December distractions are a cybercriminal’s playground. AI-enhanced scams exploit holiday stress and online shopping habits, but a zero-trust mindset and simple verification steps can keep your festive season safe.
The end-of-year fatigue is a biological reality that cybercriminals bank on. While December is traditionally associated with winding down, for the digital underworld, it is the busiest quarter of the year. The combination of high transaction volumes, skeleton crews at the office, and a collective psychological state of distraction creates the perfect storm for social engineering.
This year, however, the threat landscape has shifted yet again. According to Anna Collard, SVP of content strategy & CISO advisor at KnowBe4 Africa, we are facing what can be termed "Social Engineering 2.0" – attacks weaponised by artificial intelligence (AI) to be more personalised, more convincing, and harder to spot.
Collard explains that while consumers are busy hunting for deals, criminals are hunting for credentials.
"We are rushed, emotional and distracted, exactly the mental state scammers exploit," says Collard. "Urgency, generosity, overload, fatigue or excitement override our critical thinking. Many of us also feel overwhelmed getting everything done before the end of the year, are actively on the hunt for holiday bargains or gifts and are more exposed to being scammed."
Smishing (SMS or chat-based phishing) has become the weapon of choice for holiday scammers because it targets our most intimate device: the smartphone. Unlike emails, which often go through robust spam filters on corporate servers, SMSes or WhatsApp chats arrive directly in our pockets, often bypassing security layers entirely.
"By using deceptive text messages, attackers trick you into revealing personal information like passwords or credit card numbers," Collard explains. "These messages, which use AI to mimic legitimate communications from organisations, often contain malicious links that lead to fake websites or install malware on your device."
This exploits the ‘delivery anxiety’ many South Africans feel during December. A notification claiming a package is delayed or held at customs triggers an immediate emotional response – especially when so many are expecting packages both from local e-retailers and popular overseas ones. In 2024, fake delivery messages were the most common form of text scam, costing consumers over $470 million globally.
"These alerts succeed because we are expecting packages and want instant updates," comments Collard. "On phones, warning signs are easier to miss."
The Global Anti-Scam Alliance’s (GASA) 2025 report, which surveys consumers across 42 countries, estimates that more than $400 billion was lost to scams worldwide in the last year. More than half of surveyed respondents had been targeted by some form of scam (usually shopping or investment related), and only 0.05% of the perpetrators were brought to justice.
Perhaps the most pervasive threat this season is the evolution of the gift card scam. While gift cards are a convenient present for legitimate consumers, for criminals, they are the equivalent of unregulated, untraceable cash.
"The rise of e-gift cards has created a lucrative opportunity for criminals because these vouchers function much like unregulated, untraceable cash," states Collard. "Once redeemed, they are difficult to reverse, making them an attractive target for organised crime syndicates looking for fast, low-risk ways to launder money or acquire high-value goods."
The modern iteration of this scam often targets employees in a corporate context. Criminals scrape public data to identify reporting structures, then use AI to spoof the WhatsApp profile or mobile number of a senior executive. An employee might receive a message from their CEO claiming to be stuck in a meeting or traveling, urgently requesting the purchase of digital gift cards for a client or to resolve a crisis.
"Criminals even pose as family members in distress, using AI-generated voice notes to create a false sense of urgency," notes Collard.
The psychology of the holiday hack
Understanding why these scams work requires looking at human risk management. It is not a matter of intelligence; it is a matter of cognitive load. Scammers know that a distracted parent trying to finish holiday shopping between work meetings is less likely to scrutinise a URL. They know that a junior employee manning a quiet office is more likely to comply if they receive an urgent request from a director.
Technology filters can catch malware, but they cannot always catch a decision made by a stressed human being. Protecting organisations and families requires a shift in mindset – from passive clicking to active verification.
To navigate this high-risk period, Collard suggests adopting a ‘zero-trust mindset’ approach to unsolicited communication. She provides the following core protocols for a secure December:
"By taking a moment to double-check unexpected messages, verifying unusual requests and sticking to reputable retailers and known links, consumers can significantly reduce their risk," says Collard.
The goal is not to become paranoid but to become harder to hack. By verifying unusual requests and sticking to reputable retailers, South Africans can significantly reduce their risk profile.
"Staying alert is the best gift you can give yourself," concludes Collard. "And it ensures that your festive cheer remains exactly where it belongs: with the people who matter most."