Holiday Scams: 'Tis the Season to Be Wary

In 2021, bad bot usage increased more than 106% year-over-year. Bot attacks are most often targeted at Hardware/Software/Electronics; Health and Wellness; and Sports and Recreation businesses.6 But any business is fair game.

Card Skimming
Fraudsters place malicious code within sites to steal card data. This “card skimming” is an old trick, but some new variants exploit the popular open-source plugin WooCommerce.7

  • Slect Skimmer
    Here, the word “select” is purposely misspelled in the script, which searches for form fields from which the fraudster doesn’t want to pull data. Then a listener awaits the click of a button.

  • WooTheme Skimmer
    Compromises third-party themes and technologies used in WooCommerce pages.

  • Gateway Skimmer
    Contains an inordinate amount of code and uses the terms “gate” or “gateway” to hide or make malware processes unclear.

Each of these Magecart skimmers works to avoid detection while stealing.

Ransomware
Some thieves aren’t happy with simply stealing; they want to shut down your entire operation and extort a large payment. Their tactic of choice is ransomware. Over a four-year period, global cybersecurity AI firm Darktrace detected a 70% spike in attempted ransomware attacks during the months of November and December. Incidents between Christmas and the New Year are also increasing.8

Phishing-as-a-Service
Every innovation seems to have a dark side. Phishing-as-a-Service (PhaaS) perpetrators use their skills to recruit and/or assist others to commit cybercrimes. They usually sell their products and services — including kits with code, stolen personal information, fake domain and email templates, target lists, and more — on the dark web. PhaaS enables aspiring criminals to cheaply, easily, and frequently commit cyberattacks. This scam is usually targeted at major brands and is popular leading up to Black Friday. Seventy-three percent of organizations have been victimized in the last two years.9

Brick and mortars aren’t safe from holiday scams either.
Though online fraud is the “crime du jour,” physical retailers aren’t exempt and should be particularly careful to protect assets during the holidays. Tried and true threats include:

  • Shrinkage
    Most retailers have come to expect some shrinkage throughout the year. However, shoplifting, fraud and employee theft often rise by more than 15% during the holidays, with 37% of retailers’ annual shrinkage occurring during the holidays.10 Criminals count on employee absences, a more relaxed office environment, and high foot traffic to go unnoticed during this time.

  • Organized Retail Crime
    Crime rings are also busy during the holidays. Early on, they may confiscate goods anywhere in the supply chain before delivery to the store. This “cargo theft” accounts for up to $30 billion in losses each year.11 “Push out” theft is akin to shoplifting, but on a much larger scale. Criminals cart up larger items and take them without paying. The average loss for this crime is $1,342 and 10% of these acts end in violence.12

Fraud is unbelievably expensive.
To say that fraud is harmful to the bottom line is an understatement. Fraud costs are enormous. According to a PwC survey, of the 52% of businesses with annual global revenues of more than $10 billion that experienced fraud, 20% said their “most disruptive [fraud] incident” cost more than $50 million.13

Early detection and prevention are key to protecting your business during the holidays and always.
The first critical step in protecting your business from criminal activity during the holidays is conducting an assessment. Evaluating your risk for theft, cybercrime and occupational fraud reveals weak spots and vulnerabilities and allows you to create systems and processes to protect your assets.

Every industry has unique fraud challenges, and different channels require different solutions. Seek the advice of professional advisors who can help you identify and reduce fraud risk for your specific business circumstances. Also consider a few best practices.


  1. Layer fraud prevention tools.
    Because there are so many diverse channels and criminal tactics, businesses should adopt a layered approach to fraud prevention. IBM recommends a comprehensive digital security plan that addresses the system, network, application, and transmission levels individually. Then document how the levels will integrate with each other.14

    Whatever fraud mitigation steps you take, keep in mind that you don’t want to create additional “friction” – slow or unpleasant interactions – with customers. Fraud prevention tools should be a seamless part of the customer experience.

  2. Maintain tight internal controls.
    Firmly manage accounting controls such as segregation of duties, audits and management review of expenses, bank statements and collections. Set thresholds and limits for customer and employee purchases, with oversight for above-limit purchases and too-frequent return attempts. Examine commission policies to ensure that employees are not rewarded for selling to friends, family or fraudsters who will return merchandise in the post-holiday period.

  3. Continually update systems and software.
    Fraudsters change their techniques and technologies often, seeking new vulnerabilities to exploit your systems and processes. Start with a comprehensive plan, but always test your network, systems, and software to ensure they support a strong security posture. “If-then” logic programs recognize patterns that are already identifiable. Newer technologies with machine learning recognize data associated with fraud patterns and automatically react to new outcomes and patterns via a feedback loop.

  4. Establish consistent training and processes.
    Consistency exposes anomalies. Regardless of channel, with uniform training and fraud prevention procedures, your team will be more likely to recognize inconsistencies that point to fraud and cost you money. Implement training that drives home standardized practices, despite holiday chaos.

  5. Immediately report suspicious activity.
    If you experience application pop-ups, error messages, unfamiliar login screens, suspicious emails, or other unusual activity, report them to your security team right away. Do not click on suspicious links. The FBI hosts a comprehensive cybercrime site, where you’ll find tips to protect your business, news, and instructions for reporting a claim if you believe you’ve been a victim.

  6. Staff up – especially security professionals.
    If you have brick-and-mortar locations, be sure you’re staffed at an appropriate level to protect your store. You might consider limiting the number of customers in the store at any one time. For online retailers, staffing up IT and customer service teams can help relieve holiday fatigue and make it easier to deter fraudsters using web, chat, and phone channels. No matter how you do business, ensure that your employees are properly trained to quickly identify, escalate, and mitigate fraud attempts.

Beware — and be aware
Holiday scams do lasting damage during the holidays, stealing profits at a time when many businesses are counting on their biggest sales of the year. With so much at stake, business owners and executives can’t afford to neglect holiday fraud. Beware of fraudsters — and be aware of the steps you can take to thwart their schemes.

Synovus is on your side in the fight against holiday fraud. Let us help you protect, manage, and grow your business. For more information, simply complete a short form and a Synovus Treasury & Payment Solutions Treasury Consultant will contact you with more details. You can also stop by one of our local branches.

Important disclosure information

This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.

  1. TransUnion, “Suspected E-Commerce Fraud Attempt Rates Between Thanksgiving and Cyber Monday Increase 25% Compared to the Rest of the Year,” December 2, 2021
  2. Insider Intelligence/eMarketer, “US Ecommerce Forecast 2022,” July 26, 2022
  3. Arkose Labs, “6 Hottest Fraud-Fighting Trends,” Q4 2021
  4. Ibid.
  5. Federal Bureau of Investigation, “Internet Crime Report 2020”
  6. PerimeterX, “Automated Fraud Benchmark Report,” 2022
  7. CSO, “Security Lessons from 2021 Holiday Shopping Fraud Schemes,” December 21, 2021
  8. Darktrace, “Darktrace Reports 30% More Ransomware Attacks Targeting Organizations During the Holiday
  9. CPO Magazine, “Phishing-as-a-Service Brings Cybercrime to the Masses,” January 20, 2022
  10. Security Today, “Billions on the Line: Keeping Stores and Shoppers Safe During the Holidays,” November 15, 2021
  11. Ibid.
  12. Ibid.
  13. PwC, “PwC’s Global and Economic Crime Survey 2022”
  14. IBM, “The Layered Approach to Security,” April 14, 2021