As the festive season approaches, South Africans are gearing up for celebrations, travel, and online shopping.
By Kerissa Varma, Microsoft chief security advisor: Africa
But, while we’re busy connecting with loved ones and hunting for holiday deals, cybercriminals are working overtime to exploit our goodwill and distraction.
Microsoft’s latest security insights, Cyber Signals and Digital Defence Report 2025, reveal a surge in sophisticated scams targeting individuals and businesses during this period.
Here’s what you need to know to stay safe.
Emerging holiday threats
Attackers are increasingly turning to techniques that exploit trusted systems and familiar behaviours.
These methods are not abstract risks, but concrete tactics that are already being deployed to compromise accounts and data.
- Device code phishing – Scammers may send messages asking individuals to enter a code on a website to “verify their identity” or “confirm a purchase”. Entering these codes can give attackers access to the victim’s accounts, without needing a password. Always be suspicious of unexpected requests, especially during online shopping.
- Fake CAPTCHA attacks – Individuals may receive emails with links to flight deals or holiday offers, only to land on a site with a CAPTCHA and instructions to copy and paste a command into their computer. This is a ploy to trick victims into running malicious software. The rule of thumb is to never copy commands from unknown sources.
- Tech support scams – Attackers impersonate IT support, urging individuals to grant remote access to “fix” non-existent problems. Remember: Microsoft will never contact anyone unexpectedly by phone or text. Treat unsolicited tech support offers as scams.
The top three threats in your inbox
Cybercriminals are getting smarter, and your inbox is their favourite playground. As the holiday season ramps up, attackers use sophisticated tactics to trick even the most cautious recipients.
Below are the top three threats you’re most likely to encounter – and what you can do to stay safe.
- AI-enhanced phishing: Our 2025 Microsoft Digital Defence Report highlights that AI-enabled phishing emails are 4 and a half times more likely to be clicked on than traditional ones because they appear credible. These emails are now perfectly written and highly personalised, often leveraging information from social media or previous data breaches. They may seem to originate from trusted sources such as retailers, delivery services, or even colleagues, making detection increasingly difficult. To mitigate risk, always verify sender addresses and avoid clicking on suspicious links. If an email creates urgency around financial transactions or credentials, pause and confirm its legitimacy through an alternative channel.
- Fake shipping notifications: Expecting packages? Scammers exploit this by sending fake delivery updates, often requesting payment or personal details. Legitimate carriers rarely ask for sensitive information via email or text. Always check tracking numbers directly on the carrier’s official website.
- Charity and donation scams: The holidays inspire generosity, but fraudsters take advantage by sending heartfelt appeals for donations to fake charities. Conduct your own research before you donate and use trusted verification resources. Be wary of requests for payment via gift cards, direct transfers, or cryptocurrency.
Your holiday security checklist
South Africa’s rapid digital growth has created new opportunities, but it also makes individuals and businesses prime targets for cyberattacks, ranging from banking fraud to identity theft.
The reassuring news is that fundamental practices such as using strong passwords, enabling multi-factor authentication, and pausing before clicking suspicious links can significantly reduce risk and protect personal data.
Yet, as threats become more sophisticated, basic measures alone are not enough. AI isn’t just a weapon for attackers; it’s also a powerful ally in defence.
Microsoft leverages AI to process over 100-trillion security signals daily, enabling faster threat detection and predicting attacks before they occur.
By turning on AI-powered security features and keeping devices updated, you can benefit from advanced, proactive protection against evolving cyber threats.
- Update devices: Install pending software updates before travelling or logging off for the holidays.
- Enable AI-powered security features: Turn on AI-powered security features and keep software and devices updated so you benefit from the latest AI-driven protections.
- Enable Multi-Factor Authentication (MFA): On all accounts, it’s one of the simplest and most effective defences against unauthorised access.
- Shop smart: Always shop on secure websites, verify URLs, and use trusted payment methods. Avoid deals that seem too good to be true.
- Protect work credentials: Never use work credentials for personal accounts or store them in personal password managers.
Keep the holidays joyful, not stressful
Everyone plays a critical role in strengthening South Africa’s digital ecosystem.
While AI makes phishing emails more convincing, the most effective defence remains simple: verify before clicking, enable multi-factor authentication, and stay alert.
Awareness beats AI-powered scams.
The holidays should be enjoyable, not stressful. By staying vigilant, verifying unexpected communications, and reporting anything suspicious, you help protect yourself and your organisation.
Remember, the real cost of “just one click” can be severe – compromised credentials, exposure of sensitive data, and even unauthorised access to customer information or intellectual property.
False alarms have no negative consequences, but missing a real threat can be costly.
Security is a shared responsibility. Simple steps, combined with the advanced protections built into modern technology, can help keep your accounts, devices, and data safe.
By staying informed and proactive, we can ensure the only surprises this season are the good ones.