Holiday Mobile Threats Quadrupled in 2024 — What to Expect This Season

Mobile phishing and malware attacks quadrupled during the 2024 holiday shopping season, with over 120,000 fraudulent retail apps identified this year, according to a report from Zimperium zLabs. Security experts warn that AI-powered scams will pose even greater threats to both retailers and consumers during Black Friday and Cyber Monday 2025.

"Where there's money and momentum online, cybercriminals invariably follow — Black Friday and Cyber Monday deliver both in abundance," says Anne Cutler, Cybersecurity Evangelist at Keeper Security. With retailers already targeted by several major cyberattacks this year, security professionals are bracing for another surge as the holiday shopping season approaches.

The evolving landscape of holiday scams

The sophistication of holiday shopping scams continues to increase, with threat actors leveraging artificial intelligence to create more convincing deceptions. This year's threats are expected to be more advanced than ever before.

"This year we're guaranteed to see ever more sophisticated scams, primarily fueled by artificial intelligence, whether that be convincingly forged order confirmations, spoofed retailer sites, and even AI-generated customer service messages designed to steal login details or payment information," Cutler explains.

Among the fraudulent retail apps identified in 2025, approximately 65% impersonated legitimate brands. This trend is particularly concerning as more consumers rely on mobile shopping experiences, creating additional opportunities for cybercriminals.

Mika Aalto, Co-Founder and CEO at Hoxhunt, points out why these scams remain effective: "Holiday scams continue to exist because they're extremely successful. The holidays contain more travel and gift-buying activity, along with heightened emotions, so there are a lot more psychological buttons available to cyber criminals during this season of giving."

Common tactics include package delivery-themed phishing campaigns and spoofed websites that harvest credentials. The emotional nature of the holiday season makes people more vulnerable to making hasty decisions when faced with urgent messages about canceled flights or delayed packages.

For retailers, the stakes are particularly high. Nick France, Chief Technology Officer at Sectigo, notes: "From a business standpoint, the stakes are extremely high during Black Friday and Cyber Monday. This short window represents a critical revenue opportunity, and any website security hiccup — like an expired or misconfigured certificate causing browser warnings — can result in thousands of dollars in lost sales."

Historical perspective on holiday scam evolution

The escalation of holiday mobile threats represents a significant shift in criminal tactics. According to research from the Cybersecurity and Infrastructure Security Agency, holiday-themed attacks have evolved from simple email phishing to sophisticated multi-channel campaigns that target consumers across email, SMS, social media, and mobile applications simultaneously. This coordinated approach makes detecting and avoiding all potential threat vectors increasingly challenging for the average consumer.

Mobile shopping vulnerabilities

The shift toward mobile shopping has created new security challenges. Nivedita Murthy, Senior Staff Consultant at Black Duck, highlights this growing concern: "The online shopping experience has changed in recent years, and many users are now relying on the quick-click shopping experience on their mobile device."

This mobile-first approach creates perfect conditions for "mishing" (mobile phishing) attacks. Users searching for deals are more likely to download unknown apps that promise significant discounts, especially during Black Friday sales. App stores often cannot thoroughly verify the authenticity or security of all mobile applications due to the sheer volume being hosted.

Another significant vulnerability comes from the blending of work and personal activities on mobile devices. "Many employees use the same mobile devices for work as they do for personal use, therefore, opening a malicious link in a seemingly personal message could have disastrous consequences for the company," Aalto warns.

The rise in sophisticated mobile malware attacks has created an urgent need for enhanced security awareness, especially as these threats continue to evolve in complexity and scale during peak shopping seasons. Organizations must implement comprehensive mobile malware prevention strategies and detection systems to protect both corporate and customer data from exploitation.

The consequences of successful attacks can be severe, including data loss, financial damage, and reputation harm. For businesses, a security breach during the critical holiday shopping period can be particularly devastating.

