Holiday Cybersecurity Threats

What Public Safety & Local Governments Should Know

The holidays bring more than travel, celebrations, and year-end tasks.

They also bring a spike in cyberattacks.

Intelligence from industry monitoring consistently shows holiday-themed phishing, ransomware attempts, and scam activity jump sharply in late November and December, taking advantage of reduced staffing and operational distractions.

In 2024 and heading into 2025, threat actors also increasingly leveraged AI-generated phishing emails, fake login pages, and impersonation scams, making this year’s seasonal threat landscape even more dangerous.

Public safety agencies, PSAPs/ECCs, and local governments remain high-value targets during these periods.

Attackers know that:

  • Staff rotates or operates at minimum levels

  • IT teams delay patches and non-critical work

  • Response times lengthen during holidays

  • Increased public-facing activity fuels social engineering

This combination creates an ideal window for attackers looking to deploy ransomware, steal credentials, or exploit dormant vulnerabilities.


Common Holiday-Themed Attack Tactics

Threat actors consistently rely on holiday-themed lures and timing. The most common patterns include:

1. Holiday-Themed Phishing Emails

Examples include:

  • Fake package-delivery notices (UPS/FedEx/USPS)

  • False holiday bonuses or HR updates

  • Fraudulent invoices labeled “year-end” or “budget rollover required”

  • “Urgent” password resets for commonly used platforms

These messages now often appear more legitimate due to AI-driven copywriting and impersonation.

2. Fake Retail, Travel, or Government Websites

Attackers spin up convincing spoof sites to:

  • Harvest credentials

  • Distribute malware

  • Capture payment information

  • Trick staff into downloading infected “receipts,” “order confirmation PDFs,” or “annual tax notices”

3. Ransomware Deployed During Low-Staff Windows

Ransomware groups often strike:

  • Late nights

  • Weekends

  • Long holiday breaks

The reason is simple: the longer an attack goes undetected, the more damage is done — increasing the ransom leverage.

4. Vendor & Third-Party Compromise

Holiday periods often mask:

  • Compromised vendor credentials

  • Unauthorized access through external IT partners

  • Exploitation of unpatched vendor software

If you rely heavily on outside providers, holidays increase risk.

5 Immediate Actions to Take Before the Holidays

These are the highest-impact steps agencies can take right now to reduce cyber risk heading into Thanksgiving and December holidays:

1. Verify Backups — Offline, Tested, and Recoverable

Run a quick check to ensure:

  • Backups exist outside the production network

  • They have been successfully restored at least once

  • Documentation is updated and known by on-call staff

Backups often make the difference between recovery and catastrophic data loss.

CISA


2. Enable MFA Everywhere: Especially Admin & Vendor Accounts

Phishing-resistant MFA dramatically reduces the probability that a credential compromise becomes a system compromise. Prefer:

  • App-based authentication

  • Hardware tokens

  • Passkeys

Avoid SMS where possible.

NIST


3. Confirm 24/7 Monitoring Coverage

Whether in-house or outsourced, ensure:

  • Someone is watching alerts 24/7/365

  • Escalation paths are clear

  • Contact numbers are documented

  • Paging/on-call rotations are locked in for holidays

If your team can’t cover this, consider managed detection and response (MDR) or a standby incident team.
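A quick way to confirm the rotation really is locked in, as an added example that is not SecuLore's tooling: walk the on-call shifts across the holiday window, report every interval with nobody assigned, and list anyone on the rota without a documented contact number. The dates, analyst names and phone numbers are constructed.

```python
from datetime import datetime

def coverage_gaps(shifts, window_start, window_end):
    """Return (start, end) intervals inside the window with nobody on call."""
    gaps, cursor = [], window_start
    for start, end, _who in sorted(shifts, key=lambda s: s[0]):
        if end <= cursor:          # shift already covered by earlier ones
            continue
        if start >= window_end:    # shift begins after the window closes
            break
        if start > cursor:         # nobody assigned between cursor and start
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < window_end:        # rota runs out before the window ends
        gaps.append((cursor, window_end))
    return gaps

def uncovered_hours(gaps):
    """Total unmonitored time, in hours."""
    return sum((end - start).total_seconds() for start, end in gaps) / 3600

def missing_contacts(shifts, contacts):
    """People scheduled on call who have no documented contact number."""
    return sorted({who for _s, _e, who in shifts if not contacts.get(who)})

def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed holiday window and rota (hypothetical names and numbers).
WINDOW = (_t("2025-12-24 00:00"), _t("2025-12-27 00:00"))
SHIFTS = [
    (_t("2025-12-24 00:00"), _t("2025-12-24 12:00"), "analyst_a"),
    (_t("2025-12-24 12:00"), _t("2025-12-25 00:00"), "analyst_b"),
    (_t("2025-12-25 08:00"), _t("2025-12-25 20:00"), "analyst_c"),
    (_t("2025-12-25 18:00"), _t("2025-12-26 06:00"), "analyst_a"),
    (_t("2025-12-26 06:00"), _t("2025-12-26 18:00"), "analyst_b"),
]
CONTACTS = {"analyst_a": "555-0100", "analyst_b": "555-0101"}

if __name__ == "__main__":
    gaps = coverage_gaps(SHIFTS, *WINDOW)
    for start, end in gaps:
        print(f"UNCOVERED {start:%a %d %b %H:%M} to {end:%a %d %b %H:%M}")
    print("hours uncovered:", uncovered_hours(gaps))
    print("no contact number:", missing_contacts(SHIFTS, CONTACTS))
```
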

4. Conduct a 15-Minute Incident Response Drill

Run one fast scenario:

  • Phishing email

  • Suspicious login

  • Isolating device

  • Notifying leadership

This ensures people know:

  • Who calls whom

  • How systems get isolated

  • Who contacts vendors

  • Who documents the event

Tabletops significantly reduce mistakes during live incidents.

5. Remind Staff About Holiday Scams

A quick internal bulletin or roll-call reminder should highlight:

  • Fake shipping/delivery texts

  • Fake “budget rollover” or “invoice correction” emails

  • Too-good-to-be-true seasonal offers

  • The “three-second pause” rule before clicking

Holiday-themed scams often bypass normal skepticism because they blend into seasonal workflow.

Before you leave for the holiday, confirm the following:

  1. Backups
    • Offline backup verified

    • Successful restore test completed

  2. Access & Authentication

    • MFA enabled on admin accounts

    • Vendor access reviewed/limited

  3. Monitoring & Escalation

    • 24/7 monitoring in place

    • Escalation tree updated

    • On-call schedule confirmed

  4. Incident Response

    • IR plan accessible to all necessary staff

    • One short tabletop drill conducted

  5. Staff Reminders

    • Watch for shipping/invoice/vendor scams

    • Avoid clicking seasonal “urgent” emails

    • Have an incident response plan and team in place ready to act if a threat happens. Watch our on-demand webinar to learn how.

    • Employ third-party monitoring services that work 24/7/365 to cover your gaps

    • Provide cyber awareness training for all staff members

    • Phishing scams are still the most prevalent form of attacks to gain access to a network

    • Understaffed organizations may be more likely to fall victim to phishing attacks during this time of year

    • Always follow the 3-second rule before clicking on anything and never click on any attachment you weren’t expecting

Vigilance and awareness are the first steps to securing your network. Accidents do happen, and reporting them immediately, before an incident escalates, is critical to minimizing the damage, as is giving your staff grace so they feel comfortable reporting incidents quickly.


SecuLore Is Here If You Need Us: 24/7/365

If you suspect an incident, even if you aren’t a SecuLore customer, our US-based SOC and incident response experts are available to guide containment and mitigation immediately.

Learn more: Read CISA’s StopRansomware guide and RH-ISAC’s Holiday Trends report for specific indicators and mitigation steps.

Your operations can’t pause. Neither do we.
