Cybersecurity 5 min read December 5, 2024

Holiday Season Phishing Scams: How to Protect Your Team

Cybercriminals ramp up phishing campaigns during the holidays. Learn the latest tactics they're using and how to train your employees to spot and report suspicious emails.

Security Research Team

Security Expert

Every holiday season, cybercriminals capitalize on the increased volume of online transactions, shipping notifications, and end-of-year business communications to launch targeted phishing campaigns. This year is no exception.

Common Holiday Phishing Tactics

Fake Shipping Notifications

With more packages in transit than ever, attackers send convincing emails mimicking Canada Post, FedEx, UPS, and Amazon. These emails contain malicious links disguised as tracking updates or delivery failure notices.

Year-End Account Notifications

Emails claiming your account needs urgent verification before year-end, often impersonating banks, Microsoft 365, or payroll services.

Charity and Gift Card Scams

Fraudulent charity solicitations and gift card purchase requests, sometimes appearing to come from executives within your own organization (CEO fraud).

Holiday Bonus Phishing

Emails claiming employees need to click a link to claim their holiday bonus or update direct deposit information.

Red Flags to Watch For

  • Urgent language demanding immediate action
  • Sender email addresses that don't match the claimed organization
  • Generic greetings instead of your name
  • Links that don't match the expected domain when hovered
  • Attachments you weren't expecting
  • Requests for sensitive information via email
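
Two of these red flags, a sender address that does not match the claimed organization and a link whose visible text names a different domain than its target, can be checked mechanically before a message reaches an inbox. The Python below is an added example, not part of the original article; the brand-to-domain map, the sample message and the names `red_flags`, `in_domain` and `Links` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand-to-domain map (not from the article); extend for your own senders.
BRANDS = {"fedex": "fedex.com", "ups": "ups.com", "amazon": "amazon.com"}
DOMAINISH = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:?]|$)", re.I)
# Constructed sample message, not a real capture.
SAMPLE = ('From: "FedEx Delivery" <tracking@fedex-parcel-update.example>\n'
          'Content-Type: text/html\n\n'
          '<a href="http://parcel-track.example/r">www.fedex.com/track</a>\n')

def in_domain(host, domain):
    # True for the domain itself or any subdomain, never for look-alike suffixes.
    return ("." + (host or "").lower()).endswith("." + domain)

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(raw):
    msg, flags = message_from_string(raw), set()
    name, addr = parseaddr(msg.get("From", ""))
    words = set(re.findall(r"[a-z]+", name.lower()))
    # Display name claims a brand, but the address is not on that brand's domain.
    if any(b in words and not in_domain(addr.rpartition("@")[2], d) for b, d in BRANDS.items()):
        flags.add("sender-mismatch")
    html = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    parser = Links()
    parser.feed(html)
    for href, text in parser.links:
        shown = DOMAINISH.match(text)  # only compare when the link text looks like a domain
        if shown and not in_domain(urlparse(href).hostname, re.sub(r"^www\.", "", shown[1].lower())):
            flags.add("link-mismatch")
    return sorted(flags)
```

Calling `red_flags(SAMPLE)` returns both flags for the constructed message; a message sent from the brand's own domain with a link that goes where its text says returns an empty list.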

Protecting Your Team

1. Awareness Training

Run a brief holiday-specific phishing awareness session. Share examples of current scams and remind employees of reporting procedures.

2. Phishing Simulations

Send test phishing emails to see how your team responds. Use the results to identify who needs additional training.

3. Technical Controls

  • Ensure email filtering is up to date
  • Enable link protection in your email gateway
  • Block known malicious domains
  • Enforce MFA on all accounts

4. Reporting Culture

Make it easy and safe for employees to report suspicious emails. Praise reports rather than punishing clicks; people who are afraid to report are your biggest risk.

What to Do If You Click

If an employee clicks a suspicious link:

  1. Disconnect the device from the network immediately
  2. Report the incident to your IT team or NPC Data Guard support
  3. Change passwords for any accounts that may be compromised
  4. Monitor accounts for unusual activity

Our 24/7/365 support team is always available to help investigate suspicious emails. Call 1-855-667-2642 or forward suspicious emails to our security team for analysis.
