Scams to look out for this holiday season

‘Tis the season to be wary – be on your guard and don’t let fraud ruin your shopping spree

As the mercury starts to dip and the Halloween decorations are cleared away, it can mean only one thing: the countdown to Christmas has begun. But the festive season – or Golden Quarter if you’re a retailer – is not just a boon for online stores. It’s also a time of plenty for digital thieves and con artists.

To make sure you’re not their next victim, it pays to understand what holiday season scams look like, and how best to stay safe.

Why is there more fraud during the festive season?

A perfect storm of factors comes together at this time of year to elevate the risk of online scams. Most obviously:

  • More of us shop online, meaning more potential victims if we’re targeted in the ‘right’ way
  • More online purchases also mean more opportunities for fraudsters to hide their fraudulent transactions among legitimate ones
  • Online retailers may focus on profits over security and thus relax their fraud filters, which scammers can exploit
  • More of us are looking for special deals, and are therefore susceptible to scams advertising big discounts
  • The holiday season means more marketing spam from retailers, providing the perfect cover for more nefarious missives
  • More of us are minded to give to charity, which threat actors can also exploit
  • We’re always in a rush during the holiday season. That makes us more liable to make the wrong decisions

Top 10 holiday season scams

Fraudsters are resourceful, determined and have ready access to cybercrime services, enabling them to run scam campaigns relatively cheaply, at scale and with little effort. Among the main conduits for these efforts are phishing emails, texts and social media messages, malicious advertising – often on social media – and marketplace listings. Watch out for the following:

Gift cards

Given that they’re a popular Christmas present, gift cards are sought-after at this time of year. Scammers know this, and may try to sell you fake or stolen ones at knock-down prices, or offer them as a ‘prize’ as part of another scam.

Fake websites

Phishing sites that mimic legitimate retail or brand sites are a common vector for festive fraud. They’ll be set up either to harvest personal and financial details, or to receive funds into a bank account controlled by the scammer.

These sites usually lure in victims with too-good-to-be-true deals, discounts, or limited-time offers, particularly on popular products, such as electronics, toys, or clothing. Once you land on such a site, you might be prompted to enter personal information, such as your name, address, phone number, email, and credit card details. This data is harvested and either used by the criminals themselves for fraudulent transactions or sold on the dark web to other malicious actors. In some cases, they may use this information to commit identity theft or access other accounts.

Too-good-to-be-true deals

Fraudsters might put in-demand items up for sale at a knock-down price, advertising them through social media or marketplace listings. Payment is usually requested via instant payment apps like Zelle or Cash App. However, the victim soon finds out that there is no item and their money has now gone for good.

Fake shipping

In the run-up to Christmas, we buy gifts for friends and family in a flurry of online orders. That makes it hard to keep track of the subsequent deliveries. Scammers know this, and send fake emails or SMS messages from popular shipping providers (UPS, FedEx, DHL etc.) requesting that you enter your personal details to confirm a delivery. Sometimes the link could covertly install malware.

A variation on this theme involves fake receipts from big-name retail brands like Amazon. The goal is to trick the user into clicking on links or calling the number on the receipt, after which they’ll be asked to share their personal/financial information.

Fraudulent e-cards

Digital cards have become a beloved tradition, offering a quick, creative, and eco-friendly way to send seasonal greetings. But they can also be hijacked with malware, or used as an attempt to harvest personal information, all while using convincing logos and email formats to trick you into believing that the e-card is the real deal.

Ne’er-do-wells can send e-cards with links or attachments that claim to offer a personalized card. When clicked, however, these links may direct users to malicious websites or download malware that compromises your device. Other schemes may ask you to “verify your identity” or provide personal details to view the card.

Phone/vishing scams

During the holiday season, scammers may cold call you pretending to be representatives of retailers, delivery companies, charities and other entities, in a bid to trick you into handing over personal/financial information. They may ask directly for charity donations, ask whether you want to enter a prize draw or survey, or ask you to confirm delivery details.

Holiday season prize draws

Scammers advertise gift giveaways and prize draws online. All you have to do is fill in your personal details, which they’ll sell on to other cybercriminals or use themselves in follow-on fraud. There is no prize.

Fake charities

Scammers might try to trick you into handing over card details, personal information and/or cash by impersonating a charity and soliciting funds. They’ll use a legitimate-looking phishing site and may also run phishing/social media campaigns to funnel victims towards it.

Fake seasonal jobs

Fake job listings promise big salaries for little work. For example, they might tout "work-from-home" opportunities where you can earn hundreds or even thousands of dollars per week by doing tasks like data entry, mystery shopping, or simple online surveys. These roles are typically advertised with no required experience or minimal qualifications, which makes them seem particularly attractive to job seekers.

However, there is no job, and all the bad guys want to do is steal your personal information, or charge you a ‘fee’ for signing up. This data is then used to steal your identity, commit financial fraud, or sell your information on the dark web.

Vacation/travel scams

The festive season is also a popular time to get away, or to plan to do so in the new year. To take advantage, criminals advertise fake flights, accommodation, car hire and other services which don’t really exist. Often the first the victim finds out is when they get to the airport/hotel/car hire shop etc.

How to stay safe from festive scams

As long as scammers continue to monetize their campaigns, they will stick to the same tried-and-tested tactics. Fortunately, that means the same best practice advice is still relevant. Consider the following to keep your personal and financial information out of their hands:

  • Use strong, unique passwords and switch on two-factor authentication (2FA) or passkeys on all online accounts
  • Be skeptical of anything you read online, including offers that seem too good to be true
  • Never hand over personal or financial information after being contacted via an unsolicited message or phone call
  • Use websites that start with “HTTPS” or display a locked padlock (but be aware that this alone is not enough to keep you safe)
  • Update your software and OS regularly to keep it as safe as possible from malicious exploits
  • Install security software from a trusted provider on all devices
  • Avoid making payments via bank transfers or instant cash apps. Use your credit card where possible for extra protection
  • For travel bookings, ensure the offer is ABTA or ATOL covered
  • Double check website and email sender URLs as well as content for typos and grammatical mistakes which could indicate a fake
  • Double check delivery notifications directly with the logistics firm, but not by using the contact details in the text or email

What do I do if I’ve been scammed?

If the worst happens and you think you’ve been scammed, there are still a few steps you can take to minimize the impact. They are:

  • Report the scam immediately to authorities like Action Fraud in the UK or the FTC in the US
  • Tell your bank and, if relevant, freeze your cards and request new ones
  • Stop contact with the scammer and don’t tell them why
  • Change any passwords that may have been compromised
  • Freeze your credit to prevent scammers opening new credit lines in your name. You'll need to contact each of the three major credit bureaus separately: Experian, TransUnion, and Equifax
  • Gather evidence of the scam in case it is required

As generative AI becomes more widespread, the means to launch convincing scams in perfect English en masse will increasingly be democratized among the cybercrime community. Take care out there this holiday season.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on Facebook, YouTube and Twitter.