The top holiday shopping scams this year — and how to avoid them

News
By Paul Wagenseil
published

Crooks are out to get your money and your personal data

Woman's hands type on MacBook with Christmas tree and holiday decorations all around.
(Image credit: Voloshyna Anna/Shutterstock)

It's holiday shopping time, which means scammers and identity thieves are waiting to snare people eager to find deals or hard-to-find items online. Fortunately for us, there are tried-and-true ways to avoid being taken in by online holiday-shopping scams.

"Scammers use the holiday season to swindle unsuspecting victims through fraudulent emails and other schemes," Bitdefender's Alina Bizga warned in a recent company blog post that detailed the rise in shopping-related phishing emails as the holidays approach. "There's no shortage of fake deals and promotions for keen shoppers to fall for."

Bitdefender found that holiday-shopping phishing emails predominantly targeted the United States, and the email messages' subject lines promised great deals on top-brand sunglasses like Ray-Ban and Oakley as well as Walmart and Amazon exclusives. 

Meanwhile, Kaspersky  saw shopping-related phishing emails more than double from September to October as the holiday shopping season approached, with Amazon and eBay leading the list of spoofed brands.

The FBI warned recently  that hard-to-find gaming consoles, such as the PS5, were being used as lures by online criminals as people try to hunt down PS5 restocks. But people taken in by such scams may find that the promised items never arrive, that their credit-card numbers get used by crooks, or that their personal information ends up being stolen

"Victims may receive nothing except a compromised identity or fraudulent card charges," said the bureau, warning shoppers to beware "untrusted websites and ads promoting unrealistic discounts and bargains."

Even the IRS  is joining the chorus of doom, putting up a blog post warning of end-of-year shopping scams and identity theft. 

"We urge people to be extra careful with their personal and financial information during this period while shopping online or getting suspicious emails or text," said IRS Commissioner Chuck Rettig. 

Cute puppies, free iPhones and dream getaways

One category that seems to attract a lot of online swindlers, according to the FBI, is pets. People looking for just the right puppy or kitten for the holidays may be extra-ripe for the taking, as there's so much emotion and expectation bound up in the purchase. It's easy to overlook red flags when you've fallen in love with a picture of an adorable fur-baby.

"Criminals will use legitimate website photos to promise the non-existent pet to multiple buyers," said the FBI, but the price may quickly ramp up due to surprise shipping fees, vaccination expenses or even sales tax. "If purchasing a pet online, consider meeting the animal and owner via video chat before buying to reduce the chances of being scammed."

Scams in which the paid-for item never shows up are called non-delivery scams by the experts. But there are also delivery scams, which is what happens when an item you didn't buy suddenly seems to be ready for you.

Security firm Proofpoint  detailed such scams in a recent blog post, explaining how crooks will send text messages to random numbers saying that a package is about to be or has been delivered. Because these combine SMS messages with phishing, they're called "smishing" attacks.

The item that's being delivered is often something expensive and desirable, such as an iPhone 13. Even if you didn't order the item, or don't even have the same name as the person being messaged, you might be tempted to collect the item. That's how the crooks use your own darker impulses against you.

But there's always a catch. In order to get the prized item into your hands, you've got to go to a website and fill out some personal information, pay a small fee, or both. Sometimes the website will even try to infect your phone with malware, just because.

These delivery scams don't just happen around the holidays, but they sure seem to ramp up toward the end of the year. Finland just saw a massive wave of such attacks involving the FluBot Android malware, which gets installed via bogus delivery notifications and then spreads to more phones by sending out smishing messages to your entire address book.

Another big lure is a scam involving holiday travel. Bitdefender has seen a rise in phishing emails promising great deals on flights and hotels. It's easy to be tempted by the promise of cheap hotel rooms in a destination you were planning to visit anyway, or by amazing ticket prices to a fabulous destination you thought you couldn't afford to travel to.

How to avoid holiday shopping scams

So how can you avoid becoming a victim of one of these sinister seasonal shopping scams? As we outlined in our previous guides for safe shopping on Black Friday and Cyber Monday, common sense should be your guide.

"If the deal sounds too good to be true, chances are it is a scam," the FBI said. That random online store you've never heard of almost certainly doesn't have a truckload of PS5s, and doesn't it seem funny that it wants you to pay with gift cards instead of a regular credit card?

Here's what else you need to do and watch out for. These are not ranked in order of importance, because they're all important.

  • Don't click on links in email messages or social-media posts that promise fantastic savings. Those links could take you God-knows-where, even if the message or post looks legit. Instead, go to the retailer's website in your web browser and then look for the deal there. 
  • Don't click on search-engine results for the best deal on whatever you're shopping for. Crooks can "poison" search-engine algorithms to make sure their bogus links rise to the top. Again, go to the retailer's site and search for the deal from there. 
  • Don't click on deal links that are texted to your phone.
  • Don't do business with a retailer that uses a free email service, like Gmail or Yahoo or Outlook.com. 
  • Don't trust third-party transactions, in which you're buying something from one person or company but are being asked to pay a different person or company.
  • Stick to familiar, well-known retailers when shopping online. They don't all have to be Amazon, but you don't want to give your credit-card number to Crazy Ivan's House of Electronics just to save $25 on a gaming controller.
  • Use only credit cards while shopping online. Debit cards tied directly to your bank account offer far less protection against fraudulent charges, and crooks can infect retail web servers with malware designed to steal card numbers. The FBI goes a step further and says you should designate one credit card for online purchases only.
  • Don't pay with wire transfers, gift cards, cryptocurrency or cash. These offer no protection at all, and if anyone asks you pay for items using one of those methods, that's a big red flag. 
  • Carefully check your credit-card statements every few days during the holiday shopping season. Because there's a lot of spending happening, you might miss a fraudulent transaction nestled in among all the real ones.
  • Make sure there's a padlock icon next to the site's web address in the browser address bar when you're using a desktop or laptop. This shows there's a secure, encrypted connection. The site could still be run by crooks, but you should never send financial or personal information over a connection that isn't secure.
  • Use a retailer's own app rather than your browser when shopping on your smartphone or tablet. It's hard to "spoof" an entire mobile app, unless you happened to download that app from outside the Google Play Store or Apple App Store.
  • Use a secure Wi-Fi network to get online if you're away from home or work. Don't use a totally open Wi-Fi network such as you might find in a cafe, park or restaurant. When in doubt, fire up one of the best VPN services to make sure your local connection is secure.
  • Check the retailer's website address, even if there's a padlock. Crooks are very good at mimicking legitimate retail websites, so make sure the address isn't something like "amazzon.com", "wa1mart.com" or "bestbuy.su".
  • Don't let websites save your credit-card information. You'll have to type it in again next time you visit (unless you're using one of the best password managers), but your credit-card data won't be stolen when the site suffers a data breach. Also, don't let your web browser store your credit-card info, as browsers are far too easy to hack.
  • Don't create an account on a retail website just so you can shop there. Use the "continue as guest" option instead, if available. There's no need to increase your risk of being caught up in a data breach. If you do have to create an account, as you do with Amazon, then use a password manager to create and remember a strong, unique password.
  • Make sure your PC, Mac, smartphone or tablet is fully updated with the latest version of the operating system, and use the best antivirus software appropriate to Windows, Mac or Android.

"Taking a few simple steps can keep people from becoming victims of identity theft and protect their sensitive personal information needed for tax returns and refunds," said the IRS' Rettig.

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.