The 2025 Holiday Fraud Landscape
Fraud isn’t waiting for Black Friday. Our KasadaIQ team analyzed 2025 holiday fraud trends and found that attackers are moving earlier, automating faster, and blurring the line between bots and humans.
Since 2022, Kasada has consistently observed increased bad bot traffic during major sales events in the holiday period. The 2025 holiday period will be defined by an unprecedented scale of automation. With genAI traffic predicted to grow 520% in the 10 days leading up to Thanksgiving, the lines between good bot, bad bot and human will be significantly blurred. KasadaIQ analysis shows that adversaries have already begun pre-positioning for the 2025 holiday period with new levels of automation, earlier configuration sales, and more adaptive attack patterns.
Across retail, hospitality, and quick service restaurant (QSR) sectors, we expect this year’s threat environment to exceed all previous benchmarks for scale and speed. The boom in legitimate traffic and fraud during the 2025 holiday period creates additional challenges for staff on the floor, particularly in telling legitimate complaints and fraudulent claims apart.
This blog outlines Kasada’s key predictions for the 2025 holiday period. These predictions can be used by organizations and their defenders to ensure they are in the best position to meet the impending threats.
View the full 2025 Holiday Cyber Threat Trends Report in partnership with RH-ISAC.
Malicious Configurations to Surge Higher and Earlier than 2024
Key Predictions:
- Available configs will surge in the 2025 holiday period, particularly for accommodation and retail. KasadaIQ expects this surge will be more significant than the 2024 holiday period, noting significant increases in available configs for retail and accommodation throughout 2025.
- The 10 days prior to Thanksgiving and Black Friday will be a peak period for configs, with adversaries trying to get ahead of the major sales events to monetize their services.
Key Dates: November 17, 27, 28, 29 & December 1, 2, 25.
In the 2024 holiday period, advertised configs surged throughout November and December. Configs are pre-built scripts that contain all the settings and parameters necessary for launching an attack, such as account takeover (ATO).
- In the 2024 holiday period, KasadaIQ observed a ~1.7x surge in configs during the 10 days prior to Black Friday.
- Advertised configs spiked the week leading up to Black Friday and over Cyber Monday.
- The most significant spikes in advertised configs were observed December 7-12 and December 23-26.
For the 2025 holiday period, KasadaIQ expects advertised configs will surge in the 10 days prior to Black Friday, but at a larger scale for retail and accommodation. Throughout 2025, KasadaIQ has observed significant increases in configurations available for the retail and accommodation industries.
KasadaIQ has tracked a 92% increase in malicious configurations targeting retail and a 400% increase targeting accommodation industries between January and October 2025.
QSR configs have remained relatively consistent in 2024 and 2025. In 2025, KasadaIQ has observed spikes in configs prior to, and in the first few days of, major sales events. Configs surged 17x during Afterpay Day in August this year.
What it means:
Fraud detection tuned only for peak event days will miss the preparatory phase when attackers validate credentials and infrastructure. Configurations, the pre-built scripts used for credential stuffing, scraping, and automated checkout, are being sold and deployed 10 to 14 days before Black Friday, not during it. This shift indicates adversaries are moving their campaigns earlier to test infrastructure, refine attack scripts, and sell working configs to others before the main event. In practice, this means defenders must begin their heightened monitoring period in mid-November, not Thanksgiving week.
Unprecedented Account Takeover Attempts
Key Predictions:
- KasadaIQ predicts a significant, elevated surge in ATO for the 2025 holiday period, especially for retail. The surge is expected to be elevated compared to the 2024 holiday period due to adversary developments and AI adoption.
- The highest risk period for ATO will be the week prior to Black Friday, as adversaries secure account access for peak shopping days.
- ATO against QSRs will see a smaller rise, with the major spike occurring in the post-Christmas period.
- The boom in legitimate traffic and fraud will create additional challenges for retail staff, particularly distinguishing legitimate customer complaints from a proportionate rise in fraudulent claims and returns.
Key Dates: November 23 – 29 & December 3, 9, 27.
In the 2024 holiday period, retail account sales on criminal marketplaces surged in the lead-up to key sales events. The 2024 holiday period (Nov-Dec) accounted for ~36% of all account sales in 2024.
- From as early as November 5 2024, KasadaIQ observed retail account sales intermittently surging, with the most significant spikes occurring the week prior to Black Friday and Christmas.
- On Black Friday and Cyber Monday, account sales dropped. This reflects criminal marketplaces needing to supply their buyers with accounts before the peak period to maximize account value, avoid lockouts and ensure they can use them on the sale days.
- Over the Christmas period (December 24-26), retail account sales surged again and QSR account sales surged to the highest level for the entire 2024 holiday period. This is likely due in part to holiday and shopping fatigue, as well as gift cards being gifted at heightened levels over the holiday period.
KasadaIQ expects the scale of ATO during the 2025 holiday period will be larger than the 2024 holiday period, especially for retail. KasadaIQ has increased its visibility into criminal marketplaces and online communities in 2025. However, we have also observed increased stock for, and sales of, accounts on criminal marketplaces, particularly for the retail industry. In the last 6 months, KasadaIQ has observed the retail industry as the top target for credential stuffing and ATO.
- In the last 10 months, Kasada has observed 311,592,512 accounts available on criminal marketplaces. Retail accounts represented 63% of these.
- In Q3 alone, stolen account sales rose ~16%, with the retail industry being the number one target overall.
- This is in part due to the massive availability of stolen credentials in 2025, with over 1.8 billion credentials compromised in the first half of 2025, an 800% increase year-on-year. Anecdotally, the adoption of AI by adversaries has also assisted in scaling ATO operations in 2025.
- In the last month, Kasada is aware of at least 1,130 credential stuffing incidents against 133 retail companies, with 264,921 accounts compromised.
Credential stuffing and account theft are usually part of a campaign. Following the first successful compromise, adversaries often continue to target the organization multiple times over the following 1-3 months. In one instance against a US-based retailer, an adversary targeted an organization in 23 distinct incidents between August and October.
Adversaries are also quick to monetize stolen accounts.
- This rapid monetization occurs because adversaries are profit-driven and operate in a highly competitive ecosystem.
- Compromised accounts are the product. The quicker they are sold, the sooner the adversary realizes the return on their investment.
- There is also a risk in delaying account listing on criminal marketplaces, as compromised accounts have a limited lifespan. Victims or retailers will notice and invalidate the credentials.
- Rapid listing also carries a “first-to-use” advantage: the buyer who acts fastest has the best chance of successfully exploiting the credentials before they are detected and invalidated.
What it means:
These campaigns are being timed with precision. Access is gained in the week before Black Friday, when accounts hold stored payment data, loyalty points, and holiday shopping carts ready to use. Credential reuse remains a key enabler of retail fraud. Security and fraud teams must treat ATO as an intelligence-driven, ongoing campaign, not a one-off attack. Look for repeated hits from the same infrastructure clusters and monitor post-compromise resale patterns.
Gift Cards to Remain the Most Efficient Monetization Tool
Key Predictions:
- Gift card fraud will increase significantly in the 2025 holiday period, particularly in the retail industry, as it did in the 2024 holiday period. KasadaIQ expects this to be on an elevated scale.
- For retail, gift card sales are expected to peak in the lead up and immediately after major sales events (Black Friday, Cyber Monday).
- QSR gift card sales are expected to spike throughout December, including Cyber Monday, and stay elevated before dropping during Christmas.
Key Dates: November 17-28 & December 1-3, 13-21.
In the 2024 holiday period, gift card sales for retail peaked in the lead up and immediately after major events (Thanksgiving, Black Friday, Cyber Monday). This is likely linked to retailer promotions as well as gifting preparation.
- Sales dropped following Christmas then rose again in the New Year.
- QSR gift cards also spiked throughout December, including over Cyber Monday, and remained elevated before dropping again over the Christmas period.
- The volume of gift card sales during the 2024 holiday period should not be understated, noting there were 28% more gift card sales in the 2024 holiday period than the entirety of 2025 to date (Jan-Oct).
In the 2025 holiday period, KasadaIQ expects to see increased gift card availability for QSRs and retail when compared to the 2024 holiday period.
- While we have expanded our collection coverage since 2024, we have also seen significant growth in the amount of gift cards available on criminal marketplaces for retail and QSRs throughout 2025.
- Each month in 2025, retail gift cards have had the highest average of availability on criminal marketplaces (30,173), followed by QSRs (25,481). Accommodation gift cards sit far lower, with an average of 34 available each month.
What it means:
Gift card theft and resale follow a predictable pattern. Retail card listings spike immediately before Black Friday and Cyber Monday, then rise again in mid-December. QSR cards peak later in December and remain elevated through New Year’s. Gift card systems are the preferred post-compromise target once an account is breached. Fraud and cyber teams should monitor for rapid redemption velocity, repeated balance checks, and API calls that test card validity. Defensive automation should prioritize these indicators throughout the month of December.
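The three indicators named above (repeated balance checks, API calls that test card validity, and rapid redemption velocity) can be scored per client over a sliding window. The following is an added example, not Kasada's code; the event fields, client names, reason labels and all thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune them against your own baseline.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CARDS = 5    # distinct cards one client may balance-check per window
MAX_INVALID_RATIO = 0.5   # share of those checks that hit non-existent cards
MAX_REDEMPTIONS = 3       # redemptions per client per window

def flag_clients(events):
    """events: (iso_time, client, action, card, outcome) tuples -> {client: {reasons}}."""
    by_client = defaultdict(list)
    for ts, client, action, card, outcome in events:
        by_client[client].append((datetime.fromisoformat(ts), action, card, outcome))
    flagged = defaultdict(set)
    for client, rows in by_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most WINDOW of activity ending at rows[end].
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            checks = [r for r in window if r[1] == "balance_check"]
            redeems = [r for r in window if r[1] == "redeem"]
            if len({r[2] for r in checks}) > MAX_DISTINCT_CARDS:
                flagged[client].add("repeated_balance_checks")
                invalid = sum(r[3] == "invalid" for r in checks)
                if invalid / len(checks) > MAX_INVALID_RATIO:
                    flagged[client].add("validity_testing")
            if len(redeems) > MAX_REDEMPTIONS:
                flagged[client].add("redemption_velocity")
    return dict(flagged)

def sample_events():
    """Constructed log lines, not real traffic."""
    t0 = datetime(2025, 12, 1, 9, 0)
    at = lambda secs: (t0 + timedelta(seconds=secs)).isoformat()
    ev = [(at(30 * i), "client-a", "balance_check", f"GC{i:04d}",
           "valid" if i < 2 else "invalid") for i in range(8)]
    ev += [(at(60 * i), "client-b", "redeem", f"GC9{i:03d}", "ok") for i in range(4)]
    ev += [(at(0), "client-c", "balance_check", "GC5000", "valid"),
           (at(45), "client-c", "balance_check", "GC5000", "valid"),
           (at(90), "client-c", "redeem", "GC5000", "ok")]
    return ev

if __name__ == "__main__":
    for client, reasons in sorted(flag_clients(sample_events()).items()):
        print(client, sorted(reasons))
```

The client key here is a single identifier; in practice it would be whatever device, session or network fingerprint your telemetry already provides.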
AI-Powered Bots Will Dominate Traffic
Key Predictions:
- Fake account creation and scraping (as a precursor for retail bot activity) will increase from October.
- Peak bot activity will likely occur during the week prior to Thanksgiving and Black Friday, and will continue at scale during major sales events.
- Bots are expected to target loyalty member and early access deals.
- Adversaries will engineer unwanted automation to maximise value across the entire holiday period, exploiting operational fatigue during the most chaotic weeks of the year.
- For the first time during a holiday period, traffic will be majority automated due to agentic AI (both “good” and “bad” bots). The scale of traffic will be unprecedented, with risks of excessive charges for traffic that does not convert to revenue.
Key Dates: November 17 – 29 & December 3, 9, 26, 27.
In the 2024 holiday period, bot checkouts surged from 24-28 November, with a subsequent spike on Black Friday. This suggests bots were actively exploiting early access deals and loyalty member discounts.
- Bots will generate accounts for loyalty members or early access lists, aging these accounts to use them to gain access to gated URLs and members-only pre-sale windows. This can allow them to bypass the public sale queue entirely.
- Bots also conduct elevated scraping activity in the weeks leading up to Black Friday to configure the purchase script for the exact moment limited inventory is made available. A similar pattern was observed in the weeks leading up to Christmas and the three days directly prior to Christmas day.
In the 2025 holiday period, KasadaIQ expects to see increased retail bot activity, particularly in the 2 weeks before Black Friday. In 2025, KasadaIQ has observed major bot checkout spikes from the first day of a sale event, for the duration of the sale period. For example, during both the March and August Afterpay Day Sales events we observed notable spikes in bot checkouts.
Botters are already talking about strategies and plans for Black Friday and Cyber Monday in online communities. Notably, Black Friday is getting far more attention from botters than Cyber Monday, with Black Friday mentioned 12x more.
- Some botters go into a quiet period in the lead up to Black Friday and Cyber Monday, with the core advice across different communities to hold off for Black Friday.
- Some groups offer special deals and discounts in the lead-up to holiday sales in online communities. These groups use Black Friday to create a sense of urgency and demand.
The potential scale of retail botting in the 2025 holiday period is significant, and it will be harder to differentiate between bot and human. Since 2024, agentic AI has significantly expanded. Adobe Analytics has predicted that AI traffic to US retail sites will grow 520% in the 10 days leading up to Thanksgiving, compared to 2024.
- Traditional detection systems look for non-human speed or perfectly consistent actions. An agentic AI, however, is designed to introduce natural-looking variances, delays, and mistakes, making it appear indistinguishable from a consumer who is using a legitimate AI-powered shopping assistant. This carries a number of potential risks, including increased operational expenses. Agents, both good and bad, bypass the frontend website to query backend APIs for real-time inventory and pricing.
- Retailers must over-provision cloud resources to handle the surge. The cost of serving AI traffic (especially bad bot traffic) will cut into holiday profit margins.
What it means:
Traditional bot mitigation based on rate-limiting or uniform pattern detection is no longer sufficient. Organizations should focus on behavioral fingerprinting, API-level defense, and adaptive countermeasures that can detect high-entropy agent behavior in real time.
Preparing for the 2025 Fraud Season
The 2025 holiday period will challenge existing fraud prevention and bot management programs across every layer of the eCommerce ecosystem. Defenders should prepare for a convergence of consumer-driven traffic, AI-assisted automation, and monetization pipelines operating in parallel.
Recommended Actions
- Start Monitoring Early
Shift fraud readiness windows two weeks earlier than in previous years. Baseline legitimate traffic before mid-November to spot anomalies.
- Focus on Account Integrity
Apply adaptive MFA triggers and anomaly detection for logins that originate from automated tools or new device types.
- Defend APIs
Many bots now bypass web protections by directly targeting APIs. Implement authentication, rate controls, and anomaly scoring at the API layer.
- Integrate Fraud and Security Operations
Unify fraud analytics, ATO telemetry, and bot detection feeds under one operational view. Cross-functional collaboration enables faster triage.
- Track Criminal Marketplaces
Use external threat intelligence to monitor configuration sales and brand mentions. Early detection of active configs can provide advance warning of fraud campaigns.
Looking Ahead
Fraud this holiday season is not just a retail problem – it’s a data and automation problem. Attackers are scaling faster than organizations can react, using AI to exploit the same digital efficiencies that retailers depend on.
Kasada assesses that the most resilient organizations will be those that combine real-time visibility, adaptive defenses, and cross-team coordination. This holiday period will test the boundary between human and bots not only in customer experience, but in security itself.
About KasadaIQ
KasadaIQ provides real-time intelligence on automated threats and online fraud targeting eCommerce, retail, and digital businesses. The Kasada Threat Intelligence team continuously tracks adversary infrastructure, marketplace activity, and evolving automation tactics to support proactive defense.
To access KasadaIQ insights or connect with our team:
📧 team-threat-intel@kasada.io
