Why has December become cyber-crime’s favourite month?

The festive season once meant a slowdown for businesses, but it has become one of the busiest periods for cyber-criminals. As organisations ease into the holidays, attackers ramp up their efforts, planning intrusions and disruptions when response teams are stretched thin. In December, even small oversights can escalate quickly because threat actors look for every opportunity the season creates.

 

 

A perfect storm of reduced staffing and operational blind spots

 

 

When staff take holiday leave, security teams operate with fewer people, giving attackers more time to move around undetected. In recent years, ransomware groups have often launched attacks during long holiday weekends, knowing that organisations cannot respond as quickly. In December 2022, more than 30 per cent of ransomware incidents occurred on weekends and holidays, according to Cybersecurity Ventures.

 

The average breach during this period cost about £7.5 million due to extended downtime and broader business disruption. A source has reported that major ransomware campaigns are frequently timed for national holidays and long weekends, when defenders are least prepared. CISA and the FBI have also warned that holiday periods are prime targets for disruptive attacks, particularly around Christmas, New Year and other high-leave windows.

 

Year-end IT change freezes add further risk. Many organisations pause updates to avoid disrupting key systems, but this also delays patch cycles and leaves known vulnerabilities exposed for longer.

 

Attackers benefit from this predictability: outdated systems and stalled maintenance give them a stable environment in which to operate. For many organisations, it is worth reframing the “freeze versus patch” dilemma as a strategic choice rather than a seasonal constraint. Options such as canary deployments for gradual updates, or segmented maintenance windows for critical patches, can make security more flexible and resilient throughout the year.

 

As the holidays approach, employees often rush to complete work and may skip standard security checks, respond hastily to emails or approve requests with less scrutiny. Attackers take advantage of this haste. Proofpoint has found that human behaviour remains one of the main drivers of successful attacks, with end-of-year fatigue increasing the likelihood of mistakes.

 

 

Seasonal commerce, charity scams and the economics of disruption

 

 

Even as internal operations slow, online activity intensifies. December is one of the busiest periods for e-commerce, offering attackers a wider surface area for credential-stuffing attempts, fraud schemes and bot-led attacks targeting both retailers and consumers. The Federal Trade Commission warns annually that fake shopping sites, delivery-notification scams and fraudulent online stores rise during the festive season, capitalising on high transaction volumes. 

 

Attackers also exploit the emotional tone of the period. End-of-year donation drives are commonly impersonated in phishing and smishing campaigns, mimicking legitimate charities to lure users into sharing payment information or credentials. Charitable appeals feel benign in December, making them an effective disguise.

Ransomware remains the most significant seasonal risk.

 

The final weeks of the year are operationally sensitive for many organisations, and downtime is far more expensive. This creates pressure to restore services quickly, which attackers understand. Disruption on 23 or 30 December can have an outsized impact on financial reporting, logistics and retail performance, making victims more likely to consider paying.

 

In today’s interconnected economy, the festive season also heightens supply-chain vulnerability. Logistics companies, delivery services, hospitality providers, and online merchants all depend on complex, interlinked systems. If any part of this chain becomes overloaded or insufficiently monitored, something that often happens in December, attackers can find a way in. Even a minor issue in a vendor’s environment can cascade into a wider outage or data breach.