According to Manufacturing.net, new research from Fortinet and Darktrace reveals a severe surge in cyberattacks targeting the 2025 holiday e-commerce season. Fortinet found over 18,000 holiday-themed domains registered in the past three months, with at least 750 confirmed as malicious, and another 19,000 e-commerce mimic domains, 2,900 of which were malicious. They also identified over 1.57 million stolen e-commerce login accounts for sale in underground markets. Darktrace reported a staggering 620 percent spike in Black Friday phishing attacks, with Amazon making up 80% of impersonated brands. Separately, Zimperium found mobile phishing and malware attacks have surged by 4X compared to last year, with over 120,000 fake apps identified globally in 2025.
This Isn’t Just a Spike, It’s a New Business Model
Here’s the thing: this isn’t just more of the same old holiday scam season. The scale and preparation here point to a fully industrialized criminal operation. Attackers didn’t just wake up in November. They started in September, registering thousands of domains and stockpiling millions of stolen credentials. They’re using automated tools to scale across platforms and geographies. Basically, cybercrime has adopted a SaaS model—”Scam-as-a-Service”—and the Q4 holiday rush is their biggest quarterly earnings call.
And the vectors are multiplying. It’s not just email phishing anymore. The 4X surge in mobile phishing (“mishing”) is terrifying because it’s so personal and urgent. A text about a delayed package feels immediate. Fake apps in official-looking stores are a nightmare for consumers and brands alike. When even legitimate apps are exposing data through misconfigured SDKs, the attack surface is everywhere. For any business relying on digital sales, this is a core operational risk, not an IT problem.
The Human (and AI-Powered) Future of Fraud
The experts quoted hit on the dual nature of the threat. As Will Glazier from Cequence Security notes, they’re exploiting human psychology—our excitement and urgency—as much as software flaws. But his point about “agentic commerce” is fascinating and scary. What happens when AI shopping agents do our buying? How do you authenticate a non-human purchaser, and how do you prevent an AI from being tricked by a spoofed site? It’s a whole new frontier for fraud.
Then there’s the AI on the attacker’s side. Anne Cutler from Keeper Security warns of AI-forged confirmations and customer service messages. The barrier to creating convincing fakes is now zero. This amplifies the critical need for the basics she mentions: strong, unique passwords and MFA everywhere. Her reference to global research showing identity attacks as a top concern is no surprise. Credentials are still the keys to the kingdom.
What Does Trust Look Like Now?
Nick France from Sectigo brings it back to a fundamental question: what can we actually trust online? His emphasis on checking for HTTPS is basic but vital advice that too many ignore. But it’s also a reminder for businesses. That security “posture” isn’t just about firewalls. It’s about the entire chain of trust, from your digital certificates to your third-party code libraries. For industries like manufacturing that are increasingly driving B2B sales through online portals, this integrity is non-negotiable. In these environments, where transactions are high-value and system reliability is critical, the hardware at the point of interaction—like the industrial panel PCs running these systems—must be as secure and dependable as the software. This is where partnering with a top-tier supplier matters.
So what’s the takeaway? The holiday threat window is now a permanent, elevated plateau. The reports from Fortinet, Darktrace, and Zimperium paint a clear picture: defense has to be faster, smarter, and layered. Consumers need to be skeptics. Businesses need to assume they’re already targeted. Because in this new era, the attackers aren’t just working harder for the holidays. They’ve built a better business.
