Top scams to look out for over the holiday period – don't let the Grinch grab your data


From cozy winter weather and bright Christmas lights to time off work and watching festive classics with family, there’s a lot to love about the holiday season.

Still, the season isn’t without its downsides, chief among them the rise in scams at this time of year, as criminals look to take advantage of unsuspecting people.

At Tom’s Guide, we want you to shop smarter, not scared. This article breaks down the most common holiday scams to watch out for, explains how they work, and shares practical tips to help you protect your personal information and stay safe throughout the festive season.


1. Unsupervised AI shopping agents

AI chatbots are no longer limited to acting like search tools. They’re increasingly being used as full-blown shopping assistants, with people asking for everything from color coordination and gift ideas to direct links to products.

While this certainly makes online shopping more convenient and personalized, the fact that these chatbots are largely trained on forum-based data, such as Reddit, means they can sometimes dish out scammy or malicious websites. Clicking on these links and logging in could put your personal information at serious risk.

Tomas Stamulis, Chief Security Officer at Surfshark, explains: “Always review what AI suggests before purchasing, and never grant unlimited access to your financial details.”

2. Phone snatching in busy areas

Digital privacy invasion isn’t the only cybersecurity risk you need to worry about this holiday season. Even with the best VPNs, password managers, and antivirus software in your online toolkit, you could still end up losing sensitive data to street criminals who snatch mobile phones straight from people’s hands. The risk is particularly high in crowded places, like shopping malls or Christmas markets, and it’s even worse if your phone happens to be unlocked.

Tomas Stamulis at Surfshark advises staying vigilant in public and keeping your phone out of sight when not in use. Additional protective measures include using an “anti-spying screen so people around you can't easily see what you're doing.” And to safeguard against the worst, make sure you’ve enabled Stolen Device Protection (on iOS) or Theft Protection (on Android) and that your home and work addresses are set correctly.


3. Hidden phishing links in Christmas greetings

Phishing scams are unfortunately far too common, and the increasing use of e-greeting cards has given scammers yet another avenue to exploit. Malicious actors may hide phishing links inside what appear to be innocent holiday wishes.

Our advice is to rein in your holiday excitement a little when you receive an e-greeting and avoid clicking on links, even if they seem to come from someone you know. If you do end up clicking on a link, never provide any personal information on the site it leads you to.

For the uninitiated, this is how phishing scams work: they lead you to websites designed to lure you into entering sensitive information. While these sites may look almost identical to the real ones, they’re fake and controlled by scammers.

Entering details such as your real name, email address, phone number, home address, or, worse, your banking information could leave you vulnerable to identity theft or result in malware being installed on your device.

4. Phony deals and fake websites

Companies and online shops often spread the holiday cheer by rolling out exclusive discounts and end-of-year deals. However, this also opens the door for scammers to create fake offers for popular or hard-to-find items and trick shoppers into falling for them. So, just like with sneaky links, avoid being tempted by a mouth-watering deal without double-checking it first. Worse still, entering your personal information on the site it leads to can put you at serious risk.

Spotting fake shops isn’t all that difficult once you know what to look for. Check the website’s URL closely for odd text, typos, or unusual characters – for example, using the digit “0” instead of the letter “O.” Other good practices include looking up the deal on social media, checking the domain extension, and searching for online reviews of the website.
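The URL checks described above (digit-for-letter swaps, unusual characters, an unexpected domain extension) can also be automated. The following is an added example, not part of the original article; the shop list, the substitution table and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed list of shops the reader actually uses (illustrative only).
KNOWN_SHOPS = {"amazon.com", "walmart.com", "costco.com"}

# Digit-for-letter swaps used in lookalike names, e.g. "0" for "o".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_shop_url(url: str) -> str:
    """Return 'known', 'unknown' or 'suspicious: <reason>' for a shop URL."""
    if "://" not in url:
        url = "https://" + url  # allow bare hostnames such as "shop.example"
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious: no hostname"
    labels = host.split(".")
    # Non-ASCII or punycode labels can hide characters that mimic Latin letters.
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        return "suspicious: unusual characters in hostname"
    if any(host == s or host.endswith("." + s) for s in KNOWN_SHOPS):
        return "known"
    name = labels[-2] if len(labels) > 1 else host
    tld = labels[-1]
    for shop in KNOWN_SHOPS:
        shop_name, shop_tld = shop.split(".")
        if name != shop_name and name.translate(LOOKALIKES) == shop_name:
            return f"suspicious: digit swap imitating {shop}"
        if name == shop_name and tld != shop_tld:
            return f"suspicious: {shop_name} on unexpected extension .{tld}"
        if edit_distance(name, shop_name) == 1:
            return f"suspicious: one-character typo of {shop}"
    return "unknown"
```

A result of "unknown" only means the hostname does not resemble a listed shop; it still calls for the manual checks above, such as searching for reviews of the site.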


5. Unsecured public Wi-Fi

Public Wi-Fi in cafes, airports, hotels, and on public transport sure is convenient, but under the hood it’s often a breeding ground for privacy nightmares. These networks are frequently open and unsecured, meaning you don’t need a username or password to log in.

That leaves a real chance that a perpetrator could be lurking on the same network, waiting to intercept communication between your device and the Wi-Fi router. By exploiting the network’s slim security measures, they could gain access to your sensitive data, including account credentials, email addresses, passwords, and even financial information.

While our general advice is to avoid public Wi-Fi as much as possible, if you do need to use it, always have one of the best VPN services turned on. “Without an active VPN, using public Wi-Fi is insecure; it’s like gifting your personal data to total strangers,” Stamulis explains. A VPN encrypts your internet traffic, making your data unreadable to would-be interceptors.

6. Apps secretly harvesting your data

This holiday season, sweeping a digital broom through your device won’t just free up some space; it will also improve your privacy. On the surface, it might seem harmless to download apps, especially shopping apps, and then forget about them, assuming they do little more than occupy a bit of storage space on your device. But that’s not all they do.

Many of these apps are also data-collection machines, with a recent Surfshark study revealing that U.S. shopping apps, including the likes of Amazon, Walmart, and Costco, collect vast amounts of customer data.

This includes your name, payment information, physical address, device IDs, phone numbers, and location data.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Krishi Chowdhary
Contributor

Krishi is a VPN writer covering buying guides, how-to's, and other cybersecurity content here at Tom's Guide. His expertise lies in reviewing products and software, from VPNs, online browsers, and antivirus solutions to smartphones and laptops. As a tech fanatic, Krishi also loves writing about the latest happenings in the world of cybersecurity, AI, and software.
