Online shopping scams to avoid this holiday season

Nearly 85% of consumers are worried about running into artificial intelligence-based fraud this holiday shopping season, according to the Prove Identity 2023 Online Shopping & AI-Based Fraud Report.

And that’s with good reason. AI technology means the days of phishing emails filled with broken English or phone calls from individuals clearly based outside the country are now few and far between.

Today, fraudsters can use technology to create polished messages that look like the real thing and even clone voices to make it sound like your bank or employer is on the other end of the line.

“While scams are common year-round, we’re more likely to fall victim at a time when we’re busy, stressed and preoccupied,” Mike Steinbach, head of financial crimes and fraud prevention at Citi, said in an email. “For many of us, that time is the holiday season.”

A quarter of consumers globally say they have been targeted by a scam when shopping online, according to the 2023 Cyber Safety Insights Report from security firm Norton. Half of the victims were caught up in online shopping scams while nearly a third fell for a phishing scam.

“Cyber scammers are utilizing readily available and existing data through social engineering to understand user behavior and gain access to credentials and assets,” Tami Hudson, a cybersecurity client officer at Wells Fargo, said in an email.

Here are some common scams you might see fraudsters use this holiday season:

1. Sham order confirmations.

2. Bogus shipping notices.

3. Fraudulent fraud alerts.

4. Shady email scams.

5. SIM swapping.

6. Cloned websites.

7. Fly-by-night businesses.

8. Disappearing packages.

9. Fake charities.

10. Sob stories on social media.

11. Unreal relatives in distress.

12. Phony classified ad listings.

13. Intercepted data.

14. Card skimming and shoulder surfing.

1. Sham Order Confirmations

Although no longer a new scam, emails about fake online orders continue to make the rounds. Victims receive an email that appears to be from a reputable retailer or a payment service like PayPal confirming a purchase.

Often, these order confirmations are for heart-stopping amounts of money, and scammers will helpfully include a link in the email that people can click to dispute or cancel the order. After clicking on that link, victims will be asked to provide personal or payment information that will be used for identity theft or to make fraudulent purchases.

If you receive an email like this and are concerned someone has gained access to your shopping account, don’t click any links in the email. Instead, go to the retailer’s or payment service’s main page, log into your account from there and check for any fraudulent activity.

2. Bogus Shipping Notices

A variation of fake order scams involves messages purportedly from FedEx, UPS or the post office that notify recipients of a delayed shipment. The message may include a link to track the package. However, clicking the link could download a virus onto your computer. If you’re expecting a package, visit the merchant site to receive tracking information, rather than clicking a link in an email.

There’s also an offline version of this scam involving missed-delivery notices left in mailboxes. Victims who call the number on the notice may then be asked to provide a credit card number or other information. However, any request for payment or personal information is a clue that something is not right.

3. Fraudulent Fraud Alerts

Banks have become increasingly proactive when it comes to fraud detection, and some send texts or make calls when suspicious activity on an account is detected. Unfortunately, some scammers are replicating these contacts to gain access to accounts.

“They can call you as if they are your bank and that something is wrong with your account,” says Avi Turgeman, CEO of IronVest, which offers security and privacy services such as masked emails and single-use virtual cards.

Often, they will say they are sending you a one-time password in your email and ask you to read it back to them. In reality, the person on the line is trying to hack your account and needs the password to get in.

A legitimate bank representative will never ask for your password, and you shouldn’t give out any other sensitive information such as your birthdate, account number or Social Security number to unsolicited callers. If you aren’t sure whether a call is real, hang up and dial your bank directly.

4. Shady Email Scams

Phishing scams are a tried-and-true method to steal personal information. They involve sending emails that look like official communications from trusted websites but are actually forgeries.

“It’s very easy for criminals to create convincing phishing scams,” says technology expert Burton Kelso.

