It’s Beginning to Look a Lot Like Phish-mas: 2025 Holiday Scams


Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

December 4, 2025

Yep, here I am again: your annual voice of doom and gloom, warning you about this year’s biggest holiday phishing scams. (Look, someone’s gotta do it. And it’s why they pay me the…well…medium bucks.) Because unfortunately for us all, 2025 is already shaping up to be a goldmine for scammers. This year, cybercriminals are pulling out all the stops: really slick-looking fake stores, AI-powered phishing messages, delivery-impersonation texts, and account-takeover attacks that have already cost consumers millions.

And, sure. Maybe you are tech-savvy enough by now to know exactly how to spot even the slickest of tricks. But we all know someone who perhaps isn’t quite so well-informed about this stuff as us (lookin’ at you, Dad/Grampa/Auntie Bea). So maybe while you’re sharing those Christmas cookies you just baked (or let’s be real, bought at Trader Joe’s) you might consider also sharing a few “sprinkles” of your cyber scam know-how.

2025 by the Numbers

Frankly, the data gathered from security firms, federal agencies, and consumer-protection organizations paints a pretty grim picture:

  • Phishing attempts targeting U.S. retailers surged 620% in the weeks leading up to Black Friday compared to October.
  • The FBI has already logged 5,100+ account takeover complaints in 2025, totaling over $262 million in losses — much of it tied to holiday shopping.
  • Fake online storefronts have exploded this year: thousands of cloned, AI-generated e-commerce sites popped up specifically to target holiday shoppers seeking deals.
  • Consumer watchdogs annually report a major spike in “missed delivery” and “order confirmation” smishing texts, especially between November 20 and December 10.

Together, these statistics suggest that 2025 may be the most dangerous holiday shopping season yet. Ugh.

What’s New This Year: Beyond Classic Phishing

We all know cybercriminals are constantly evolving, but this year they are doing so more rapidly than ever. 2025 has introduced us to several new (or significantly upgraded) tactics:

AI-Powered Phishing and Deepfake Lures

Emails, texts, and ads are now written or enhanced by AI tools, making grammar-perfect, brand-accurate scams incredibly hard to spot. (There goes all that cybersecurity training that tells us to be suspicious when there’s bad grammar or spelling involved! I mean, you still should, of course. But we are now seeing less and less of it, thanks to AI.) Some scams even include deepfake voices or videos imitating CEOs, delivery reps, or customer-service agents.

Fake and “Ghost” Retail Stores Built Entirely With AI

Many scam sites now feature AI-generated product photos, fake reviews, and dynamic chatbots — giving shoppers a false sense of legitimacy.

Delivery & Shipping-Related Smishing

As retail shipping volume skyrockets, scammers impersonate UPS, USPS, FedEx, and Amazon with frightening accuracy, sending messages about missed deliveries or “address issues.” Yes, these have been around for a while. But AI is making them more authentic-looking and more automated, so they are more prevalent.

Marketplace & Social-Media Scams

Fake ads on Instagram, TikTok, Facebook Marketplace, and local-buy groups are at an all-time high — particularly for hot holiday items like PS5s, LEGO sets, and luxury goods.

Examples of 2025 Scam Messages

It often helps – especially when “training” those with less cybersecurity know-how – to show rather than just tell. So, below are a handful of fictional but true-to-life examples based on the scams dominating this season, including graphics. Hopefully these will help people to visualize exactly what scammers are doing — and pinpoint the red flags to watch for.

Example #1: Fake Amazon Black Friday “Order Confirmation” Email

[Image: holiday scams example]

Red Flags:

  • Misspelled domain in the sender’s URL (“amaz0n”).
  • URGENCY: “verify within 12 hours.”
  • Links that do not lead to Amazon.
  • Unexpected large/pricey order (scare tactic).
  • Generic greeting instead of one individualized with your account name.

Example #2: Fake Holiday Charity Request

[Image: holiday phishing scam example]

Red Flags:

  • Look-alike charity name (there is a real organization named “Holliday’s Helping Hands”. This isn’t it!)
  • Unrealistic donation match.
  • Crypto solicitation.
  • Mismatched domains (holiday-helphands.org, not holiday-helpinghands.org).

Example #3: Fake Flash Sale Email (Ghost Store)

[Image: holiday scam example]

Red Flags:

  • Impossible deals (90% off).
  • Domain registered days ago (common in scam stores; you can look up domain registration on whois.com or godaddy.com).
  • Inside the message you may see urgent 30-minute sale windows.
  • “No returns accepted” often mentioned in the message body.

Example #4: Delivery Smishing Scam

[Image: holiday smishing scam example]

Red Flags:

  • Fake (non-standard) URL.
  • Delivery-related scams surge every holiday season.

Example #5: Fake Gift Card Win Text

[Image: holiday sms phishing scam example]

Red Flags:

  • You never entered a contest.
  • Suspicious URL.
  • Short time window to act (forcing rash decisions).

Example #6: Fake Bank Fraud Alert

[Image: holiday text message scam]

Red Flags:

  • Banks never resolve fraud via links.
  • The dollar amount is intentionally anxiety-triggering.
  • Scammers win whether you click “YES” or “NO.”
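
The look-alike domain red flags in Examples #1 and #2 (“amaz0n”, and holiday-helphands.org versus holiday-helpinghands.org) can also be checked by a mail filter or help-desk script. The sketch below is an added example, not part of the original post; the allowlist, the full `amaz0n.com` sender address, and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Optional, Tuple

# Assumed allowlist of domains the user genuinely deals with (constructed).
TRUSTED = ("amazon.com", "holiday-helpinghands.org")

# Digit-for-letter swaps commonly seen in look-alike names ("amaz0n").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower()


def classify(domain: str, threshold: float = 0.85) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain being imitated or matched)."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return ("trusted", domain)

    # Undo digit swaps; an exact hit now means a deliberate imitation.
    normalized = domain.translate(HOMOGLYPHS)
    if normalized in TRUSTED:
        return ("lookalike-homoglyph", normalized)

    # Otherwise look for near misses such as a dropped syllable.
    best, score = None, 0.0
    for good in TRUSTED:
        ratio = SequenceMatcher(None, normalized, good).ratio()
        if ratio > score:
            best, score = good, ratio
    if score >= threshold:
        return ("lookalike-near-match", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders modelled on the examples in this post.
    for header in ("Amazon Orders <orders@amaz0n.com>",
                   "donate@holiday-helphands.org",
                   "news@example.org"):
        d = sender_domain(header)
        print(d, classify(d))
```

The check compares the full domain exactly as given, so an "unknown" verdict only means the name does not resemble anything on the allowlist, not that the sender is safe.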

Why These Scams Work (Especially During the Holidays)

The holiday season creates the perfect environment for fraud for a bunch of reasons:

  • Urgency + distraction → shoppers move quickly.
  • High email/SMS volume → scams blend into legitimate messages.
  • AI tools make bad actors dramatically more sophisticated.
  • Increased shipping provides believable pretexts for fake delivery updates.

Scammers know you’re busy — and they weaponize that.

How Shoppers Can Stay Safe This Season

  • Don’t click links in emails or texts. Go directly to the retailer’s website instead.
  • Enable MFA on retail, email, and banking accounts. This stops most account takeovers.
  • Be suspicious of unrealistic deals or pressure tactics.
  • Verify charities before giving. Use Charity Navigator or IRS Tax-Exempt search.
  • Monitor your accounts daily.
  • Never provide personal info over text or unsolicited calls.

Wrapping Up

Holiday shopping should be about joy, not fraud. Right? But the rise in AI-driven phishing, fake storefronts, delivery scams, and account-takeover attacks makes 2025 uniquely dangerous.

So by learning AND passing on to others what scams look like (and how to spot those red flags instantly) we can all do our part as a community to keep the season merry and fraud-free.

 

For forty-two years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!

 