Common mobile attack vectors

Mobile shoppers face multiple threat vectors specifically designed to exploit holiday shopping behaviors:

• Fraudulent shopping apps that mimic legitimate retailers but steal payment information
• SMS phishing campaigns featuring fake delivery notifications with malicious links
• Public WiFi exploits targeting shoppers using unsecured connections in malls and coffee shops
• QR code scams redirecting to malicious websites through tampered physical or digital codes
• Account takeover attempts through credential stuffing attacks on retail accounts

Agentic AI: The new frontier in retail security

The introduction of agentic AI into retail brings both opportunities and new risks. These AI systems that shop on behalf of consumers create an additional layer between retailers and their human customers, potentially opening new avenues for exploitation.

Will Glazier, Head of CQ Prime Threat Research Team at Cequence Security, explains this emerging concern: "Many retailers are looking to see how 'agentic commerce' will truly look in the burgeoning era of AI. As we humans begin to let agents shop on our behalf, it will leave retailers one step removed from their human customers."

These AI shopping agents could become targets themselves, as Glazier notes: "The applications and agentic frameworks humans will delegate their shopping experience to will be vulnerable to the same type of spoofing that we see currently where malicious actors impersonate trusted brands or applications."

For retailers already struggling with cybersecurity after a wave of attacks throughout the year, the addition of agentic AI introduces even more potential vulnerabilities if proper protections aren't implemented.

The rise of AI-powered defense systems

As threats evolve, so too must defensive capabilities. Leading retailers are investing in AI-powered security systems that can detect and respond to anomalous behaviors in real-time. These systems analyze patterns across millions of transactions to identify potential fraud before it impacts customers. The implementation of comprehensive mobile application security measures has become essential for retailers seeking to protect their digital storefronts from increasingly sophisticated attack methods.

Protecting yourself this holiday season

With the increased threat level, both consumers and businesses need to take proactive measures to protect themselves during the holiday shopping season. Here are essential steps to consider:

For consumers:

• Verify app authenticity before downloading by checking reviews, developer information, and permissions requested
• Use credit cards instead of debit cards for online purchases to leverage better fraud protection
• Enable multi-factor authentication on all shopping and financial accounts
• Avoid clicking on unexpected links in emails or texts about orders or deliveries
• Shop directly through official websites rather than following links from emails or social media

For retailers:

• Strengthen authentication systems before the holiday rush
• Implement advanced threat detection tools that can identify AI-generated attacks
• Ensure all security certificates are up-to-date and properly configured
• Train employees on holiday-specific phishing threats
• Create incident response plans specifically for high-volume shopping periods

France emphasizes the shared responsibility: "Ultimately, security is a shared responsibility. Consumers can benefit by staying vigilant and shopping wisely, while businesses must maintain their security posture to promote trust and confidence."

Enterprise mobile security considerations

For organizations managing a mobile workforce, the holiday season presents additional risks as employees increasingly shop on corporate-connected devices. Implementing secure BYOD policies and comprehensive mobile device management becomes crucial during high-risk shopping periods when personal and professional boundaries blur. Security teams should consider temporarily enhancing monitoring for suspicious network activities and implementing additional authentication requirements for sensitive systems during peak shopping days.

Looking ahead

As we approach the 2025 holiday shopping season, the cybersecurity landscape continues to evolve rapidly. The combination of increased online shopping activity, the emotional nature of the holiday season, and the introduction of new technologies like agentic AI creates a perfect storm for cybercriminal activity.

By understanding these threats and taking appropriate precautions, both consumers and businesses can help protect themselves from becoming victims of holiday scams. The key is remaining vigilant, verifying the authenticity of communications, and maintaining strong security practices even during the busy holiday period.

Emerging defensive technologies

The security industry is responding to these escalating threats with innovative protective measures:

• Behavioral biometrics that analyze how users interact with their devices to detect unusual patterns
• AI-powered fraud detection systems that identify suspicious transactions in milliseconds
• Secure payment enclaves that isolate financial data from potentially compromised applications
• Cross-platform threat intelligence sharing between retailers to rapidly identify new attack vectors

As you prepare for Black Friday and Cyber Monday shopping this year, remember that the best defense is awareness. Taking a few extra moments to verify a website's legitimacy or an app's authenticity could save you from significant headaches and financial losses during what should be a joyful season.