As Santa starts his travels, experts are warning that his arrival could bring with it a range of cyber risks, from scams to insecure gadgets.
Whilst Santa prefers to deliver via chimney, most cybercriminals are looking for backdoors. In some cases, hackers prefer to deliver malicious communications via email. Worryingly, in 2025, scams are not just more common, they’re often harder to spot. Earlier this month, researchers from the team at Check Point detected 33,502 Christmas-themed phishing emails in the first two weeks of December, along with more than 10,000 fake advertisements being created daily on social media channels. Many mimic festive promotions, while others push fake Walmart or Home Depot deals, fraudulent charity appeals, and urgent delivery notices.
Why is this time of year so popular for cybercriminals? Ian Porteous, Regional Director, Security Engineering, UK & Ireland at Check Point Software, notes that “Cybercriminals love Christmas just as much as shoppers do, but for all the wrong reasons. This time of year, people are more exposed due to the sheer volume of digital interactions – shopping online, sending e-cards, and grabbing festive deals. That makes it the perfect opportunity for scammers.”
Which other types of attacks should consumers look out for?
Javvad Malik, Lead CISO Advisor at KnowBe4, highlighted a range of common festive scams that consumers should be alert to during the Christmas period. He warned that these include “fake courier messages – like texts from Royal Mail, DPD, Evri etc”, often claiming “we tried and failed to deliver” or asking recipients to “pay a small fee to release it”. Malik also pointed to deals that are too good to be true, such as “ridiculous savings, 90% off named brands”, as well as gift card scams and urgent favour requests, typically appearing as “a WhatsApp or email from your boss or family member usually”. Other tactics include charity scams involving “fake charities trying to pull at heartstrings during the season of giving”, fraudulent shopping emails claiming “your payment failed” or that “your Black Friday order couldn’t be processed”, and holiday job or side hustle offers that require victims to “pay an upfront fee for training or admin”, which in some cases can result in individuals unknowingly becoming money mules.
Many of us will hope to unwrap a new gadget tomorrow morning, but Anne Cutler, cybersecurity expert at Keeper Security, is warning that these gifts can come with hidden risks if left unsecured. “As smart, AI-enabled gadgets become some of the most popular gifts this holiday season, families are unknowingly expanding their digital attack surface,” she said. “From connected toys and wearables to voice assistants and home cameras, many of these devices are effectively small computers with microphones, sensors and constant internet access. To make matters worse, they are usually sold with minimal security settings as the default.”
Cutler warned that “the most common mistake families make is trusting default passwords and factory settings”, something cybercriminals actively exploit by scanning for unsecured devices. She added that while these products can appear harmless, “from behavioural tracking to hidden software vulnerabilities, these modern devices can seem harmless, but in actuality they can pose genuine threats to the privacy and security of families”.
Parents are being encouraged to review privacy and safety settings before children begin using new devices, including disabling unnecessary access to cameras or microphones and limiting data sharing, particularly where interactions may be used for “model improvement”. Experts also caution that AI-enabled toys introduce additional risks because they can behave unpredictably, with concerns ranging from “hallucinations or unsafe responses” to data leakage and breach-related cyber attacks, where stolen recordings, images or videos could be used for phishing, voice impersonation or deepfake content.
Cutler concluded: “Connected devices are now a permanent part of family life, and they should be treated with the same care as any other internet-facing system. By staying informed and vigilant, families can enjoy the holiday season with confidence, while balancing the fun of new tech with a secure and privacy-conscious digital home.”
“Digital security at Christmas starts with prevention,” adds Ian Porteous from Check Point. “Staying alert and cautious online can make all the difference – protecting your personal information and ensuring a stress-free festive season.”
Javvad Malik from KnowBe4, urges consumers to ask the following questions before taking action:
- Was I expecting this?
- Is this how we normally do it?
- Is this invoking an emotional response?
- Is it time-sensitive (rushing me)?
- Have I checked it somewhere else?
