The holiday shopping season is in full swing. It involves a seemingly endless few weeks of shopping mayhem as we rush to take advantage of bargains and buy gifts for our friends and family. Despite the rising cost of living, Deloitte is forecasting a 10% to 13% increase in 2023 holiday e-commerce sales in the US versus the same period in 2022. That amounts to over $1.5 trillion up for grabs, plus more across Europe and its biggest online market, the UK. But it’s not just retailers who are after your money – malicious hackers are too.
So before you get carried away, take a minute to check out the most common scams and cyberthreats, and how to stay safe online.
What’s at stake when you shop online?
Global e-commerce is on fire. The market is predicted to grow at a CAGR of 12% during 2021–25, to exceed $8.5 trillion by 2025. But with this much money up for grabs, it’s no surprise that scammers and fraudsters are primed to pounce. And they’re particularly ready to take advantage during busy periods like the run-up to Christmas, when it may be easier to hide fraud in the surge of purchases and when shoppers are arguably more distracted.
So what do they want? Put simply, your money and/or your personal information, including logins to relevant accounts, which can then be sold on to others to commit identity fraud. Here’s a quick rundown of some of the most common threats to look out for this holiday season.
- Fake sellers: These operate on legitimate sites like Facebook Marketplace, and attract buyers by listing in-demand products at outrageously low prices. They may also generate fake reviews of their “store” in order to add legitimacy. Users will be asked to pay via instant payment apps like Zelle, Venmo or Cash App. But they never receive their purchase, because it was all a scam.
- Account takeover (ATO): Cybercriminals are always looking for ways to hijack customer accounts. That’s because they can use stored cards to make fraudulent purchases, or else find personal information in the accounts which can be sold to others. The most common way to commit ATO is via stolen or phished logins. Sometimes fraudsters will use logins they obtained from other sites (via a data breach), which victims are using across multiple accounts. This is known as credential stuffing.
- Bogus online stores: This is a similar threat to the fake seller scams listed above. However, fraudsters go to more extreme lengths to appear legitimate. They will spoof the website of a real retailer or brand. Not only will victims not receive their item, or possibly be sent a counterfeit version, but the scammers will also capture their card details for future fraud.
- Fake apps: These are similar to fake online stores and are often peddled on unofficial third-party app stores or phishing sites. Users may end up there after clicking through on a scam link on social media or via email/text.
- Phishing: Still one of the most popular ways for scammers to get hold of personal and financial information, which can then be used in identity fraud such as purchasing items or applying for loans in your name. Fake emails, social media messages or texts are crafted to appear as if sent by a legitimate company.
- Fake gift cards: Similar to fraudulent deals involving electronics or high-end fashion, you might encounter an enticing offer for a substantial gift card balance or a card sold at a significantly discounted price compared to its face value. However, clicking on the link provided in the email or text, supposedly to claim your gift card, may result in malware installation, the compromise of your personal data, or receiving a stolen card.
At this time of year, phishing messages might pose as delivery companies and ask for extra information or payment for a ‘tax’ or ‘customs’ charge. You might have ordered so much online that it’s hard to keep track of the legitimate orders. Sometimes clicking on a link will install malware designed to flood your screen with ads or steal personal/financial information.
12 ways to stay safe when shopping online
With the above in mind, here are 12 tips for staying safe – one for each “day” of Christmas:
- Ensure you secure your PC and mobile phone with multi-layered security software from a reputable provider. This will go a long way towards preventing the damage that info-stealing and other malware can do.
- Always use strong and unique passwords on all accounts (via a password manager) and switch on two-factor authentication (2FA). This will help mitigate the risk of password theft and account takeover.
- Beware of too-good-to-be-true bargains. If an item or special offer looks too good to be true, it probably is.
- Always use secure websites for any purchases. Look for the padlock in the browser bar and an HTTPS address. This will limit the opportunity for hackers to eavesdrop on your communications and steal your card info.
- Check your bank and credit card accounts regularly during the shopping season, and contact your provider immediately if any transactions look suspicious.
- Try to shop only with brands you trust. If you haven’t heard of one before, do some research on it first – try Googling the name plus “scam” or “fraud,” and check out customer reviews, to assess its reputation.
- If you buy from an online marketplace, always pay by credit card (as there are more buyer protections that way) or even consider using a disposable virtual card for one-time purchases.
- Only download mobile apps from a trusted source; i.e., the App Store and Google Play.
- Never purchase items or log into accounts (especially not your bank account) when connected to public Wi-Fi, as these may be risky. Use a virtual private network (VPN) in these cases if you absolutely need to grab a bargain while not using your home network or data plan.
- If you receive an unsolicited email or text, think twice about clicking on it. Separately check with the sender if it is legitimate (but not by replying to the message).
- Consider checking out as guest when buying from a legitimate company. If you save your details there’s always a chance they could end up in the hands of a cybercriminal if that company is breached.
- Never click on pop-up ads, even if they’re offering tremendous shopping bargains, as the ads are often malicious.
Keep these simple steps in mind and you won’t go far wrong. Now the only risk is you spend more than you intend to this holiday season.
Happy and safe online shopping!