Attackers plan for the holidays. So why don’t we? asks Andy Fielder, CTO, MetaCompliance.
Most organisations, regardless of sector, approach the holiday period with broadly the same expectations: staffing levels are lower than usual, approvals and sign-offs take longer, and normal oversight is harder to maintain. This is widely accepted as part of doing business at this time of year. What receives far less attention is what this means for cyber risk, particularly the risks that emerge when pressure, fatigue and staff absence begin to overlap.
This blind spot is reflected in the same types of incidents recurring year after year. Ransomware, phishing and fraud activity consistently increase during holiday periods, and this is rarely the result of a sudden failure in technology. More often, problems take longer to surface and even longer to act on because organisations are operating with reduced capacity and slower response times.
Last year, Christmas-themed phishing rose by 327 per cent. Attackers were planning around predictable slowdowns while many organisations continued to treat those slowdowns as a temporary inconvenience rather than a meaningful change in risk.
How work changes when people are away
When organisations move into holiday mode, work continues, but under different conditions. People often find themselves covering unfamiliar responsibilities, making decisions with far less context, and with a shift in focus towards keeping activity moving rather than scrutinising every detail.
Data from the events platform Tagvenue suggests that Friday 12 December 2025 will be the least productive workday of the year, because the night before is a popular time for office Christmas parties. Most businesses treat this as a light-hearted seasonal issue, but from a security point of view it illustrates something more important: attention drops well before systems or processes do.
As a result, messages may be skimmed rather than read carefully and requests that would normally prompt a follow-up question are more likely to be accepted at face value. This doesn’t happen because people are careless, but because they’re tired, distracted, or working outside their usual rhythm.
Why attackers take advantage
Cybercriminals design their campaigns to fit the context organisations are operating in. Holiday-themed phishing and payment fraud work precisely because they exploit disrupted approval processes and slower responses, rather than weaknesses in technical security controls. A "changed bank details" notice or an urgent payment request that arrives while the usual approver is away is far more likely to be actioned without the follow-up call that would normally catch it.
When escalation is delayed and normal oversight is reduced, attackers gain time, which is all that’s needed for a relatively minor issue to develop into something far more serious before anyone intervenes. At that point, the problem is no longer just technical but organisational.
Despite this, human risk is often still treated as static. Cyber security education delivered earlier in the year is assumed to carry through unchanged, and incident response plans rely on specific individuals being available even though holiday periods make that much less certain. The result is an increased reliance on individual judgement at a point when pressure and fatigue are at their highest.
Organisations that cope better pay attention to how people actually behave during the holiday period. They reinforce messages at the moment they are most needed and use simple, timely reminders that reflect how work is done in December, alongside clear guidance on what to do when something doesn't feel right and the usual decision-makers are unavailable: who the named deputy is, which requests must always be verified through a second channel, and whom to contact if a decision can wait. Teams that take the time to talk through realistic holiday scenarios, or run short exercises around them, remove uncertainty and make it easier for people to pause before acting when a request feels unusual.
Everyone has a role to play
Resilience during holiday periods depends on people across the organisation understanding what to look for, knowing when something doesn’t feel right, and being clear on what to do when usual decision-makers are unavailable.
This isn’t about asking people to be more vigilant, or placing blame when mistakes happen. It’s about recognising that behaviour changes under pressure and putting simple, practical support in place to account for that.
Bend to the bad
However well prepared an organisation is, holiday periods rarely run smoothly. Attention drops, decisions are sometimes taken with incomplete information, and mistakes happen. The mistake is assuming these conditions can be removed, rather than accepting them as a normal part of operating at this time of year.
The aim isn’t to prevent every error, but to ensure that systems, processes and learning are able to absorb them. Clear guidance and realistic preparation help reduce the impact when things go wrong, while technical controls are most effective when they support people rather than attempt to compensate for predictable human behaviour.
A resilience issue, not a seasonal nuisance
Attackers already plan for these periods. Until organisations do the same, the same problems will continue to surface at the same points every year. The challenge isn’t to eliminate holiday slowdowns, but to recognise how they affect human decision-making and to plan accordingly.