single most attacker-rich stretch of the year - every employee is expecting a package, every accounts payable team is racing year-end, every employer is running open enrollment and every charity is asking for a year-end donation. The attacker doesn't need a clever pretext; the season provides it.

This post breaks the holiday phishing window into the lure categories that actually drive the most loss, what to train on and a month-by-month simulation playbook that lines up with the threat surface instead of running generic campaigns through it.

Why the holidays produce a phishing surge

Three forces compound between Thanksgiving and New Year's Eve:

  • Volume of legitimate transactional email. Real shipping notifications, real receipts, real charity asks, real benefits enrollment forms - all in the inbox at the same time. Pattern recognition fires the wrong way.
  • Time pressure. Year-end deadlines, shipping cutoffs, gift-buying windows and benefits-election deadlines all have hard dates. Urgency lure copy stops sounding suspicious because legitimate urgency is everywhere.
  • Reduced staffing. Skeleton crews on IT and security teams between Christmas and New Year. Reduced verification capacity. Higher attacker leverage.

Reporting from the FBI Internet Crime Complaint Center (IC3), the Verizon DBIR, CISA, the Anti-Phishing Working Group (APWG), and ongoing coverage at Krebs on Security consistently shows phishing volume and successful BEC losses concentrating in this window. The pattern is repeatable.

The seven holiday lure categories

1. Package delivery exceptions

The dominant lure of the season. "Your UPS package is delayed - confirm address." "FedEx attempted delivery - schedule redelivery." "USPS held parcel - pay $1.99 fee." Spans every carrier. Works because everyone has at least one real package out at any time during the holiday rush. Train users that legitimate carriers do not collect redelivery fees over email links and that the carrier app is the safe channel.

2. Gift card and reward scams

"Verified $500 Amazon gift card - claim before midnight." "Your reward points expire today." Often pretextually framed as an internal reward from HR or a legitimate retailer's loyalty program. The financial pretext combined with seasonal generosity makes users credulous. The trap is either credential harvesting or a small "shipping fee" credit-card capture.

3. Charity solicitations

The end-of-year giving window is when legitimate charities run their hardest fundraising - and attackers piggyback. Lures impersonate well-known charities or crisis-response orgs and route donations to attacker-controlled accounts. Defense: verify the charity through its known URL or a registered charity database before giving, never through an emailed link.

4. HR open enrollment

Late October through November in the U.S. brings benefits open enrollment, and attackers send lures impersonating HR or the benefits administrator asking employees to "verify your dependents" or "confirm your tax information." The harvested PII fuels next year's tax-fraud and identity-theft campaigns. Train HR to communicate enrollment links through the corporate HRIS portal only, and train employees to access enrollment through the portal directly.

5. Year-end vendor invoices

Vendors close their books in December and pressure on accounts payable spikes. Attackers exploit this with fraudulent invoices that look like routine year-end items, often paired with a request to update bank account details "before our new banking transition January 1." The IC3 has documented multi-million-dollar BEC losses in this category every year. Out-of-band callback verification on every bank-account change - see our deepfake vishing piece for the underlying defensive logic - is non-negotiable.

6. Year-end bonus and W-2 lures

"Your year-end bonus statement is ready" or "Confirm your information for W-2 distribution." These are internal payroll-themed lures aimed at employees. The harvested data feeds January and February tax-fraud schemes. Particularly effective on small businesses where bonuses are not on a fixed announcement schedule.

7. Travel and itinerary scams

Holiday travel produces a wave of legitimate "your itinerary has been updated" emails - and the attacker version. The lures target both leisure travelers and business travelers booking last-minute end-of-year trips. Defense: log into the airline or hotel directly, never reschedule from an emailed link.

The holiday simulation playbook

Generic password-reset campaigns in December are wasted simulations. The threat surface has shifted; your simulation library should shift with it. A workable month-by-month playbook:

  • Late October: HR open-enrollment-themed campaign. Aimed at the entire organization, easy-to-regular difficulty.
  • Early November: Vendor invoice / bank-account-change campaign targeted at accounts payable and finance, regular-to-hard difficulty. The single highest-loss test of the year for most companies.
  • Black Friday through Cyber Monday: Package delivery campaign, organization-wide, easy difficulty. High-volume, high-engagement, low-stakes - a teaching moment.
  • Mid-December: Charity-scam-themed campaign, organization-wide, regular difficulty. Pair with internal communications about the company's actual year-end giving.
  • Late December (skeleton-crew period): Year-end bonus / W-2 themed campaign for cohorts that have access to payroll or HR systems. Higher difficulty.

The platform's auto-assigned remediation training matches the lure category - a user who clicks a charity-scam simulation gets the charity-verification training, not a generic awareness module. Seasonal alignment of training matters as much as seasonal alignment of testing.

Operational checklist for security teams

Beyond simulation, four operational moves before December 1:

  1. Brief AP and finance on year-end BEC. Reinforce out-of-band verification policy. The single email reminder, sent to the right cohort at the right time, prevents most of the losses.
  2. Verify holiday on-call coverage on the IT and security teams. The skeleton-crew window is exactly when attackers ramp up. Document who's reachable, when and through which channels.
  3. Pre-approve communications channels for HR. Open-enrollment emails should come from a known sender; spoofed lookalikes should be flagged at the gateway. Verify the HR sender domains are on the email gateway's allowlist and that DMARC is enforcing.
  4. Refresh your phishing-report mechanism. Make sure employees know the one-button "report phishing" path in their mail client, and that it routes to a monitored mailbox even during the holiday week.
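Item 3 says to verify that DMARC is enforcing on the HR sender domains. The check below is an added example, not code from the original post or from the Bait & Phish platform: it parses the DMARC TXT record text and reports why a record would not block spoofed lookalike mail (p=none, an sp= that leaves subdomains open, or a pct= below 100). The sample records and domain names are constructed for illustration.

```python
"""Assess whether a DMARC record actually enforces against spoofed mail.

A DMARC record lives in the TXT record at _dmarc.<domain> and is made of
"tag=value" pairs separated by ";". p= is the policy for the domain, sp=
the policy for subdomains (defaults to p=), pct= the share of failing mail
the policy is applied to (defaults to 100). Only quarantine or reject block.
"""
from dataclasses import dataclass, field

@dataclass
class DmarcStatus:
    policy: str
    subdomain_policy: str
    pct: int
    enforcing: bool
    reasons: list = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> DmarcStatus:
    """Return the effective policy and every reason the record is not enforcing."""
    tags = parse_dmarc(record)
    reasons = []
    if tags.get("v", "").upper() != "DMARC1":
        reasons.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()          # sp= defaults to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct, _ = 0, reasons.append("pct= is not an integer")
    if policy not in ("quarantine", "reject"):
        reasons.append(f"p={policy or 'missing'} does not block failing mail")
    if sp not in ("quarantine", "reject"):
        reasons.append(f"sp={sp or 'missing'} leaves subdomains unprotected")
    if pct < 100:
        reasons.append(f"pct={pct} applies the policy to only part of the mail")
    return DmarcStatus(policy, sp, pct, not reasons, reasons)

# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLES = {
    "hr.example.com":       "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "benefits.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "payroll.example.com":  "v=DMARC1; p=quarantine; pct=25; sp=none",
}
```

Feed it the TXT value returned by your resolver for `_dmarc.<sender domain>`; any non-empty `reasons` list means a lookalike that fails SPF/DKIM alignment can still reach the inbox.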

Communicating with employees during the surge

Internal communication matters as much as simulation during the holiday window. Three short messages, sent at the right time, change behavior more than a 60-minute training would:

  • Pre-Black-Friday note (early November). "You're going to get a lot of fake delivery notifications over the next six weeks. Carriers don't ask for redelivery fees over email links. Use the carrier app or website directly." One paragraph. Sent once.
  • Pre-open-enrollment note (mid-October). "HR will only communicate enrollment links through the corporate HRIS portal. If you receive a 'verify your benefits' email from any other source, report it." Specific. Time-bound. Pairs with the simulation.
  • Year-end finance alert (early December). Targeted at AP and finance staff specifically. "Vendors are pushing year-end invoices and may request bank account changes. Every change must be verified through callback to a directory-listed number, regardless of urgency. No exceptions, including from leadership."

These aren't training modules - they're awareness nudges. The simulations build the muscle; the nudges activate it at the right moment.

The post-holiday review

Most security teams skip the January retrospective on the holiday window, which is the single most useful piece of the cycle. Schedule a short review in the second week of January covering: which lure categories produced the most clicks, which cohorts struggled most, whether any real (non-simulated) phishing emails got through and what changes to plan for next year. The IC3 publishes its annual Internet Crime Report in spring; cross-reference your internal data against the published trends and update your template library accordingly.
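The retrospective questions above (which categories drew clicks, which cohorts struggled) reduce to a few aggregations over the simulation export. The block below is an added example, not code from the original post or the Bait & Phish platform; the row format and the result rows are constructed sample data, and the extra "unreported" view flags categories where users clicked more often than they reported, which is where a real email of that type would have gone unnoticed.

```python
"""Rank Q4 simulation results by category and cohort for the January review."""
from collections import defaultdict, namedtuple

# Hypothetical export shape: one row per recipient of a simulation email.
Result = namedtuple("Result", "category cohort clicked reported")

# Constructed sample rows, not data from any real campaign.
RESULTS = [
    Result("package_delivery", "all_staff", True, False),
    Result("package_delivery", "all_staff", False, True),
    Result("package_delivery", "all_staff", False, False),
    Result("vendor_invoice", "finance", True, False),
    Result("vendor_invoice", "finance", True, True),
    Result("vendor_invoice", "finance", False, True),
    Result("vendor_invoice", "finance", False, True),
    Result("charity", "all_staff", False, True),
    Result("charity", "all_staff", False, False),
    Result("w2_bonus", "payroll", True, False),
    Result("w2_bonus", "payroll", False, False),
]

def rate_by(rows, attr, field):
    """Map each distinct value of `attr` to (rate, hits, total) for `field`."""
    hits, totals = defaultdict(int), defaultdict(int)
    for r in rows:
        key = getattr(r, attr)
        totals[key] += 1
        hits[key] += getattr(r, field)      # bool counts as 0/1
    return {k: (hits[k] / totals[k], hits[k], totals[k]) for k in totals}

def ranked(rows, attr, field="clicked"):
    """Worst-first list of (value, rate, hits, total); ties broken by name."""
    return sorted(((k, *v) for k, v in rate_by(rows, attr, field).items()),
                  key=lambda t: (-t[1], t[0]))

def unreported_categories(rows):
    """Categories whose report rate is below their click rate."""
    clicks = rate_by(rows, "category", "clicked")
    reports = rate_by(rows, "category", "reported")
    return sorted(c for c in clicks if reports[c][0] < clicks[c][0])

def retrospective(rows=RESULTS):
    """The four tables the January review walks through."""
    return {
        "click_by_category": ranked(rows, "category"),
        "click_by_cohort": ranked(rows, "cohort"),
        "report_by_category": ranked(rows, "category", "reported"),
        "unreported": unreported_categories(rows),
    }
```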

What insurers ask about seasonal coverage

Cyber insurance carriers have started to ask, in renewal applications, whether the program "addresses seasonal threat patterns" - see our cyber insurer phishing questions guide. The expected answer is documented evidence of holiday-themed campaigns and elevated coverage of finance and HR cohorts during Q4. The cost of "no" is paid in premium; the cost of "yes" is the time spent running the campaigns.

Where Bait & Phish fits

The Bait & Phish template library includes seasonally-themed templates across every category above, at all three difficulty levels. The platform supports time-of-year scheduling so a holiday-themed campaign queues for November even when you build it in May. Start a 25-user free trial if you want to run a holiday-aligned simulation against your team this season; pricing covers organization-wide programs; contact us for help building the full Q4 calendar; about us covers our methodology in more depth; and the simulated phishing attacks page walks through the multi-channel campaign architecture.

External authoritative references: FBI IC3 annual Internet Crime Report, CISA holiday-season advisories, the Verizon DBIR, the Anti-Phishing Working Group (APWG) trend reports, and NIST SP 800-50 on awareness program design.

See also: Phishing Trends 2026 - annual roundup covering AiTM commoditization, AI-generated lure quality, collaboration-tool phishing, ransomware dwell-time compression and other patterns that defined the year.