‘Tis the season for joy, giving and…ransomware? Unfortunately, it’s true: Cyber criminals are working around the clock like devious little elves, wrapping up scams like they’re stocking stuffers and increasing cyberattacks by about 30% around the holidays. To top it all off, 40% of organizations aren’t adequately prepared to face off against phishing attacks. As a managed service provider (MSP), this means the holidays are a great time to bolster your cybersecurity efforts with awareness training and proactive measures to help your small and medium-sized business (SMB) clients stay safe.
1. The Lump of Coal: “Your Package Is Delayed”
Looks like: A text claiming your delivery hit a snag. Click here to fix it! (Don’t.)
Reality check: That link probably doesn’t lead to your package; it can lead to credential theft or malware. In fact, the FTC reports this is the most common form of text scam, or “smishing.” Unlike email, text messages don’t have spam filtering, making them a prime target for attackers.
Pro tip: You should always verify delivery updates on the carrier’s official site. If it feels urgent, that’s the scam talking.
Protection you need: Email security with advanced phishing detection and link scanning.
Vendor spotlight: Vade for M365 offers AI-powered email security that blocks phishing and business email compromise before they hit the inbox. Plus, there’s integrated awareness training for users.
2. The Cheap Knockoff: AI-Generated “Too Good to Be True” Deals
Looks like: You get a slick email or social ad offering 70% off the hottest tech gadget or fancy-schmancy athleisure wear. Everything looks legit…sort of.
Reality check: These ads look real by design. They’re scams that use generative AI to mimic real brands and craft copy that’s eerily similar to the real thing. You hand over your card info, then it’s done. No package coming in the mail, just buyer’s remorse. In fact, the FTC estimates consumers lost $432 million to online shopping fraud in 2024. Some of these malicious sites also serve malware through drive-by downloads or infected ads. Leaked Meta documents even predicted that up to 10% of its ad revenue in 2024 came from scam ads.
Pro tip: Stick to trusted retailers, not just trusted platforms. If the deal feels too good to be true, it’s likely a trap.
Protection you need: Web filtering and endpoint protection to block malicious domains and prevent drive-by downloads.
Vendor spotlight: Bitdefender GravityZone delivers multilayered endpoint security with EDR/XDR and real-time threat intelligence.
3. The Lousy Gift Card: Surprise, It’s Malware!
Looks like: You get a festive email from “a friend” with a cute e-card. Who is this friend? Doesn’t matter, there’s a gift card attached! Sure, it’s to a chain restaurant that’s 30 minutes away, but free is free, right?
Reality check: Unfortunately, the old adage that “there’s no such thing as a free lunch” holds true here. That click could download malware or steal your credentials faster than you can say “season’s greetings.”
Pro tip: If you weren’t expecting an e-card, don’t click. This is especially important to remember in the working world, when sales reps regularly send gift cards to customers and prospects. If in doubt, just ask.
Protection you need: While user training is the best way to prevent clicks on malicious links, no amount of training guarantees perfection. MDR steps in when someone inevitably slips up. Unlike EDR, which provides telemetry and signals, MDR adds human-led threat hunting and contextual analysis for 24/7 coverage.
Vendor spotlight: ConnectWise MDR gives organizations human-led threat hunting plus AI-powered detection, available through Pax8 for MSPs who want enterprise-grade protection without the overhead.
4. A Donation to The Human Fund: Fake Charity Scams
Looks like: That heart-tugging appeal to donate to much-needed holiday relief. Surely, someone wouldn’t fake a charity to get your credentials, right?
Reality check: Unfortunately, this is a pretty common practice. So much for the holiday spirit, eh?
Pro tip: Verify charities through sites like Charity Navigator or Give.org before donating. Be especially wary of charities you’ve never heard of, and visit reputable charities’ sites if you’d like to donate, rather than click those links.
Protection you need: Email authentication and anti-phishing controls to prevent spoofed domains. Don’t want to get spoofed? Make sure domains you control — and those you manage for partners — have proper DMARC, DKIM and SPF settings. If that sounds overly complicated, use a DMARC management platform that helps automate the process.
Vendor spotlight: EasyDMARC and Valimail help simplify domain management and authenticate sender identity to stop phishing and protect brands.
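For MSPs who want to see what “proper” SPF and DMARC settings mean in practice, here is an added example (not from the original article or any vendor named here) that audits TXT records for common weak settings. The sample records and `.example` domains are constructed, DNS lookups are left out so it runs offline, and DKIM is omitted because its records live under selector names that vary per mail provider.

```python
def audit_spf(txt_records):
    """Findings for the TXT records published at a domain's apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, evaluation ends in a permanent error"]
    terms = spf[0].lower().split()[1:]
    # Reduce each term to its bare name: "+include:x" -> "include", "a/24" -> "a".
    names = [t.lstrip("+-~?").replace("/", ":").replace("=", ":").split(":")[0] for t in terms]
    findings = []
    if "all" not in names and "redirect" not in names:
        findings.append("SPF: no 'all' or redirect, unmatched senders get neutral")
    for t in terms:
        if t in ("all", "+all", "?all"):
            findings.append(f"SPF: '{t}' does not fail unauthorized senders")
    # RFC 7208 allows at most 10 DNS-querying terms; nested includes are not followed here.
    lookups = sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names)
    if lookups > 10:
        findings.append("SPF: more than 10 DNS-lookup terms in this record")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    if len(recs) > 1:
        return ["DMARC: multiple records, receivers apply no policy"]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none asks receivers to take no action on failures")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

# Constructed sample records: (apex TXT, _dmarc TXT); .example names are placeholders.
SAMPLES = {
    "good.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject; rua=mailto:d@good.example"]),
    "weak.example": (["v=spf1 include:_spf.mail.example +all"], ["v=DMARC1; p=none"]),
    "bare.example": (["site-verification=constructed"], []),
}

def audit(domain):
    return audit_spf(SAMPLES[domain][0]) + audit_dmarc(SAMPLES[domain][1])
```

To run it against live domains, feed the two functions the TXT answers for the domain apex and for `_dmarc.<domain>` from whatever resolver tooling you already use.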
5. The Last-Minute Gift: An “Urgent Request”
Looks like: An email from your “boss” asking you to buy gift cards for clients — ASAP.
Reality check: It’s probably not your boss. It’s a scammer who just scored free money. Naughty cyber criminals can do this by spoofing your boss’ email address or even hacking it.
Pro tip: Just ask your boss if it’s legit — through a known phone number or in person. No one should be buying gift cards over email.
Protection you need: Security Awareness Training to teach employees how to spot social engineering.
Vendor spotlight: Sophos offers security awareness training specific to phishing, in addition to a full suite of security solutions, while the aforementioned email authentication solutions can help you verify the emails you or your clients send.
Why Security Training Is the Best Gift of All
Tech can only do so much. People are ultimately the last line of defense, and they need to know what to look for and what to avoid. Phishing accounts for more than 90% of breaches, and human error drives most security incidents. The fix? Security awareness training paired with coaching. Engaging security awareness programs reduce risk by up to 70%, according to industry reports.
And when it comes to your business? Give yourself and your employees the best gift of all with training that helps you sell, build and support a strong security sales strategy (say that five times fast!). Pax8 Academy offers expert guidance for building a highly effective security program, helping you create a security sales strategy that works. Visit Pax8 Academy to learn more — we promise, it’s legit.


