
Flashpoint’s 2025 Holiday Threat Assessment

In this post we detail the top cyber and physical threats this holiday season, including QR code fraud, gift card draining, and high-volume phishing campaigns.

November 17, 2025

The 2025 holiday shopping season is expected to bring record retail spending, with US sales projected to surpass $1 trillion USD for the first time. At the same time, this surge in online activity and spending creates a lucrative environment for financially motivated threat actors. Here’s what security teams and shoppers can expect as cybercriminals intensify their efforts to exploit the holidays:

1. QR Code Fraud

The rapid, global adoption of Quick Response (QR) codes for everything from promotions to payments has fueled a parallel growth in fraud, which Flashpoint assesses will continue to increase in both usage and sophistication. This attack vector relies less on complex technical exploits and more on social engineering, exploiting the consumer’s trust at the expense of the retailer.

The core technique involves creating convincing fake QR codes that redirect victims to malicious sites, often using readily available public QR code generators. Here’s how it works:

  • Code Creation and Placement: Threat actors create a malicious QR code that links to a phishing page, a site hosting malware, or a false payment portal. They then physically place fake QR code stickers over store displays and payment portals, or digitally distribute them via fake promotional emails or text messages sent to unsuspecting shoppers.
  • Social Engineering and Scan: The victim is tricked into scanning the code, believing they are accessing a promotion, a discount, or a payment system. This is an effective phishing tactic because the hidden URL isn’t immediately visible, and the user is encouraged by convenience to act quickly.
  • Compromise: The scanned code redirects the user to the malicious destination. This could be a fake login page (to steal credentials), a site that initiates a malware download, or a payment portal designed to steal credit card details or bank account information. In sophisticated QRLJacking attacks, the scan may hijack the user’s session, bypassing security controls like two-factor authentication.

2. Gift Card Draining

The widespread popularity of gift cards has made them a prime target for organized financial crime, specifically financially motivated organized fraud groups. Known as gift card draining, this illicit operation is a high-volume, low-risk monetization channel for criminals that has since been dominated by Chinese nation-state actors.

The process is highly organized. Recruited affiliates, often Chinese nationals seeking employment who are lured in by high-paying job ads on Telegram and Chinese job sites, are tasked to physically tamper with gift cards in retail stores.

First, they lift and reseal the protective sticker to obtain the PIN and card number. Then, the fraud operators leverage specialized software to monitor the card’s status. The moment a consumer purchases and activates the card at the register, the funds are instantly drained. These stolen balances are then used to purchase high-value, easily resalable goods, such as smartphones, tablets, and luxury items. These goods are then usually trafficked back to China.
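The draining sequence described above leaves a recognizable trail in a card issuer's or retailer's logs: repeated balance inquiries on a card that has not been sold yet, then a redemption seconds after activation. The following detection sketch is an added example, not Flashpoint's code; the event names, sample records, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data: (ISO timestamp, card id, event type).
EVENTS = [
    ("2025-11-20T09:00:00", "CARD-A", "balance_check"),
    ("2025-11-20T09:30:00", "CARD-A", "balance_check"),
    ("2025-11-20T10:00:00", "CARD-A", "balance_check"),
    ("2025-11-20T10:30:00", "CARD-A", "balance_check"),
    ("2025-11-20T11:00:00", "CARD-A", "activate"),
    ("2025-11-20T11:00:45", "CARD-A", "redeem"),
    ("2025-11-20T12:00:00", "CARD-B", "activate"),
    ("2025-11-20T12:05:00", "CARD-B", "balance_check"),
    ("2025-11-22T15:00:00", "CARD-B", "redeem"),
    ("2025-11-20T13:00:00", "CARD-C", "balance_check"),
    ("2025-11-20T13:20:00", "CARD-C", "balance_check"),
    ("2025-11-20T13:40:00", "CARD-C", "balance_check"),
    ("2025-11-20T14:00:00", "CARD-D", "balance_check"),
    ("2025-11-20T14:10:00", "CARD-D", "activate"),
    ("2025-11-20T14:12:00", "CARD-D", "redeem"),
]

def analyze(events, min_pre_checks=3, drain_window=timedelta(minutes=10)):
    """Return (drained, at_risk).

    drained: cards polled before activation and redeemed within drain_window of it.
    at_risk: cards polled before activation that have not been sold yet.
    """
    pre_checks = defaultdict(int)   # balance inquiries seen before activation
    activated_at = {}
    drained = {}
    for ts, card, kind in sorted(events):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "balance_check" and card not in activated_at:
            pre_checks[card] += 1
        elif kind == "activate":
            activated_at[card] = when
        elif kind == "redeem" and card in activated_at and card not in drained:
            delay = when - activated_at[card]
            if pre_checks[card] >= min_pre_checks and delay <= drain_window:
                drained[card] = {"pre_activation_checks": pre_checks[card],
                                 "seconds_to_redeem": int(delay.total_seconds())}
    at_risk = sorted(c for c, n in pre_checks.items()
                     if n >= min_pre_checks and c not in activated_at)
    return drained, at_risk

if __name__ == "__main__":
    drained, at_risk = analyze(EVENTS)
    print("drained after activation:", drained)
    print("polled but not yet sold (pull or block at activation):", at_risk)
```

The at-risk list is the more actionable output: a card that is being polled while still on the shelf can be pulled or blocked at the register before a shopper loads funds onto it.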

3. Phishing and Social Engineering

Phishing has always been a critical threat vector during the holidays. Flashpoint expects threat actors to deploy highly tailored phishing emails and text messages designed to steal sensitive information such as login credentials and financial details from unsuspecting retail employees and shoppers.

For retailers, these messages may masquerade as:

  1. Urgent vendor invoices or overpayment scams
  2. Spoofed shipping or supply chain notices
  3. CEO, Executive, or managerial requests for gift card purchases

For shoppers, they appear in the form of high-value discount offers or coupons for electronics and appliances, as well as fake order confirmations or bogus shipping and delivery notices from major carriers. During the holidays, the line between a legitimate promotion and a scam is increasingly blurred, as retailers often heavily incentivize online shopping by issuing similar coupon codes via email and text.

4. Crowds and Violence

While the digital domain encapsulates most of the threats in the 2025 holiday season, large holiday events and public gatherings—such as Black Friday doorbusters and the Macy’s Thanksgiving Day Parade in New York City and various European Christmas markets or Hanukkah events—may become targets, as global social and political tensions remain heightened. 

Large holiday events and public gatherings may become targets of opportunity for lone actors. Such events allow threat actors to target large, concentrated crowds. There are both symbolic and tactical considerations that draw threat actors to target these holidays, including the concentration of crowds at celebrations, the perceived vulnerability of those participating in festivities, and the inherent significance of holidays, both culturally and religiously.

Black Friday “doorbuster” events carry an inherent safety risk due to large and unruly crowds. Historically, these shopping events have led to serious injuries and even fatalities, as customers stampede to reach discounted items. Furthermore, retailers face a dramatic rise in violence against retail workers, which encompasses physical and verbal assault, harassment, and gun violence.

For a full list of safety and preparation steps, download Flashpoint’s Physical Protection checklist.

Protect Against Holiday Threats Using Flashpoint

To effectively combat these evolving digital threats, organizations need proactive, primary-source threat intelligence. Leveraging Flashpoint’s solutions, retail organizations gain unparalleled visibility into illicit communities, criminal TTPs, and access to the compromised data driving these attacks, allowing them to proactively manage risk and protect revenue. Request a demo today to ensure a safer holiday season.
