We’re in the thick of the holiday shopping season, but it isn’t only retailers who want your money. Scammers and hackers are looking for ways to crack into your accounts and make off with your cash or your identity.
The good news for consumers: Holiday shopping scams often follow a predictable script. “A lot of hackers are lazy,” says Jacob Lehmann, managing director of Friedman CyZen LLC, a practice that helps clients safeguard against security risks. “They are looking for a quick win.” In other words, scammers are more interested in finding easy targets than creating complicated ruses.
That can make it relatively easy to avoid losing your money in a scam. “You can be safe by doing some very practical things,” says Kelvin Coleman, executive director of the nonprofit National Cyber Security Alliance.
Here are nine common shopping scams — and tips for protecting yourself from cybercriminals and fraudsters this season.
Shady email scams. Phishing scams are a tried-and-true method to steal personal information. They involve sending emails that look like official communications from trusted websites, but are actually forgeries.
“We’re seeing some real creative ones this season,” Lehmann says. Some emails might appear to be confirmations for expensive purchases and include a link for people to dispute or cancel the transaction. Others may warn that a failure to confirm personal details could result in an account being closed. People who click on links in phishing emails are asked to enter information that is harvested and then used fraudulently or sold on the dark web. Scammers seem to be particularly interested in rewards accounts this year, according to Lehmann.
The best defense against phishing scams is to never click links in an email. Instead, manually type the web address into your browser to visit the site and confirm whether a requested action is legitimate.
Bogus shipping notices. A variation of phishing scams involves messages purportedly from FedEx, UPS or the Post Office that notify recipients of a delayed shipment. The message may include a link to track the package. However, clicking the link could download a virus onto your computer.
“Be leery of any emails that appear to come from the U.S. Postal Service about lost packages,” says Matt Dworetsky, president of advisory firm Dworetsky Financial in Wall Township, New Jersey. If you are expecting a package, visit the merchant site to receive tracking information, rather than clicking a link in an email.
Cloned websites. People need to be wary of all unsolicited emails they receive, says Peter Zaborszky, founder of BestVPN.com. “You should never go to a store from an email,” he explains. It’s easy for scammers to clone a website to make it resemble a site you know and trust.
Criminals aren’t necessarily looking for your credit card information either. The cloned site might simply ask you to log in and then redirect you to the real website so you never realize you were on a cloned page. Once a thief has your login credentials, they can access your account to make unauthorized purchases.
“Make sure the URL is the one you’re looking for,” Zaborszky says. Cloned site URLs will look similar, but if you’re paying attention, it’s easy to spot the differences between Amazon.com and Amazon-12345.com.
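The URL comparison described above can be automated. The Python sketch below is an added example, not part of the original article; it goes slightly beyond the Amazon.com versus Amazon-12345.com case by also flagging a trusted name that appears only as a subdomain of some other domain. The trusted list, function names and sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the shopper's own list of stores they actually use.
TRUSTED_DOMAINS = {"amazon.com"}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname, ignoring scheme, port and path."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare "amazon.com/x" as a host
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    for domain in trusted:
        # Trusted only if the host IS the domain or ends with ".<domain>".
        # A substring match is not enough: "amazon-12345.com" contains
        # "amazon" but is a completely different registered name.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            # The brand name appears, but the host is not under the real domain.
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; only the first two names come from the article.
    for link in (
        "Amazon.com",
        "http://Amazon-12345.com/signin",
        "https://www.amazon.com/orders",
        "https://amazon.com.example.net/login",
        "https://example.org/",
    ):
        print(f"{classify(link):10} {link}")
```
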
Fake charities. The spirit of the season makes people feel generous, and scammers capitalize on that. They may create fake GoFundMe pages for a seemingly good cause or impersonate legitimate charities on the phone.
To avoid charity scams, be deliberate about your giving. Do your research and don’t make phone donations to unsolicited callers. Any request to wire money overseas should be a red flag. If you want to give money to a GoFundMe account, it may be best to stick to those with a personal or local connection in which you can verify that the organizer is authorized to raise money for the recipient.
Disappearing packages. Not every holiday scam happens online. Some criminals steal the joy of the season off people’s front porches. They may cruise through neighborhoods looking for deliveries left while residents are at work. The stolen goods are then sold online or locally.
In certain markets, Amazon will deliver orders directly to a vehicle trunk or even inside your house if you are a Prime member and have an Amazon Key entry system. For everyone else, having packages delivered to a workplace or scheduling them to arrive on the weekend may be a more feasible option.
Phony classified ad listings. Scams on Craigslist, Facebook Marketplace and similar online venues can be a problem year-round, and you should use the same precautions during the holiday season as you would at any other time. Always meet in a public place to make a transaction and test any electronic devices before paying. The lobby of a local police department or city hall can be a good meeting place.
If a seller has posted an item on a local classifieds site but says it needs to be shipped, that should be a red flag. The same goes for any situation in which a person wants you to cash a money order or cashier’s check and wire money to another party. Tickets to concerts and events can also be risky on classified ad sites since they may be fake or canceled.
Fraudulent Santa letters. Sadly, you could get ripped off by doing something as simple as ordering a personal letter from Santa for your child. “If you want to get a letter from Santa, use a reputable company,” Dworetsky says. Look for online reviews and check to see if the website or its parent company has a positive score with the Better Business Bureau.
Even better, don’t bother to pay for a letter from Santa. The U.S. Postal Service offers a Letters from Santa program in which the government agency works to ensure all children receive a personal response from the North Pole. There is no cost for the service, and you can find more information about the program on the USPS website. Letter requests must be received by the Postal Service by Dec. 8.
Intercepted data. Think twice before doing your Christmas shopping on the public Wi-Fi network at the library or coffee shop. “That’s always going to be riskier than using your internet at home,” Zaborszky says. Hackers in the area can intercept data over public systems, giving them access to account passwords, payment information and more.
While home networks are often more secure, they too can be prone to breaches. Use a virtual private network, or VPN, to add a layer of encryption and protection to all your browsing and online shopping activity.
There are dozens of VPN providers, ranging from free services to those with fees that can range from $2 to $15 per month, but not all are created equal, Zaborszky says. It’s important to do your homework and read guest reviews and service details to ensure you get a quality product.
Tech system vulnerability scams. Hackers take advantage of system vulnerabilities to breach computers and install viruses. The easiest way to avoid becoming a victim is to immediately install system updates, which often have enhanced security measures. “That’s the low-hanging fruit,” Coleman says. “It’s the easiest thing you can do.”
Computer systems will automatically prompt users when an update is available. However, 51 percent of 1,004 people surveyed by the National Cyber Security Alliance say they delay initiating updates. As you keep an eye out for other holiday shopping scams this year, make sure you first update your computer and phone so they can do their part to keep your data safe.