Cybersecurity Risks in Banking Surge During the Holiday Season

Cybersecurity Risks in Banking Surge During the Holiday Season

I was recently the target of a phishing attack, this time through a very well-crafted email. After doing some research, it appeared that the content indeed looked exactly like those originating from a legitimate banking institution. In this case, the criminals used typosquatting (using a .co domain instead of the .com original) to lure me to “open a bank account” with discounts on banking fees as a special offer during the holiday season.

The holiday season is a time of joy, generosity, and, for many, increased spending. From gift shopping to travel and festive meals, consumers often stretch their budgets in ways they do not during the rest of the year. For major consumer banks and online banking platforms, this seasonal surge presents not just a spike in transactions but also a host of cybersecurity challenges. Cybercriminals know that when spending is up, vigilance is often down, creating the perfect storm for fraudulent activity.

A Frenzy of Transactions: Opportunity for Fraud

During the holidays, the volume of transactions skyrockets. Online banking portals process payments for gifts, caterers, and airlines, while mobile apps buzz with the activity of users transferring funds or checking balances. Banks also ramp up marketing efforts, rolling out end-of-year promotions and charity campaigns to engage customers. All this activity expands the number of ways cyber criminals can attempt to compromise systems or steal data.

The huge number of transactions can also obscure fraudulent charges. Many consumers may not realize how much they have spent until January, when their bank statements finally catch their attention – if they ever check them. By then, small fraudulent charges, slipped in amidst legitimate purchases, may go unnoticed, and larger ones can be harder to trace. The perpetrators of these crimes count on this post-holiday financial fog to avoid detection.

Fraud in Plain Sight: The Most Common Tactics

Cybercriminals have refined their holiday season playbook over the years. One of their most effective tools is, of course, phishing. During this season, inboxes are flooded with promotional emails, charity appeals, and sale alerts. Among the legitimate offers, fake emails lure users to counterfeit login pages or entice them to share their credentials. Once criminals have access to the latter, account takeover attacks allow them to drain funds or make unauthorized purchases.

Payment systems used by retailers also come under heavy fire. Payment terminals, also known as point-of-sale (POS) systems, often integrated with banks, are frequent targets. Compromised systems can leak cardholder information or allow unauthorized transactions. Between Black Friday and Christmas 2013, credit card numbers of almost 40 million customers were stolen from 2000 Target stores around the U.S. by accessing data directly on POS systems. Meanwhile, mobile banking apps face threats like man-in-the-middle (MitM) attacks, where hackers exploit unencrypted public Wi-Fi networks to intercept sensitive data. Travelers, in particular, are vulnerable, as they rely on airport or hotel Wi-Fi during the busiest travel season of the year.

Why Customers and Banks Struggle to Catch Fraud

A major reason holiday fraud often goes undetected is that consumers are less likely to scrutinize their transactions during this time. Shopping sprees, frequent dining out, and gift-buying blur spending patterns, making unusual activity harder to spot. A small fraudulent charge, disguised as a legitimate purchase, may blend into a crowded bank statement. By the time consumers notice discrepancies, weeks may have passed.

Online stores exploit human psychology and its biases to make impulsive purchases. Time is of the essence: the faster a consumer takes a decision, the better for the seller. Once the payment is posted, it is too late for second thoughts. The success of fast fashion exemplifies this: nowadays, clothing is worn only an average of 7 to 10 times before being thrown away – if it was ever worn. In my case, I was curious enough to hover over the hyperlinks and spotted that I would indeed have been redirected to an illegitimate infrastructure. But how many consumers do this?

Banks face their own challenges. Many rely on customers to report fraud, which can delay response times. The burden of proof, in some cases, falls on the customer to identify and dispute unauthorized transactions. For banks, the cost of reimbursements can quickly add up, particularly when fraud becomes widespread. Beyond the financial loss, the reputational damage of being perceived as “unsafe” during the holidays can have long-term consequences on the brand’s image.

Fraud during the holiday season is not just an inconvenience: it is a significant financial and operational burden for banks. Reimbursing customers for unauthorized transactions is expensive, but it is often the reputational damage that stings the most.

A bank might have tightened its cyber defenses in an advanced way. Its e-banking might be extremely well-protected with robust security protocols. However, criminals, like in my case, may impersonate the bank by setting up a phishing infrastructure which control is out of the hands of the institution, with which the criminals will exploit human weaknesses to harvest credentials. Hence, a bank that is perceived to poorly manage its cybersecurity risks losing customers to competitors, especially in an era when digital security is a key part of customer trust and competition is fierce.

There is also the regulatory aspect to consider. Banks that fail to adequately secure their systems can face steep fines or additional scrutiny from regulatory bodies. With the growing emphasis on consumer data protection, particularly under regulations such as the General Data Protection Regulation (GDPR), the Network and Information Security Directive (NIS 2), and the upcoming Digital Operational Resilience Act (DORA) in the European Union or state-level privacy regulations, Federal Trade Commission (FTC) and Security and Exchange Commission (SEC) rules in the U.S., banks that fall short risk more than just monetary penalties.

Banks do not have to remain passive during the holiday fraud boom. Proactive measures can make a significant difference in reducing risk. One of the most effective strategies is, of course, encouraging customers to enable multi-factor authentication (MFA). Even if a user’s credentials are stolen, MFA or advanced options such as passkeys, add an extra layer of security, making account takeovers far more difficult. 

Banks using their bargaining power can also play a role in forcing their suppliers and partners to adopt more robust security measures, to avoid so-called “supply chain attacks”, such as in Target’s hacking in 2013 where the criminals penetrated Target’s network by stealing a HVAC supplier’s remote maintenance credentials.

Transaction-level fraud detection systems powered by artificial intelligence and machine learning can also help by identifying unusual transaction patterns in real time. For instance, if a customer’s card is used simultaneously in an unusual location or in two different locations, the system can flag the transaction and block it for further investigation.

Preemptive fraud detection (PFD) systems are currently on the rise. They can detect malicious infrastructures that are being set up to attack a banking institution and preempt the attack before it has ever been launched, so banking institutions do not have to deal with huge volumes of attacks anymore.

Educating customers is another vital step. Banks should run seasonal campaigns warning of phishing scams and advising users to avoid using public Wi-Fi for sensitive transactions. Simple reminders, such as urging customers to review their statements regularly, can help catch fraud before it escalates.

Finally, banks need to ensure the security of their own systems is robust. Regular security audits, timely software updates, and strong endpoint monitoring can go a long way in reducing vulnerabilities. A robust incident response plan is also essential: the faster a bank can respond to an attack, the less damage it is likely to cause.

Looking Beyond the Holidays

The vulnerabilities exposed during the holiday season are not unique to this time of year: they are simply amplified by the volume and velocity of transactions, coupled with the speed and emotions of decision making in purchases. By treating the holiday season as a stress test, banks can identify weak points in their processes and systems and use those insights to build more resilient infrastructure year-round. 

Needless to say, though, criminals regularly target banks throughout the year, simply because they need to prepare their holiday attacks beforehand. Hence, banks have to remain vigilant year-round. 

The holidays should be a time of celebration, not worry. For banks, safeguarding customer trust by staying ahead of cybercriminals is not just good business: it is essential to their survival in an increasingly digital world.