The holiday season is a predictable peak for scammers and disruptive cyber actors. Law enforcement and federal partners are again reminding organizations and the public that attackers exploit holidays and weekends when staffing and attention are low, and simple tactics like phishing, gift card scams, and ransomware continue to surge. Federal guidance this year repeats familiar themes: prepare for incidents by identifying who will be on call, strengthen remote access controls, and run your incident playbooks now.
Two trend items to note for 2025. First, law enforcement has documented not only the usual phishing and fraud patterns but also a measurable increase in AI-enabled scams, including voice and synthetic media used to pressure victims. Public reporting shows AI was already used in thousands of complaints in the first half of 2025, and agencies are calling that out as a driver of holiday fraud.
Second, federal agencies specifically highlight ransomware risk over holiday windows. Attackers know many organizations take critical staff offline or operate with skeleton crews during holidays, making detection and response slower. The joint CISA and FBI guidance recommends concrete mitigations such as enforcing multi-factor authentication for remote access, securing RDP and other risky services, and pre-identifying staff who can respond during off-hours. Those are not optional this season.
Practical, immediate actions (what I would do in the next 24 to 72 hours)
- Confirm holiday on-call coverage: publish a single, authoritative contact list that includes after-hours phone numbers and alternate contacts. Test that the numbers work. If you cannot staff 24x7, ensure automated escalation paths are in place.
- Validate backups and recovery: run a rapid integrity and restore test for your most critical systems. Verify backups are offline or immutably stored away from production. If your restore procedure is manual, walk it once end to end now.
- Lock down remote access: require multi-factor authentication on every remote admin and VPN account, and ensure privileged accounts use separate, monitored admin workstations. Disable unused RDP and remote services or place them behind jump hosts that are logged and monitored.
- Harden email: tighten inbound filtering, enable DKIM/DMARC/SPF, apply URL rewriting and safe link scanning, and increase sensitivity of filters for seasonal keywords like “gift”, “order”, and “delivery” that attackers abuse.
- Run a mini tabletop: hold a 60-minute holiday incident tabletop with leadership and one technical responder. Walk through a phishing-to-ransomware scenario and confirm who notifies customers, regulators, and law enforcement.
- Watch for AI-enabled fraud: brief staff on deepfake voice and text scams. Remind finance teams to never accept payment instructions solely by phone or chat without secondary verification. Include this in your tabletop.
Advice for small businesses and front-line staff
- Treat unusual delivery or order messages as suspicious. Confirm through the merchant site or by calling a verified number.
- Never pay vendors or employees using gift cards or crypto because an email asked you to. These remain a top vector during the holidays and are difficult to reverse.
- Report suspected fraud and loss of funds to IC3 and contact your bank immediately. Local FBI field offices are issuing public advisories to consumers and small businesses this season.
Operational refinements that scale with little budget
- Automate detection of domain lookalikes for your main brands. Use inexpensive domain monitoring services or a small script that queries WHOIS and certificate transparency logs for new registrations that mimic your domains.
- Implement temporary stricter egress rules over the holiday window. Limit outbound connections for admin workstations to just what is needed for business continuity and updates.
- Increase logging retention for critical assets to 14 to 30 days over the holiday period so you can investigate activity that only surfaces after responders return.
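The lookalike-domain check above can be a short script rather than a paid service. The following is an added example written for this post, not a tool the advisory or any agency publishes. It assumes `example.com` as the organisation's brand domain and a constructed list of hostnames standing in for what a certificate transparency feed or a WHOIS new-registration export would return; the homoglyph table and seasonal keyword list are also assumptions you would tune for your own brands. It goes slightly beyond the text by flagging four distinct patterns (same label on another TLD, typosquat permutations, the brand embedded in a subdomain of a foreign domain, and single-edit near misses).

```python
"""Flag newly seen hostnames that resemble a brand's domains.

Added example for this post (not from the advisory or any vendor tool).
Feed the output of your CT-log or WHOIS query into scan(); here the feed
is a constructed list so the script runs offline.
"""

BRANDS = ["example.com"]  # assumption: the organisation's own registrable domains

# Assumed character swaps attackers commonly use; extend for your brand's letters.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "m": "rn"}
# Seasonal words the post calls out, plus a few generic lures (assumption).
SEASONAL_WORDS = ["gift", "order", "delivery", "login", "support"]


def permutations(label):
    """Generate typosquat variants of a brand label (omission, repetition,
    transposition, homoglyph swap, keyword prefix/suffix)."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                       # omission
        out.add(label[:i] + ch + label[i:])                      # repetition
        if i < len(label) - 1:                                   # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:                                     # homoglyph swap
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for word in SEASONAL_WORDS:
        out.update({f"{label}-{word}", f"{word}-{label}", f"{label}{word}"})
    out.discard(label)
    return out


def edit_distance(a, b):
    """Plain Levenshtein distance; catches single substitutions/insertions
    that the permutation list does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return a tag describing why host looks like a lookalike, or None.
    Assumption: a two-label registrable domain (label.tld) is good enough;
    a real deployment would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    if registrable in BRANDS:
        return None  # our own domain, including its subdomains
    reg_label = labels[-2]
    for brand in BRANDS:
        brand_label = brand.partition(".")[0]
        if reg_label == brand_label:
            return "different-tld"
        if reg_label in permutations(brand_label):
            return "typosquat"
        if any(brand_label in lab for lab in labels[:-2]):
            return "embedded-brand"
        if edit_distance(reg_label, brand_label) <= 1:
            return "near-miss"
    return None


def scan(feed):
    """Map each flagged hostname in the feed to its tag."""
    results = {}
    for host in feed:
        tag = classify(host)
        if tag:
            results[host] = tag
    return results


# Constructed sample feed: what a CT-log / new-registration query might return.
SAMPLE_FEED = [
    "www.example.com",                 # ours
    "example.net",                     # same label, other TLD
    "exarnple.com",                    # rn for m
    "examp1e.com",                     # 1 for l
    "exmaple.com",                     # transposition
    "example-delivery.com",            # seasonal keyword
    "example.com.secure-update.net",   # brand buried in a subdomain
    "totally-unrelated.org",           # noise
]

if __name__ == "__main__":
    for host, tag in scan(SAMPLE_FEED).items():
        print(f"{tag:15} {host}")
```

Run it on a daily cron against your CT or WHOIS export and route hits to the same on-call channel as your phishing reports; the tags let you triage `embedded-brand` and `typosquat` hits ahead of the noisier `near-miss` ones.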
When to call for help
If you detect suspicious encrypted file renames, large outbound data transfers, or an extortion demand, escalate immediately. Report incidents to CISA and the FBI as appropriate and use the federal ransomware resource as a first stop for mitigation and reporting. The quicker you get law enforcement and cyber partners involved, the more options you have.
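The "suspicious encrypted file renames" signal above is worth automating so it pages someone instead of waiting for responders to return. The following is an added example written for this post, not the advisory's or any product's detection rule. It assumes a simplified file-server audit log format (constructed here, with constructed sample lines) and an assumed threshold of five renames to an unfamiliar extension by one account within sixty seconds; map the regex to your real audit source and tune the numbers before relying on it.

```python
"""Alert on bursts of file renames to an unfamiliar extension.

Added example for this post (not from the advisory or any product).
The log format, baseline extension list and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed audit-log line shape: ISO timestamp, host, user, rename src/dst.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=rename "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Assumed baseline: extensions users legitimately rename files to.
KNOWN_EXT = {"xlsx", "docx", "pdf", "txt", "pptx", "csv"}
THRESHOLD = 5    # renames to an unfamiliar extension ...
WINDOW_S = 60    # ... within this many seconds, per account and host


def file_ext(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return one alert dict per (user, host) whose renames to a
    non-baseline extension reach the threshold inside the sliding window."""
    recent = defaultdict(deque)   # (user, host) -> deque of (ts, new_ext)
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        new_ext, old_ext = file_ext(m["dst"]), file_ext(m["src"])
        if new_ext == old_ext or new_ext in KNOWN_EXT:
            continue  # ordinary rename, not an extension change to something new
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        key = (m["user"], m["host"])
        window = recent[key]
        window.append((ts, new_ext))
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": m["user"],
                "host": m["host"],
                "extension": new_ext,
                "count": len(window),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


# Constructed sample log: one account renaming many files to .locked in
# a few seconds, alongside a colleague's ordinary renames.
SAMPLE_LOG = r"""
2025-12-24T02:13:50Z host=FS01 user=CORP\asmith op=rename src=\\FS01\hr\report.docx dst=\\FS01\hr\report_final.docx
2025-12-24T02:14:03Z host=FS01 user=CORP\jdoe op=rename src=\\FS01\finance\q4.xlsx dst=\\FS01\finance\q4.xlsx.locked
2025-12-24T02:14:05Z host=FS01 user=CORP\jdoe op=rename src=\\FS01\finance\budget.xlsx dst=\\FS01\finance\budget.xlsx.locked
2025-12-24T02:14:07Z host=FS01 user=CORP\jdoe op=rename src=\\FS01\finance\invoices.pdf dst=\\FS01\finance\invoices.pdf.locked
2025-12-24T02:14:09Z host=FS01 user=CORP\jdoe op=rename src=\\FS01\finance\payroll.csv dst=\\FS01\finance\payroll.csv.locked
2025-12-24T02:14:12Z host=FS01 user=CORP\asmith op=rename src=\\FS01\hr\old.txt dst=\\FS01\hr\old.txt.bak
2025-12-24T02:14:15Z host=FS01 user=CORP\jdoe op=rename src=\\FS01\finance\plan.pptx dst=\\FS01\finance\plan.pptx.locked
2025-12-24T02:14:40Z host=FS01 user=CORP\jdoe op=rename src=\\FS01\finance\notes.txt dst=\\FS01\finance\notes.txt.locked
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Wire the alert into the same escalation path as your on-call list so a skeleton crew is paged rather than left to notice the extension change on Monday; the `first_seen` timestamp also gives responders the starting point for scoping which backups are still clean.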
Final note from the lab
Holidays are a recurring stress test for security programs. Treat this season like a planned exercise rather than a gamble. The most effective defenses are basic, repeatable actions: verified backups, enforced multi-factor authentication, staffed response, and a communication plan that prevents panic payments. Tackle the checklist above this week and you will materially reduce your risk of becoming a headline in the new year.