Halloween tricks aren’t reserved for trick-or-treaters — cybercriminals are preying on the Halloween spirit to enact malicious spam.
While Halloween spam can be benign (37%), a majority were designed to steal money and/or credentials (63%).
According to Bitdefender Labs, threat actors are leveraging “multiple fraud tactics into one seasonal wave” in order to focus on nearly every user on the internet. The research found that this year, threat actors are employing fraudulent retail sales, fake brand giveaways, cryptocurrency cons, and even dating scams, with an increase in Halloween-themed phishing and scam campaigns noted between Sept. 15 and Oct. 15, 2025.
67% of this themed spam originated from United States servers. Targets included users in the U.S. (73%), Germany (13%) and Ireland (6%). Other, less frequent targets were in the U.K., France, Canada, Romania, Australia and Italy. Spam email subject lines were designed to be attention-grabbing, promising limited-time deals, free items or exclusive gifts. Furthermore, many will impersonate legitimate brands (such as Walmart of Amazon).
Why is Halloween such a prime time for cybercriminals? The research asserts that promotions are expected around the holidays, and so users often lower their guard — especially as legitimate brands increase their promotions, which makes it easier for false impersonations to blend in. Furthermore, the scams are filled with emotional language, emphasizing urgency and too-good-to-be-true rewards, which can lead victims to make rash decisions and blindly trust these emails.
If employees are falling for these scams on work emails or devices, the organization itself could be put at risk. Therefore, security leaders must ensure their employees understand these scams and how to avoid them.
Source: Security Magazine