Woburn, Mass.-based Kaspersky Lab experts expect the number of financial phishing, malware and POS terminal attacks to rise during the holiday shopping season and affect financial institutions, retailers, and customers.

Kaspersky Lab security specialists expect that in 2016 the trends, including a higher than average percentage of financial phishing and scams, will continue their development as phishing remains one of the main sources of credit card data for criminals. And phishing is still one of the easiest ways to set up a fraud scheme.

Both in 2014 and 2015, Kaspersky Lab researchers witnessed a significant increase in phishing attacks against payment systems and online stores during the gift-giving season, which includes Black Friday and Cyber Monday. Attacks against financial institutions also grew, but at a lower rate.

On the holiday menu for these cybercriminals:

Phishing. During the holiday period, users are eager to find the best goods at the best price and expect to see special offers. Cybercriminals know that and try to exploit this as much as possible. When attempting to steal payment data, criminals may create a bogus payment page of a well-known payment system, duplicate legitimate online retailer websites, or even create fake shops with incredibly attractive offerings. Cybercriminals also tend to exploit the Black Friday theme itself. While doing research into the threat landscape, Kaspersky Lab researchers spotted a Black Friday-themed phony internet shop offering products at attractive prices.

Kaspersky Lab threat statistics show the share of financial phishing during the fourth quarter is noticeably higher than the typical yearly result. In 2015, the financial phishing total was 43.38% during this time as opposed to 34.33% for all of 2015. Kaspersky Lab noted similar upticks in the three major types of financial phishing during the last quarter: banking (18.90% during the last quarter), e-payment (12.19%), and e shopping (12.29%).

Financial malware. Banking Trojans aim specifically at users of internet and remote banking systems have started to decrease, most likely due to criminals largely switching their attention from clients of financial institutions to the financial institutions, because a sophisticated attack against a credit union or bank can bring much more profit. Another reason is the rise of encryption ransomware which has proven itself a relatively effective way of getting money illegally.

What has not changed is criminals’ attention to the high sales season. Last year showed an increased criminal interest surrounding Black Friday, Cyber Monday and Christmas.

Criminals invest many resources in the development of banking Trojans and cultivate different sophisticated techniques to avoid detection and spread the malware. There are 30 species of banking malware families now in the Kaspersky Lab collection such as ZeuS, SpyEye, Carberp, Citadel, Emotet, and Lurk.

POS malware. Infecting point of sales operating systems and then stealing card credentials is a lesser-known threat. Kaspersky admitted, “We don’t yet have relevant statistics on the number of detections during the holiday period.” However, it estimated the threat by counting the number of threat families starting with just four in 2013 and growing to at least 36 types of malware capable of stealing data from POS terminals in the wild today. Kaspersky also warned ATM skimming attacks would happen during Black Friday and continue through Christmas and New Year.

Cyber Monday. Kaspersky pointed out cybercriminals are more excited about Cyber Monday than Black Friday. “This may be because Cyber Monday is more about online sales. There will be a lot of online advertising of special deals and it will be easier for them to hide phishing scams inside the stream of legitimate offers,” Kaspersky suggested. It added Cyber Monday is more convenient than Black Friday, which is more about offline sales. “Criminals don’t have to deal with physical access to ATMs in order to set up, and later collect a skimmer. Instead they could use a phishing or malware attack in order to collect credentials and then monetize them in a number of ways.”