Black Friday and Cyber Monday are often framed as moments of elevated fraud risk. Traffic surges, attackers become more active, and systems are pushed to their limits. That framing isn’t necessarily wrong, but it is incomplete.
When we analyzed data flowing through Elephant Trust during the recent Black Friday-Cyber Monday period, a different pattern emerged. Attack activity did increase, but it was overshadowed by an even larger surge in legitimate consumer behavior. The defining challenge of the weekend wasn’t a broad rise in fraud rates. It was identifying high-velocity, coordinated attacks hidden inside unprecedented volumes of good traffic.
Peak events don’t just test whether systems can block risk. They test whether trust decisions can scale when both risk and legitimacy rise at the same time.
Note on terminology: In this analysis, “trusted” and “risky” refer to transaction-level classifications produced from observed identity and behavior signals at decision time, rather than post-hoc outcomes or confirmed fraud. The patterns below reflect how activity was evaluated by trust systems during Black Friday to Cyber Monday, not final results.
It’s also worth noting that many teams only see fraud once it becomes loss, dispute, or alert volume. The patterns surfaced here come from observing how identity and behavior present before outcomes are known.
The most important signal from the Black Friday-Cyber Monday period appears immediately in the aggregate data.
The imbalance is clear. Trusted activity didn’t just grow, it grew more than twice as fast as risky activity, both in volume and in dollars.
This reframes the operational problems teams face during peak events. Black Friday is not primarily a moment of runaway fraud. It’s a moment of compressed, high-confidence consumer intent, where large numbers of legitimate users attempt to transact in a narrow window of time.
In that context, the challenge shifts. The question becomes less about blocking more bad behavior and more about accurately recognizing and approving good behavior at scale, without allowing sophisticated attacks to blend into the noise.
If you see this in your system: resist the reflex to tighten controls. Instead, question whether peak success is being measured only by what was blocked, or by whether legitimate demand was accurately recognized and approved at scale.
Peak events amplify not just volume, but the consequences of relying on static context. During Black Friday-Cyber Monday, we observed clusters of activity that differed from typical consumer patterns. In isolation, these behaviors appeared unfamiliar. At scale, that unfamiliarity compounded even as demand surged.
Paradoxically, unfamiliar behavior was associated with meaningful legitimate volume; within this behavioral segment, trusted transaction volume was roughly 2.4x higher than risky volume.
The takeaway isn’t that these patterns were wrong or suspicious on their own. It’s that when behavior shifts rapidly at scale, distributions change faster than fixed expectations can adjust. In peak moments, nuance becomes expensive, increasing the likelihood that legitimate behavior is misinterpreted as risk precisely when demand is highest. That ambiguity is what makes distinguishing true coordination from background noise so difficult during peak events.
If you see this in your system: pause before treating unfamiliar behavior as an emerging risk. Ask whether the underlying distribution of legitimate activity shifted faster than your definition of "normal" could adapt.
Against a backdrop of unprecedented volume, alerting behavior remained largely stable throughout the Black Friday-Cyber Monday period, even as total traffic increased 73% week over week.
In many fraud systems, this pattern would raise a concern. A sudden surge in unfamiliar behavior often leads to spikes in alerts, overwhelmed review queues, or broad upstream tightening to maintain control. In those environments, stability can mask blind spots or deferred risk.
But in adaptive, globally informed systems, stable alerting under peak load reflects something different. It indicates that the system absorbed a large influx of legitimate demand without escalating proportionally, while still isolating concentrated, coordinated risk when it appeared.
This distinction matters because alert volume only captures the moments when uncertainty becomes loud enough to interrupt workflow. During peak events, a system that recognizes trust at scale may look deceptively quiet, not because nothing changed, but because it didn’t need to ask for help.
If you see this in your system: don't assume stable alerts or loss metrics mean nothing changed. Use apparent calm as a prompt to examine whether trust recognition kept pace with demand or whether nuance was silently absorbed.
Fraud risk does rise during peak events. That’s expected. What’s easier to miss is that legitimate demand rises even faster, concentrating trust, revenue, and long-term customer value into a narrow decision window.
Some systems are designed to respond to calendars, tightening controls when risk is expected. Others are designed to respond to signals, adapting as behavior actually changes. Black Friday exposes the difference.
When trusted traffic grows 85% week over week, even marginal shifts in decision thresholds can affect tens of thousands of legitimate interactions, many of which never surface as alerts, appeals, or measurable loss.
Black Friday and Cyber Monday don’t force teams to choose between safety and growth. They force systems to recognize trust at scale, under conditions where behavior shifts quickly, signal reliability degrades, and assumptions are most likely to misfire.
For teams reflecting on the weekend, the most useful question isn’t whether fraud was blocked. It’s whether the system was designed to notice trust when it mattered most. As peak events become more frequent and less predictable, the ability to recognize trust dynamically may matter more than any single control put in place ahead of time.