You’d Better Watch Out: ‘Tis the Season for Holiday Shopping Scams

It’s always a mad scramble to find the perfect gifts in time for the holidays. And like the Grinch gazing down at Whoville, cybercriminals are watching, and they’re ready to take advantage of your haste.

Whether it’s pilfering personal information or duping consumers into scams to steal their financial or personal information, there’s a lot more at stake than presents and a roast beast. Thanks to declines in COVID cases and deaths, many people have returned to malls and big box stores this year, but analysts still expect some growth in online sales this holiday season, with many of those sales coming over the Black Friday weekend. 

Complicating things, tough economic conditions and inflation have many people watching their spending closely and searching for the best deals they can get. Couple all of that with the usual holiday rush to get shopping done, and it’s likely that some consumers will jump on what, at first glance, looks like a great deal or do business with a website they haven’t used before, even if it looks a little shady, said AJ Nash, vice president of intelligence for the cybersecurity company ZeroFox.

“You get into the holiday season, people let down their guard a bit,” Nash said. Meanwhile, cybercriminals are more than ready to take advantage of that heightened desperation in hopes of stealing credit card numbers, login credentials and other personally identifiable information from consumers.

Fortunately, just a few precautions can go a long way toward ensuring your holiday season remains merry and bright. Here are a few recommendations from experts on how to shop safely for the holidays:

Check your list (and credit card and bank statements) more than twice

Keep an eye on your bank and credit card accounts. It’s good not only for security but also for keeping track of your spending. 

You can make this task easier by limiting your holiday shopping to a single credit card and email address. Doing so will also reduce the risk of falling for a phishing scam if one comes to your other email accounts. Don’t use your debit card for purchases.

Your bank will help you recover money if your account is compromised, but it’s a lot easier to get charges reversed when a credit card number is stolen. Don’t be tempted to pay for your purchase with cryptocurrency. By design, crypto is intended to be anonymous and extremely hard to track.

If someone steals it, it’s probably gone. Requests for payment with retail gift cards should also be looked at with suspicion. They also can’t be tracked and can be easily converted into cash or merchandise by cybercriminals.

Don’t be a feast for the phishers

In the runup to Black Friday, researchers for the cybersecurity company Check Point spotted a spike in fake shopping-related sites.

In addition, they say that 17% of all malicious files distributed in emails they analyzed in early November were related to orders or deliveries and shipping. The fear is that shoppers could click on a link in a malicious email that would take them to a fake website that would then collect their personal or financial information, putting them at risk of financial fraud or identity theft. Big jumps in phishing emails during the holiday shopping season aren’t a new thing.

What concerns experts most is that they’ve become much more sophisticated and customized in recent years. Low-cost, automated technology can make phishing emails both more natural sounding and more contextually relevant. Though security technology has also improved, it can’t do much to stop people from clicking on things they’re convinced are legitimate. 

In recent years, some of the most convincing phishing emails have taken the form of shipping notifications complete with barcodes that look like they’re from FedEx or UPS.

According to Check Point, some of the most convincing scam emails so far this November impersonate the likes of luxury retailer Louis Vuitton and shipping company DHL. Black Friday was also frequently mentioned in the scam emails spotted by Bitdefender earlier this shopping season. Those emails touted deep discounts on Oakley and Ray-Ban sunglasses, as well as free £500 Home Depot gift cards. 

When it comes to all of those shipping notifications, if you’re worried about authenticity, go directly to the shipper’s website and copy and paste the tracking number into it. Don’t click on links or open attachments, no matter how tempting or urgent they might seem. Just a heads-up: Phishing isn’t limited to email these days.

It also increasingly comes in the forms of text messages, social media posts, phone calls and even QR codes. If they’re unsolicited, ignore those, too.

Is that Santa? Or just the Grinch in disguise?

Sure, you can Google around if the major retailers don’t have what you want in stock, but make sure you’re dealing with a legitimate business.

Be especially skeptical of ads that pop up in your social media feeds touting amazing, limited-time offers. Like the saying goes: If something seems too good to be true, it probably is. As busy as people are this time of year, taking five or 10 minutes to make sure that a “great deal” actually is one could save you a lot of time, money and grief in the long run, Nash said.  

“Ask yourself, ‘Would this make sense on a Wednesday in August?’” he said. “Take an extra moment and make sure.”

Elf on the Shelf isn’t the only one watching, but does that really matter? 

The internet has changed a lot in recent years. Any site worth its salt is now encrypted, which means if someone did intercept your web traffic, for instance by logging on to the same Wi-Fi as you at the neighborhood coffee shop, it would be scrambled and useless. For that reason, many security experts say a virtual private network, or VPN, which masks people’s location in addition to encrypting their data, is overkill for most folks.

Basic cybersecurity precautions, which you should be taking all year round, are all you need to ward off a visit from a cyber Krampus. Make sure your devices and online accounts (bank and credit cards, emails, social media, shopping-website logins, and so on) are locked down before you start shopping. Update your operating systems, antivirus software and all your apps.

Strong, unique passwords for all online accounts are a must. If you need help, use a password manager. Two-factor authentication, which requires a second identifier like a biometric or push notification sent to your phone, should always be enabled when available. If you’re still worried about the security of the free internet at your local store, use the cellular connection on your smartphone instead.

It’s a lot more secure than just about any Wi-Fi connection out there.