AI has made it possible for scammers to avoid the signs of a scam — such as the clunky language in the emails from Nigerian princes promising you riches. Today’s emails may direct people to download apps that look legitimate but are harvesting data from unsuspecting users instead.

Other fake apps may use Open Authorization, known as OAuth, to connect to Google or Facebook accounts and access information there. Another common phishing scam involves emails warning that a failure to confirm personal details could result in an account being closed.

According to the Norton report, 32% of scam victims say email is the primary way in which they were contacted. The best defense against phishing scams is to never click links in an email. Instead, manually type the web address into your browser to visit the site. That way, you can confirm whether a requested action is legitimate.

5. SIM Swapping

SIM swapping is a scam that involves multiple steps, according to Turgeman. It usually starts with phishing or a fraudulent phone call to gain information about a person. A criminal then uses that information to contact the victim’s wireless phone company to report their SIM card as lost or stolen.

If successful, the scammer will have the victim’s phone number transferred to another SIM card for a phone in their possession. Once they have that, they can use the phone to break into multiple accounts by requesting two-factor authentication codes to log in or reset passwords.

Nearly a quarter of consumers surveyed for the Prove study say they have been the victim of a SIM swap attack. The best defense against this scam is to be vigilant of phishing emails and fake phone calls that harvest the information fraudsters need to convince a mobile carrier to transfer a number.

6. Cloned Websites

Consumers need to be wary of all unsolicited emails they receive since it’s easy for scammers to clone a website to make it resemble a site you know and trust. They may send you a sale coupon that, when clicked, takes you to a fake website that looks just like the real site.

Keep in mind, criminals aren’t necessarily looking for your credit card information. The cloned site might simply ask you to log in and then redirect you to the real website so you never realize you were on a cloned page. Once a thief has your login credentials, he or she can access your account to make unauthorized purchases.

You can avoid cloned sites by paying attention to the URL address. Cloned site URLs will look similar to the site they’re replicating but aren’t exactly the same. For instance, scammers might use a web address like if they are trying to trick people into thinking they are on

Even better, stop using the web to make online purchases. “Order directly from an online retailer’s app,” Kelso says. Many major retailers have apps, and these are a more secure way to shop from home.

7. Fly-by-Night Businesses

It’s not hard to set up a website nowadays, and the holiday shopping season is a perfect time for scammers to set up shop and advertise on social media. They may promise deep discounts on fabulous items to encourage sales. In fact, Prove found that two-thirds of consumers would buy from an unknown website if the discount is more than 40%.

To avoid sending your money to a criminal who has no intention of shipping out the goods, do some research first. “If you’re buying from a company for the first time, check for reviews of that company or seller to confirm that it’s a legitimate business,” Steinbach says.

8. Disappearing Packages

Not every holiday scam happens online. Some criminals steal the joy of the season by swiping deliveries from front porches. They may cruise through neighborhoods looking for deliveries left while residents are at work.

Installing a home security camera could help law enforcement identify and catch the thieves, but it might be easier to make arrangements so your packages won’t be left unattended by the door.

For instance, Amazon offers several special delivery options. Those with Amazon Key smart lock systems can have packages delivered directly to a vehicle trunk or inside a house. There are also Amazon Hub Lockers at various locations throughout the country, which can receive packages for you to pick up at your convenience. For other retailers, having packages delivered to a workplace may be a more feasible option.

9. Fake Charities

The spirit of the season makes people feel generous, and scammers capitalize on that. They may create fake GoFundMe pages for a seemingly good cause or impersonate legitimate charities on the phone.

Chad Hetherington is global vice president and general manager, head of product for NICE Actimize, a financial crime and fraud solutions provider.

“Charity scams increase in popularity this time of the year,” he said in an email. “While there are many legitimate, worthy organizations, consumers need to be on the lookout for imposters, fake web sites and robocalls (that) sound like charities (but) are clearly scams.”

To avoid charity scams, be deliberate about your giving. Do your research and don’t make phone donations to unsolicited callers. Any request to wire money overseas should be a red flag.

