Key Points

1. Digital security protects your business against fraud and attacks.
2. High traffic during Black Friday and Christmas increases the risks.
3. Failures in external providers can paralyse your e-commerce.
4. The most common cyberattacks include DDoS, phishing, and ransomware.
5. Adequate cyber insurance covers losses, data, and online reputation.

E-commerce breaks new records every season, especially as dates like Black Friday, Cyber Monday and Christmas approach, surpassing previous highs in sales, web traffic and transactions. But as these figures rise, so too do technological incidents and fraud attempts. The risk curve spikes, forcing companies to react. Strengthening digital security has never been so essential.

In this regard, RibéSalat, a global insurance and reinsurance broker with over 35 years of experience, analyses why digital security is so critical during these weeks, the types of incidents that recur each year, and the role of cyber insurance as a financial safety net to keep going when everything fails.

Increased traffic and technological pressure

At the end of the year, digital commerce plays “the match of the season”. The figures speak louder than any theory: global digital sales on Black Friday 2024 exceeded €64.282 billion, with projections for 2025 to grow between 5% and 11.6%, according to Webloyalty.

At the same time, traffic surges. Cloudflare data shows that e-commerce websites recorded an approximate 30% global increase during the Black Friday–Cyber Monday weekend, a figure that is expected to rise 25–35% in coming years. This surge in demand directly impacts digital security because:

  • The web infrastructure is under strain: more simultaneous sessions, more cart and checkout operations, more database queries.
  • Payment gateways are operating at full capacity: peaks in card validations and anti-fraud systems.
  • The cloud and hosting absorb excess load: CPU, memory, bandwidth, and storage are approaching critical thresholds.
  • APIs and microservices are multiplying: inventory, logistics, recommendations, coupons, loyalty programmes, etc.

Even without an attack, failures appear:

  • 500 errors during peak traffic periods.
  • Checkouts that fail to complete the payment process.
  • Carts that “disappear” due to session issues.
  • Integrations with logistics leaving orders unrecorded.

Here, digital security is no longer just about preventing intrusions; it must ensure that key systems withstand the load and that, if something fails, the disruption does not sink the year’s results or the teams responsible for business and security.

Critical dependence on external providers

For high-volume campaigns, the picture is clear: very few companies control their entire technology chain from start to finish. Most depend on multiple specialists:

  • CDN and WAF (e.g., Cloudflare).
  • Cloud and hosting providers (AWS, Azure, etc.).
  • Payment gateways (Redsys, Stripe, Adyen).
  • Authentication platforms.
  • Marketing automation and CRM tools.
  • Logistics and last-mile providers.

From a digital security perspective, this means that a failure in an external link can completely halt the flow of sales.

When the provider goes down… the cash register stops

Some situations repeat campaign after campaign:

  • CDN or hosting failure
    The website or app stops loading, or loads so slowly that the experience becomes frustrating.
    Meanwhile:
    • Investment in paid campaigns continues.
    • Users abandon their cart and go to the competition.
    • Support channels become overloaded.
  • Payment gateway failure
    When Redsys or another gateway experiences an incident:
    • Payments are rejected or left “in limbo”.
    • Duplicates and ghost carts increase.
    • Fraudsters take advantage of the confusion.
  • API and integration errors
    Problems between the e-commerce platform and:
    • ERP and inventory.
    • Coupon systems.
    • Logistics platforms.
    • Authentication mechanisms.

The result: products marked as out of stock, duplicated orders, delivery delays, and customers unable to log in at key moments.

Most common incidents during these periods

Digital security faces heightened risks during high-traffic seasons such as Black Friday and Christmas:

Cyberattacks during peak season

During Black Friday, Cyber Monday, and Christmas, attackers know that every minute of downtime is costly. The most common patterns are:

  • DDoS attacks against the website or APIs, aiming to take the digital channel offline during peak hours.
  • Scraping bots and stock abuse to deplete key items artificially or steal pricing and promotion data.
  • Account takeovers using credentials leaked in other incidents.
  • Payment fraud by testing stolen card numbers during the highest-traffic campaigns.
  • Ransomware targeting e-commerce, ERP, or POS servers, capable of halting both physical and digital sales during the most profitable days of the year.

Seasonal phishing and smishing

Phishing “masquerades” as Black Friday or Christmas:

1. Fake websites in retail campaigns (phishing and typosquatting)

During Black Friday and Cyber Monday, fake websites imitating well-known brands proliferate. Typical examples in global campaigns:

  • “amaz0n–deals.com”
  • “blackfriday-nike.shop”
  • “outlet-zara.sale”

These are mirror pages created to:

  • Steal cards.
  • Steal passwords.
  • Place fraudulent orders.
  • Install malware.

There is also an increase in typosquatting (registering domain names that are common misspellings of popular websites to redirect users to malicious sites):

  • amaz0n.com
  • zarra.com
  • blackfridday.es

These domains are sold on the dark web or in closed forums as a quick entry point for fraud campaigns.
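As an added example (not part of the original article), the following Python check shows how a retailer’s security team could screen newly observed or newly registered domains against its own brands, using the look-alike patterns the article lists above (digit-for-letter substitution, doubled letters, brand plus campaign keyword). The brand watchlist, the allowlist of owned domains and the substitution table are constructed assumptions for this example.

```python
import re

# Constructed watchlist for this example: brands the retailer wants to protect,
# and the domains it legitimately owns (so they are not flagged).
WATCHED_BRANDS = ["amazon", "nike", "zara", "blackfriday"]
OWN_DOMAINS = {"zara.com", "nike.com", "amazon.com"}

# Common look-alike character substitutions seen in typosquatting (heuristic).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def canonical(text: str) -> str:
    """Undo typical typosquat tricks: homoglyph digits and doubled letters."""
    s = text.lower()
    for fake, real in SUBSTITUTIONS.items():
        s = s.replace(fake, real)
    # zarra -> zara, blackfridday -> blackfriday (brands are canonicalised the same way)
    return re.sub(r"(.)\1+", r"\1", s)


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(a) < len(b):
            j += 1          # extra character in b
        else:
            i += 1
            j += 1          # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify_domain(domain: str, brands=WATCHED_BRANDS, own=OWN_DOMAINS):
    """Return (brand, reason) if the domain looks like a brand impersonation, else None."""
    host = domain.strip().lower().replace("–", "-").rstrip(".")  # unicode dash -> hyphen
    if host in own:
        return None
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]  # registrable label, TLD dropped
    tokens = [t for t in label.split("-") if t]
    for brand in brands:
        if label == brand:
            return (brand, "exact brand label on an unowned domain")
        for tok in tokens:
            if tok == brand and len(tokens) > 1:
                return (brand, "brand combined with campaign keyword")
            if tok != brand and canonical(tok) == canonical(brand):
                return (brand, "character substitution or doubled letter")
            if tok != brand and len(brand) >= 5 and edit_distance_le1(tok, brand):
                return (brand, "one-character typo of the brand")
    return None
```

Feeding this the article’s own examples flags amaz0n–deals.com and zarra.com as substitutions and blackfriday-nike.shop and outlet-zara.sale as brand-plus-keyword domains, while zara.com passes because it is allowlisted.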

2. Increase in cyberattacks on retail during Black Friday

The 2023–2024 reports confirm:

  • 30% rise in DDoS attacks against e-commerce during Black Friday (Cloudflare).
  • 22% rise in fraud attempts at checkout (Forter, Riskified).
  • 35% more “order update” phishing campaigns (IBM X-Force).
  • 17% rise in bots that lock up stock and saturate shopping carts (Kasada Security).

The main targets? Payment and checkout screens, inventory and logistics APIs, integrations with CRM and ERPs.

3. What happens on the dark web during these campaigns

November and December see an increase in sales of:

  • Leaked e-commerce databases.
  • Stolen Shopify, Magento, WooCommerce accounts.
  • Administrator credentials.
  • Payment cards (carding).
  • Scripts to clone retail websites.
  • Bots to attack payment gateways.

There is also a greater supply of “fraud as a service” (FaaS). Criminal groups rent out:

  • Ready-to-use phishing campaigns.
  • Website duplication kits.
  • Bots that automate fake returns.
  • Tools to bypass basic anti-fraud measures.

4. How much is the stolen data worth? (Real, public and reliable ranges)

According to 2024 reports from Kaspersky, Trend Micro, Comparitech and Privacy Affairs:

  • Credit card (numbers only): €10–25.
  • Full card + CVV: €15–40.
  • PayPal account: €30–120 depending on balance.
  • E-commerce credentials: €1–10.
  • Access to Shopify/Magento/Woo panel: €70–500.
  • Full details (name + ID + email + phone): €2–7 per record.
  • Leaked retail database: €150–1,000 depending on size, country and sensitivity.

5. “Cyberattacks on demand” (services sold to criminal enterprises)

These are services contracted by third parties:

  • Ransomware as a Service (RaaS): a criminal gang sets up the attack, the affiliate carries out the intrusion, and everyone receives a commission.
  • DDoS on demand: pay per hour to take down rival websites (illegal, typical during BF/CM).
  • Stolen corporate credentials: sale of usernames and passwords of retail companies for subsequent attacks.
  • Compromise of gateways: scripts to manipulate real payment pages (Magecart, JS skimmers).

6. Why does it go up so much on Black Friday and Cyber Monday?

Because it’s the “perfect storm”:

  • Peak traffic.
  • Overloaded devices.
  • More transactions.
  • Less attention.
  • Sense of urgency (buy NOW).
  • Many external providers at the same time.
  • Dependence on gateways.
  • More marketing = large attack surface.

Third-party and digital supply chain incidents

Even if the incident involves a provider, the retailer suffers the impact. For example:

  • Mango, El Corte Inglés, Tendam: breaches at marketing or loyalty providers with an impact on customer and club data, which are precisely the engine of digital sales.
  • Auchan / Alcampo: incidents affecting internal and ordering systems, with an impact on daily operations.
  • Blue Yonder: ransomware in a supply chain software provider impacts inventory and product availability for global retailers.

Internal fraud and financial manipulation

The peak sales season also multiplies internal risks. According to ACFE (Association of Certified Fraud Examiners):

  • 37% of internal fraud is committed by entry-level employees.
  • 41% is committed by middle managers.
  • 19% of cases are perpetrated by owners/executives (senior management).

The most common schemes are:

  • Forged cheques.
  • Invoice manipulation.
  • Impersonation of suppliers.
  • CEO fraud through false payment instructions.

Why vulnerability is higher between October and January

Half of retailers (≈52%) feel more vulnerable to cyberattacks in the last months of the year than at any other time. Let’s look at the reasons:

  • Revenue concentration: November and December can account for 18–20% of annual retail sales, and even more in sectors such as fashion, electronics, or toys.
  • Operational peaks: more orders, more returns, greater pressure on logistics and back-office systems.
  • Staff under pressure: longer shifts, less rest, quick decisions… and a higher likelihood of human error in response to suspicious emails or calls.

Real incidents: when the campaign goes wrong

Theory comes to life when looking at specific cases. Here are some examples that had a direct impact on revenue and reputation:

  • IKEA (Fourlis Group – Greece, Cyprus, Romania, Bulgaria)
    A ransomware attack just before Black Friday affected physical stores and the digital channel. Estimated losses were around €15–20 million in sales, including disrupted online orders and logistical issues.
  • Marks & Spencer (United Kingdom)
    A ransomware attack forced the suspension of online and app orders for weeks. The retailer itself estimates up to €340 million in impact on operating profit and a notable reduction in digital business during the affected period.
  • Victoria’s Secret (United States)
    A security incident forced a temporary website shutdown and limited in-store services, suspending online orders and returns. Estimated losses were close to €17.3 million due to the impact of the incident.

Behind each case, there is a common denominator: digital security failed at the moment it was needed most, and the absence of an adequate financial buffer amplified the damage.

In Catalonia, the figures are equally striking: in 2024, 71,772 reports of cyber scams were recorded, according to the Agència de Ciberseguretat de Catalunya and ACCIÓ, making Catalonia the region with the most cases in the entire country. The National Cybersecurity Institute (INCIBE) reinforces this scenario: fraud attempts increase by more than 20% in November, coinciding with discount campaigns.

The decisive role of cyber insurance during these periods

What does good cyber insurance cover?

The cover offered today is crucial to protect end-of-year campaigns:

  1. Loss of income (business interruption)
    • Due to a security breach or cyberattack.
    • Due to a system failure, even without an attack.
    • Due to failure of a critical provider (payment gateway, cloud, CDN, logistics, APIs), whether technological or not.
  2. Incident management
    • Digital forensics and containment.
    • System restoration and data recovery.
    • Negotiation in ransomware cases.
    • Operational support to recover orders and processes.
  3. Data breaches and legal liability
    • Cover against claims related to personal data.
    • GDPR and other applicable regulations.
    • Legal defence and, where permitted by law, insurable fines.
  4. Reputation and crisis communication
    • Specialised communication teams.
    • Messages to clients, press releases, and social media management.
    • Specific actions to restore trust in the digital channel.
    • Consequential loss due to reputational damage.
  5. Protection against fraud and social engineering
    • Employee fraud.
    • Impersonation of suppliers.
    • Fake banking instructions and misleading transfers.

In other words, cyber insurance becomes an integral part of the overall digital security strategy: it covers the economic impact, while the technical and business teams focus on restoring normal operations.

Why these dates are the “moment of truth”

The annual risk curve is compressed into just a few weeks. If an incident occurs during this period, the impact can be equivalent to months of activity. Without an adequate policy:

  • The company alone bears the combination of:
    • Loss of sales on key days.
    • Technical and legal response costs.
    • Reputational damage and loss of trust.
  • A simple provider outage can translate into millions lost:
    • Website inaccessible during Black Friday.
    • Payment gateway blocked on the busiest weekend.
    • Logistics provider paralysed in the last week of Christmas.

Attackers know that a 20-minute outage is worth millions…

How to calculate what a 20-minute outage costs you

The simplest way to calculate it is as follows:

Step 1 — Calculate your sales per minute

Take your sales from Black Friday, Cyber Monday, or a major campaign day. Realistic example:

If you sell €180,000 a day, do the following: €180,000 / 1,440 minutes = €125 per minute (1 day = 1,440 minutes)

But during campaigns, sales usually triple, so adjust:

On Black Friday, you could sell:

€500,000 / 1,440 = €347 per minute. That’s what “your minute is worth”.

Step 2 — Multiply by the number of minutes lost

If your website, payments, or CDN goes down for 20 minutes: €347 × 20 = €6,940 lost directly (not including unrecovered carts).

Step 3 — Add the “invisible” (but real) effect

An outage isn’t just about what you don’t sell; you also need to consider:

  • Permanently abandoned carts.
  • Of 100 customers who leave… only 20–30 return.
  • Loss of reputation.
  • Paid campaigns (SEM/Meta/Ads) wasted.
  • Cost of the incident.
  • IT emergencies.
  • Human hours.
  • Customer support.
  • Logistics penalties.
  • Corrections of duplicate orders.

Guideline based on studies by IBM and Gartner:

Every euro lost in direct sales generates an additional 3 to 5 euros in derived costs.

What does this look like in real numbers?

Conservative estimate:

  • Direct loss → €6,940
  • Indirect costs (x3) → €20,820
  • Actual total → €27,760 for 20 minutes

And this is a very conservative estimate: if your peak sales are higher, multiply accordingly. If you are in the fashion, electronics or food sector, the figure doubles.

In addition, it is important to note that we have not factored in potential multi-million euro penalties from legal liabilities or claims that a regulator or customer might make.

Without cyber insurance, a provider outage can cost millions

Year after year, Black Friday, Cyber Monday, and Christmas campaigns will continue to break records in sales and traffic. Mature organisations understand that the key is not to ask whether something will fail, but to identify in advance where the next disruption might occur: the website, the checkout, a critical provider, integrations, or the systems supporting customer data.

A solid digital security strategy combines technical reinforcement, operational discipline, anti-fraud controls, and cyber insurance coverage that responds when something fails. You can count on RibéSalat for this: we help businesses manage these risks by designing cyber insurance solutions tailored to the reality of each business and its digital channel. Now is the time to review your level of digital security and ensure your financial protection is up to standard. We invite you to speak with our specialised team, who, together with our network of strategic partners, will analyse your exposure, review your coverage, and design a bespoke solution so you can face these risks with greater confidence.

FAQs

What are the three types of cybersecurity?
The three main types of cybersecurity are: network security, which protects infrastructure and data against external intrusions; information security, which ensures the confidentiality, integrity, and availability of stored and processed information; and operational security, which encompasses internal processes and policies, including access management, incident procedures, and protection against human error or internal fraud.
What insurance covers data breaches?
The insurance that covers data breaches is cyber insurance. This type of policy protects the company against incidents involving the loss, theft, or disclosure of sensitive information, including data from customers, employees, or suppliers, and usually covers notification costs, legal defence, regulatory fines, and recovery of systems affected by cyberattacks.
How can you determine whether an external provider meets digital security standards?
To assess an external provider, it is advisable to review recognised certifications such as ISO 27001 or SOC 2, request security audits, analyse their data protection and business continuity policies, and check their incident history. Additionally, establishing clear service level agreements (SLAs) and liability clauses can ensure that they maintain appropriate digital security standards.
How does digital security affect customer trust?
Digital security directly impacts how customers perceive a company. If users feel their data is protected and transactions are secure, trust and loyalty increase. Conversely, security breaches, data leaks, or service interruptions can create distrust, loss of customers, and reputational damage that is difficult to repair.
Is cyber insurance mandatory?
Currently, cyber insurance is not legally mandatory for most businesses, although it may be required in highly regulated sectors. Nevertheless, taking out a policy is highly recommended, as it provides financial protection against economic losses, legal liability, and recovery costs following digital security incidents, especially for businesses with high volumes of data or online transactions.
What basic digital security protocols should SMEs implement?
SMEs should implement protocols such as multifactor authentication, secure password management, regular backups, constant software and system updates, encryption of sensitive data, internal access controls, and staff training to detect suspicious emails and links. By doing so, they can significantly reduce the risks of cyberattacks and internal fraud without large investments.