Beware of Holiday Shopping Scams, Says the US Cybersecurity and Infrastructure Security Agency

The US Cybersecurity and Infrastructure Security Agency (CISA) warns shoppers to be alert to holiday scams and malicious cyberattacks this holiday season. According to the agency, criminals may send fraudulent emails or e-cards with malicious links or attachments. Learn 12 tips to better detect and avoid holiday shopping scams, and better protect your identity and finances while searching for the perfect gifts online.

Holiday Scams Come in Many Forms—Fraudulent Ads, Emails, Calls, and Texts

Fraudsters frequently take advantage of the holidays to push themed scams through online ads, misleading calls, phishing emails, and text messages. The worst part? These scams are often carefully crafted and branded to look like they came from a legitimate retailer or other organization and for a legitimate purpose.

For example, in 2018, attackers reportedly sent holiday-themed phishing emails designed to look like Amazon order confirmations. If the victim took the bait and opened the link or attachment, the emails infected the victim’s computer with malware that logged keystrokes and attempted to steal account credentials.

In other instances, cybercriminals may tout fraudulent mobile apps or web pages related to holidays or current events, such as Black Friday, with the goal of convincing victims to enter personal or financial data.

Yet another holiday scam used the messaging platform WhatsApp to try to lure victims by promoting popular products at deep discounts, sometimes from seemingly authentic retailers like Amazon.com.

Even Gift Cards Can Be Targeted for Cyber Scams

Gift card fraud is becoming more common among financial scammers, according to reports.

Scammers can use bots to test millions of combinations of gift card numbers and PINs on retailer websites. Once they find an active card, they drain the money—either by purchasing items for themselves or selling the card’s credentials on the dark web. When the recipient attempts to use the card, they discover that it has little to no funds available.

Other scammers target legitimate sites that people use to resell gift cards or purchase cards at a discount, where it can be difficult for buyers to discern if the cards are being sold legitimately or belong to a scammer.

12 Tips to Better Protect Your Identity and Finances This Holiday Season

Fortunately, there are some steps you can take to better protect your identity and your finances while filling your holiday gift lists.

  • Stay alert to phishing attacks - Be wary of phishing emails that are often designed to look like an authentic message from a well-known brand. Avoid clicking on links in unsolicited emails, and be wary of email attachments. Do not provide sensitive information through email. If you receive an unsolicited email from a business but wish to learn more about the offer, log on to the authentic website directly by opening a browser and typing the web address yourself. Don’t click on the link provided.
  • Do your homework on unfamiliar retailers - One of the best ways to avoid online shopping scams is to make your purchases on the websites of retailers you already know and trust. If you find an unfamiliar retailer that has an item you just can’t find anywhere else, Consumer Reports provides a list of ways to research the retailer including: searching the BBB website for prior complaints, examining the URL, and looking for seals of approval from organizations that vouch for the retailer’s reputation. Make a note of the retailer’s phone number and physical address in case there is a problem with your transaction or your bill.
  • Check websites for the https and padlock - Look for indications that your information will be encrypted on online shopping websites. This is typically identified by a URL that begins with "https:" (instead of "http:") and a padlock icon. Remember that some attackers may try to trick website visitors by displaying a fake padlock icon, so be sure that the icon looks authentic and is in the appropriate location for your browser.
  • Use a credit card - CISA recommends that shoppers choose a credit card over debit for their purchases. There are laws that limit an individual’s liability for fraudulent credit card charges, but debit cards may not have the same level of protection. Additionally, because a debit card draws money directly from a bank account, unauthorized charges could leave the victim without funds to pay bills or other necessities. It’s also a good idea to use a credit card for payment gateways, such as Apple Pay, PayPal, and Google Wallet.
  • Choose shopping apps wisely - Be aware that some mobile shopping apps could be a scam, and other legitimate shopping apps may collect a lot of personal information. Look for apps that tell you what they do with your data and how they keep it secure. Keep in mind that there may be no legal limit on your liability with money stored in a shopping app or on a gift card. Unless otherwise stated in the terms of service, you may be responsible for all charges made through your shopping app.
  • Don’t overshare - No retailer needs your date of birth or Social Security number in order to do business. However, if crooks are able to get your credit card number plus some personal information, they could potentially do a lot of damage to your identity and credit. Whenever you can, provide as little personal data as possible.
  • Purchase gift cards from a reputable source - The Retail Gift Card Association recommends purchasing gift cards only from trusted sources and known brands, especially when buying online. If you purchase a gift card in-store, check the card to see if the wrapping has been tampered with, or if the PIN has been revealed. If a gift card looks suspicious, take it to an employee and pick a different card. If the gift card is digital, store it in an online account or mobile wallet that requires a password. If you receive a gift card this holiday season, use it as soon as possible to avoid loss or theft, or alternatively register the gift card and change the PIN.
  • Deliver gifts securely - It’s a good idea to have packages delivered to a secure location. If you won’t be home, send them to your place of work, or ask a neighbor to watch for deliveries. Consider requiring a signature for delivery, or look for options to pick up your package at a nearby store or mailing center. If you plan to send a gift card by mail, use a method that allows you to track the delivery. If it's being sent online, use a means that is password protected.
  • Check privacy policies - Before providing personal or financial information, check the website's privacy policy to make sure you understand how your information will be stored and used. If a site doesn’t have a privacy policy, that’s a big red flag that it may be a scam.
  • Verify the sender before opening ecards - The Better Business Bureau offers advice on how to distinguish a friendly ecard from a scam. It advises recipients to make sure that the sender's name is visible, to be wary if they are required to enter personal information in order to access the card, and to avoid opening suspicious emails, especially those with an attachment that ends in “.exe”, which could download a virus.
  • Install and update antivirus software on all your devices - Install firewall, antivirus, and anti-spyware software on your computer, tablet, and smartphone. Check for and install the latest updates, and run virus scans regularly.
  • Check your online statements - Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately. Go online regularly during the holiday season to check electronic statements for fraudulent charges to your credit card, debit card, and checking accounts.

What to Do in Case of Suspected Fraud

If you believe that you have been a victim of fraud or theft, report it immediately to your bank or credit institution as well as to the proper authorities in order to minimize your losses and begin working toward resolution.

  • File a complaint with the FBI's Internet Crime Complaint Center (IC3).
  • Report the incident to your local police and file a report with the Federal Trade Commission.

Report suspected identity theft to the Federal Trade Commission on its website, IdentityTheft.gov.