10. Sob Stories on Social Media

Social media sites make it easy for people to share appeals for assistance, and that can make it a breeding ground for scammers. As the holidays approach, be aware that not every story shared on social media may be accurate.

The most glaring example of this is a couple who raised more than $400,000 on the crowdfunding platform GoFundMe using a false story about helping a homeless man. Both the couple and the man were prosecuted for the scam when it came to light.

If you want to give money to a GoFundMe account, it may be best to stick to those with a personal or local connection. That way, you can verify that the organizer is authorized to raise money for the recipient.

11. Unreal Relatives in Distress

Although not limited to the holidays, another common scam involves fraudsters impersonating a relative facing a crisis. Seniors are commonly targeted, and they may get a call allegedly from a grandchild in trouble. This child may have supposedly been arrested or have some other urgent need to have money wired to them.

If you get a call like this, hang up the phone and call a family member to confirm. Be equally cautious about emails outlining similar scenarios, such as a relative whose wallet and passport have been stolen while traveling. Make contact with the relative through another means before offering any financial assistance.

Another sign that this is a scam: if the person on the other end of the line insists on cash or gift cards for payment.

“Generally speaking, scammers prefer to get paid in methods that lack traceability,” Hudson says. “Scammers rarely prefer credit cards because the transactions are tracked.” Instead, they want gift cards that can be easily redeemed or sold for cash.

12. Phony Classified Ad Listings

Scams on Craigslist, Facebook Marketplace and similar online venues can be a problem year-round. Always meet in a public place to make a transaction and test any electronic devices before paying. The lobby of a local police department or city hall can be a good meeting place.

In the past, if a seller posted an item on a local classifieds site but said it needed to be shipped, that would be a red flag. Now, however, shipping items is acceptable on Facebook Marketplace and similar sites. Still, to avoid possible scams, it may be best to stick to purchases from people you can meet locally.

If you do opt to have something shipped, be sure to vet the person selling. If you are buying on Facebook, check the person’s profile to see if they have an established presence. An empty profile that was just created could signal a fake account. And walk away if the seller wants you to cash a money order or cashier’s check and wire money to another party.

“Quite frankly, there may not be a ‘safe’ way to shop private party social media or online marketplace purchases,” Hetherington says. “So, use your credit card — and a digital account number instead of the real card number. If there’s a scam, it’s easier to pursue your complaints through the chargeback process.”

13. Intercepted Data

Think twice before doing your Christmas shopping on the public Wi-Fi network at the library or coffee shop. Hackers in the area can intercept data over public systems, giving them access to account passwords, payment information and more.

And don’t assume that just because you shopped from a public Wi-Fi in the past without incident that you are in the clear.

“Sometimes the fraud doesn’t happen (right away),” Turgeman says. “It can have an impact on you six months later.” That’s because your information wasn’t used immediately but rather sold on the dark web for others to use in the future.

While home networks are often more secure, they too can be prone to breaches. Use a virtual private network, or VPN, to add a layer of encryption and protection to all your browsing and online shopping activity.

14. Card Skimming and Shoulder Surfing

While more than half of U.S. consumers plan to do the majority of their holiday shopping online, according to Norton, many people will also be buying gifts in brick-and-mortar stores. Don’t let your guard down there.

“Credit card skimmers are still a huge thing,” Kelso says. Scammers affix these attachments to card readers to steal data during a transaction.

Shoulder surfing is also a problem. Kelso advises against ever using your PIN at the register since people nearby can observe you entering it. Criminals who watch you enter it may then physically steal your card and use it.

Using touchless payment methods such as tapping a card or using a digital wallet can be an effective way to avoid both card skimming and shoulder surfing scams, according to Kelso.

Online Shopping Scams to Avoid This Holiday Season originally appeared on

Update 11/30/23: This story was published at an earlier date and has been updated with new information.