- Christmas emails often hide scams that steal personal and banking information
- Mass marketing-style messages are used to disguise fraudulent financial requests.
- Redirect chains collect increasingly sensitive identity details from unsuspecting victims
Holiday email traffic spikes late in the year, creating an environment that scammers actively exploit.
According to X-Labs, via ForcePoint, recent scam campaigns rely on messages that resemble ordinary holiday promotions or order notifications rather than obvious phishing attempts.
These emails seem routine enough to avoid scrutiny from recipients managing overcrowded inboxes.
Marketing emails designed to look legitimate
Many of the scam messages are sent through mass mailing systems that mirror standard commercial email campaigns.
The formatting is usually clean, with light markings and free of common spelling or grammatical errors.
Tracking links and unsubscribe options appear in messages to reinforce the impression of legitimate marketing activity.
This design helps emails avoid basic spam detection systems that rely on older threat patterns.
When recipients click on embedded links, the messages redirect them through a series of pages that appear linked to seasonal financial offers.
The interaction usually begins with neutral questions, such as the loan amounts requested or basic eligibility details.
As the process progresses, the forms request increasingly sensitive information, including personal identifiers, employment history, income details, and banking credentials.
After users submit information on the initial site, the flow often redirects them back to additional financial-themed pages.
These secondary sites request similar data and promote other loan-related offers, increasing exposure.
This structure allows scammers to reuse collected information while pushing victims to share even more details across multiple domains without realizing the larger scheme.
Another group of campaigns targets corporate recipients by posing as document notifications and order confirmations from DocuSign.
The emails claim that holiday purchases or wine orders require verification, using DocuSign branding to build credibility.
Any links in these messages are routed through unrelated hosting infrastructure before leading to credential harvesting pages targeting corporate email logins.
Malware removal tools offer limited protection against these scams because the attacks rely on data collection rather than malicious software installation.
How to stay safe
- Check sender domains carefully and treat unexpected or mismatched addresses as untrusted until they are independently confirmed.
- Examine link destinations before clicking, especially when emails refer to documents, loans, or holiday shopping.
- Access financial and document services directly through official websites instead of using integrated email buttons.
- Use identity theft protection tools to monitor suspicious activity and alerts about compromised personal information.
- Use antivirus software as a backup check, not as a primary defense against phishing-based attacks.
- Slow down routine email handling during periods of high volume and check messages before interacting.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
