via Security Boulevard
Fraud isn’t waiting for Black Friday. Our team analyzed 2025 holiday fraud trends and found that attackers are moving earlier, automating faster, and blurring the line between bots and humans.
KasadaIQ analysis shows that adversaries have already begun pre-positioning for the 2025 holiday period with new levels of automation, earlier configuration sales, and more adaptive attack patterns. Across retail, hospitality, and quick service restaurant (QSR) sectors, we expect this year’s threat environment to exceed all previous benchmarks for scale and speed.
Fraud is being increasingly industrialized. Configs, account data, and automation kits are now traded with the same efficiency as legitimate software services. Generative AI has further accelerated this trend, enabling attackers to mimic authentic consumer behavior and operate around traditional detection.
View the full 2025 Holiday Cyber Threat Trends Report in partnership with RH-ISAC.
Trend 1: Fraud Campaigns Are Starting Weeks Earlier
KasadaIQ has tracked a 92% increase in malicious configurations targeting retail and a 400% increase targeting accommodation industries between January and October 2025.
Configurations, the pre-built scripts used for credential stuffing, scraping, and automated checkout, are being sold and deployed 10 to 14 days before Black Friday, not during it.
This shift indicates adversaries are moving their campaigns earlier to test infrastructure, refine attack scripts, and sell working configs to others before the main event. In practice, this means defenders must begin their heightened monitoring period in mid-November, not Thanksgiving week.
What it means:
Fraud detection tuned only for peak event days will miss the preparatory phase when attackers validate credentials and infrastructure. Threat models should now assume “holiday mode” begins around November 10.
Trend 2: Account Takeover Is the Fastest-Growing Fraud Channel
Kasada’s telemetry shows more than 311 million stolen accounts listed across underground marketplaces in 2025 – and 63% of them belong to retail brands.
Adversaries are using large-scale credential-stuffing operations to obtain account access ahead of sales, reselling them in batches days before major shopping events. In the last month alone, Kasada observed over 1,100 credential-stuffing incidents across 133 retail organizations, compromising roughly 265,000 accounts.
These campaigns are being timed with precision. Access is gained in the week before Black Friday, when accounts hold stored payment data, loyalty points, and holiday shopping carts ready to use.
What it means:
Credential reuse remains a key enabler of retail fraud. Security and fraud teams must treat ATO as an intelligence-driven, ongoing campaign, not a one-off attack. Look for repeated hits from the same infrastructure clusters and monitor post-compromise resale patterns.
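One way to look for repeated hits from the same infrastructure cluster, shown as an added example that is not Kasada's code or part of the original report. It assumes a /24 network stands in for a "cluster" (an ASN or proxy pool could be used instead), and the log format, thresholds and function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed login events (not real data): date, source IP, username, outcome
SAMPLE_LOGINS = """\
2025-11-10 203.0.113.5 alice fail
2025-11-10 203.0.113.9 bob fail
2025-11-10 203.0.113.77 carol ok
2025-11-10 203.0.113.12 dave fail
2025-11-10 198.51.100.20 erin fail
2025-11-10 198.51.100.20 erin ok
2025-11-11 203.0.113.41 frank fail
2025-11-11 203.0.113.8 grace fail
2025-11-11 203.0.113.200 heidi fail
2025-11-11 192.0.2.14 ivan ok
"""

MIN_USERS = 3        # assumed: distinct usernames per cluster per day
MIN_FAIL_RATE = 0.6  # assumed: share of failed logins that marks stuffing
MIN_DAYS = 2         # assumed: days a cluster must recur to count as "repeated"

def cluster_of(ip, prefix=24):
    """Map a source IP to its containing network (the assumed cluster key)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def repeat_clusters(log):
    """Return {cluster: [days]} for clusters that look like stuffing on >= MIN_DAYS days."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for line in log.strip().splitlines():
        day, ip, user, outcome = line.split()
        s = stats[(cluster_of(ip), day)]
        s["users"].add(user)
        s["total"] += 1
        s["fail"] += (outcome == "fail")
    hits = defaultdict(list)
    for (cluster, day), s in sorted(stats.items()):
        # Many different accounts, mostly failing: one user mistyping does not match
        if len(s["users"]) >= MIN_USERS and s["fail"] / s["total"] >= MIN_FAIL_RATE:
            hits[cluster].append(day)
    return {c: d for c, d in hits.items() if len(d) >= MIN_DAYS}

def accounts_at_risk(log, clusters):
    """Accounts with a successful login from a flagged cluster (reset candidates)."""
    at_risk = set()
    for line in log.strip().splitlines():
        _, ip, user, outcome = line.split()
        if outcome == "ok" and cluster_of(ip) in clusters:
            at_risk.add(user)
    return sorted(at_risk)
```

The successful login buried among the failures is the account worth acting on first, since it is the one likely to be resold.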
Trend 3: Gift Cards Remain the Most Efficient Monetization Tool
Gift card fraud is the simplest and most profitable conversion channel for attackers. In 2025, Kasada identified 8.9 million stolen retail gift cards and 7.5 million QSR cards for sale across criminal forums – a higher rate than any previous year.
Gift card theft and resale follow a predictable pattern. Retail card listings spike immediately before Black Friday and Cyber Monday, then rise again in mid-December. QSR cards peak later in December and remain elevated through New Year’s.
What it means:
Gift card systems are the preferred post-compromise target once an account is breached. Fraud and cyber teams should monitor for rapid redemption velocity, repeated balance checks, and API calls that test card validity. Defensive automation should prioritize these indicators throughout the month of December.
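The three indicators named above can be checked over gift card API logs as in this added example, which is not from the original report. The log format, endpoint paths, client identifier (an API key, session or device fingerprint) and thresholds are all assumptions to be tuned against a baseline of legitimate traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, client, endpoint, card, result
SAMPLE_LOG = """\
2025-12-01T10:00:00 shopper-1 /giftcard/balance GC-5001 valid
2025-12-01T10:00:01 client-x /giftcard/balance GC-9000 invalid
2025-12-01T10:00:02 client-x /giftcard/balance GC-9001 invalid
2025-12-01T10:00:03 client-x /giftcard/balance GC-9002 valid
2025-12-01T10:00:04 client-x /giftcard/balance GC-9003 invalid
2025-12-01T10:00:05 client-x /giftcard/redeem GC-9002 ok
2025-12-01T10:05:00 shopper-1 /giftcard/balance GC-5001 valid
2025-12-01T10:20:00 shopper-1 /giftcard/redeem GC-5001 ok
"""

WINDOW = timedelta(seconds=60)       # assumed look-back window per client
MAX_CARDS = 3                        # assumed: distinct cards a client may check per window
FAST_REDEEM = timedelta(seconds=30)  # assumed: check-to-redeem gap treated as automated

def parse(log):
    for line in log.strip().splitlines():
        ts, client, endpoint, card, result = line.split()
        yield datetime.fromisoformat(ts), client, endpoint, card, result

def detect(log):
    """Return sorted (client, reason) pairs for the three gift card indicators."""
    checks = defaultdict(list)  # client -> [(time, card, result)] recent balance checks
    alerts = set()
    for ts, client, endpoint, card, result in parse(log):
        recent = [c for c in checks[client] if ts - c[0] <= WINDOW]
        if endpoint.endswith("/balance"):
            recent.append((ts, card, result))
            checks[client] = recent
            cards = {c[1] for c in recent}
            invalid = sum(1 for c in recent if c[2] == "invalid")
            if len(cards) > MAX_CARDS:
                alerts.add((client, "repeated balance checks across many cards"))
            # Mostly-invalid lookups mean card numbers are being guessed or tested
            if len(cards) > MAX_CARDS and invalid * 2 > len(recent):
                alerts.add((client, "card validity testing"))
        elif endpoint.endswith("/redeem"):
            last = [c[0] for c in recent if c[1] == card]
            # Redeeming seconds after checking, while also probing other cards
            if last and ts - max(last) <= FAST_REDEEM and len({c[1] for c in recent}) > 1:
                alerts.add((client, "rapid redemption after enumeration"))
    return sorted(alerts)
```

A shopper who checks one card and redeems it later raises nothing, which is the property to preserve when adjusting the thresholds.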
Trend 4: AI-Powered Bots Will Dominate Traffic
For the first time, Kasada predicts that the majority of holiday web traffic will be automated, with AI-generated requests up 520% compared to last year.
Retail bots are now using AI agents capable of dynamic behavior – hesitations, variable movement, and input randomness – that resemble legitimate human shoppers. These bots are being used to:
- Enroll fake loyalty accounts for early-access promotions.
- Scrape pricing and inventory data from APIs.
- Execute automated checkouts within milliseconds of product releases.
The line between “helpful automation” and malicious automation is vanishing. Both legitimate and adversarial agents now query backend APIs directly, bypassing website controls and inflating traffic loads.
What it means:
Traditional bot mitigation based on rate-limiting or uniform pattern detection is no longer sufficient. Organizations should focus on behavioral fingerprinting, API-level defense, and adaptive countermeasures that can detect high-entropy agent behavior in real time.
Trend 5: Adversaries Are Monetizing Faster Than Ever
Kasada’s monitoring of criminal forums shows that compromised data now moves from breach to resale in under 5 days. Adversaries are maximizing value before credentials are invalidated or gift card balances are drained.
This speed reflects a mature ecosystem where automation handles both the theft and resale processes. The fraud cycle has compressed from weeks to days, reducing defenders’ window for response and investigation.
What it means:
Incident response processes must evolve to match the adversary’s speed. Security teams should integrate fraud telemetry into SOC workflows and use automated alerts tied to KasadaIQ or industry feeds to identify brand-specific activity faster.
Preparing for the 2025 Fraud Season
The 2025 holiday period will challenge existing fraud prevention and bot management programs across every layer of the eCommerce ecosystem. Defenders should prepare for a convergence of consumer-driven traffic, AI-assisted automation, and monetization pipelines operating in parallel.
Recommended Actions
- Start Monitoring Early: Shift fraud readiness windows two weeks earlier than in previous years. Baseline legitimate traffic before mid-November to spot anomalies.
- Focus on Account Integrity: Apply adaptive MFA triggers and anomaly detection for logins that originate from automated tools or new device types.
- Defend APIs: Many bots now bypass web protections by directly targeting APIs. Implement authentication, rate controls, and anomaly scoring at the API layer.
- Integrate Fraud and Security Operations: Unify fraud analytics, ATO telemetry, and bot detection feeds under one operational view. Cross-functional collaboration enables faster triage.
- Track Criminal Marketplaces: Use external threat intelligence to monitor configuration sales and brand mentions. Early detection of active configs can provide advance warning of fraud campaigns.
Looking Ahead
Fraud this holiday season is not just a retail problem – it’s a data and automation problem. Attackers are scaling faster than organizations can react, using AI to exploit the same digital efficiencies that retailers depend on.