Scammers may be ever present online, but when the holidays roll around, they go into high gear.
That’s because “all of the stars align” for bad actors, said Mark Ostrowski of Check Point Software, an online security company. The shopping rush, big sales and charity appeals create a slew of opportunities for scammers to entice people to click on malware boobytraps, reveal sensitive personal information and cough up cash in response to deceptive emails and texts.
You don’t have to be a Grinch to protect yourself against these fraudsters, but you do have to treat the unsolicited emails and texts you receive skeptically — something you should be doing year-round, frankly. While you’re at it, keep in mind what scammers like to do during the holidays, and how your actions online will inevitably expose you to more risk.
Here are some tips from Ostrowski, Norton researcher Kevin Roundy, and other experts about the holiday scams to be on the lookout for and the sorts of practices that can keep you safe.
In the days before Amazon, holiday shopping meant shouldering your way through the crowds at the mall or local shopping district. And for the hard-core bargain-seekers among us, it meant spending hours in line before dawn, hoping for a chance at an insanely low-priced TV or game console.
Some of that still happens — witness the frenzy two years ago by people trying to land a Sony Playstation 5 — but a good chunk of the in-person holiday shopping has given way to online sales. That means more people are looking for deals online and having packages shipped to their homes, which means more chances for scammers to pretend to be new online retailers or to impersonate well-known shipping services.
Check Point’s research arm estimated that 1 of every 6 malicious emails sent in the first 10 days of this month were shipping scams. These often convey urgency to get you to click on a link heedlessly — for example, by saying there’s a problem with your delivery that you need to address right away. And by clicking on that link, you’ll either download malware onto your device or be taken to a site that tries to wheedle sensitive personal information out of you.
These scams are common because they are effective. Is there anything harder to resist than a text supposedly from UPS offering a link to a tracking number? Or from FedEx saying you have a “delivery exception”? I think not. But resist you must.
You can try to identify fraudulent emails by carefully checking the sender’s address for a domain that doesn’t match the shipping company’s, or by combing the email for spelling and grammatical errors. Better yet, just ignore the emails and go instead to the shipping company’s website, where you can enter the tracking number the retailer provided with your purchase. Any information you’ll need about your package can be found, safely and easily, that way.
You’ve probably grown tired of the phrase, “If the deal seems too good to be true, it probably is.” But just because it’s hackneyed, that doesn’t make it any less true. And it’s especially important this time of year, when scammers are creating traps specifically for bargain hunters.
The problem, Roundy said, is that we tend to let our guards down during the holidays. “A little over 1 in 3 American adults admit to taking more risk in the holiday season,” he said; not surprisingly, more than a third have fallen victim to shopping scams, with an average loss of $387.
Here’s an example of the kind of scam you may encounter this year. In just the second week of November, Check Point Research found, nearly 15,000 bogus websites were created to offer discounted designer handbags. In addition to stealing sensitive personal information like credit card numbers, such sites may also be trying to sell you overpriced Louis Vuitton, Dior and Balenciaga knock-offs.
Black Friday “doorbuster” sales from retailers like Best Buy and Walmart encouraged people to suspend their disbelief about prices that seem impossibly low. Nevertheless, Roundy said, when you see a popular product being offered at a huge discount, you have to ask yourself whether it makes sense for a legitimate retailer to do that.
Nor can you assume that an unfamiliar retailer is on the up-and-up just because it has an elaborate website with thousands of products. “Scammers invest a tremendous amount of effort in their sites,” Roundy said. “A lot of our intuitions fail us, so we have to be pretty careful this time of year.”
The wisdom of crowds can help protect you from fake online retailers. Roundy suggested copying an unknown website’s domain name from the address bar in your browser, then searching for that term along with the word “scam” or “review.”
Users are quick to share their suspicions on sites such as Reddit and ScamAdviser. And established sites are likely to have plenty of reviews from customers, Roundy said, although that, too, can be gamed. Scam sites typically have either a lot of bad reviews or chunks of bad reviews mixed with a series of short and highly positive ones, presumably posted by the scammer.
He said it’s also important to check the ratings of individual sellers on platforms such as EBay and Amazon Marketplace, which can help distinguish the reliable ones from the unreliable.
Social Catfish, which offers a scam-detection service for a fee, said deeply discounted gaming consoles and gift cards are two common lures used by ripoff artists who will take your money and deliver … nothing. Check the URL to make sure you’re buying electronics from a retailer’s site and not a knockoff with a similar spelling, Social Catfish says, and get your gift cards directly from the source.
(Even if the discounted gift card you buy is a real card, Roundy said, the seller may be laundering money for an illegal enterprise. After all, why would a legitimate business sell you something with a cash value of $100 for less than $100?)
Reverse image searches like the one offered by Social Catfish or Google’s free Google Lens can also help protect you from scams on specialized websites or selling platforms such as eBay, Craigslist and Facebook Marketplace. If the seller posts a photo of what is supposed to be the actual item — a puppy, say, or a designer dress — save a duplicate of the image on your computer or smartphone, then upload it to a reverse image search site. The search can reveal if the seller copied the photo from someone else’s site, which would be a giant red flag.
Another issue for bargain hunters is counterfeit goods and “gray market” products — versions that companies sell outside the United States at lower prices, but whose warranties may not be valid here. Amazon has a well-documented history of counterfeit goods being sold on its site, although the ecommerce giant said in June that it is spending more on the problem and seeing better results.
Launched in 2012, Giving Tuesday is a global effort by a network of nonprofits to promote charitable giving. Countless organizations now appeal for donations on our around the Giving Tuesday organization’s annual celebration, which will be on Nov. 29 this year.
Many of those appeals will land in your email inbox. Unfortunately, your inbox may also collect messages from scammers, who use emails as their primary tool for finding victims, Roundy said.
According to AARP, you’re more likely to encounter a charity-related scam this holiday season than any other type of con. Almost 40 percent of the people surveyed said they’d received a pitch from a bogus charity.
One scammer technique, Roundy said, is to send you an email in the name of a popular charity, thanking you for donating in the past and asking for your help again. The link in the email will take you to the scammer’s bogus site, not to the charity’s, where they may try to steal sensitive personal information as well as money.
Scammers may also tie their appeals to a recent, headline-grabbing tragedy or emergency, and may set up a fraudulent GoFundMe site to siphon money away from the real victims, Roundy said. Or they may use fraudulent social media accounts to make bogus pitches based on a celebrity’s real-life charitable work.
The best defense against this type of scam, Roundy said, is to not try to make a donation through a link in an email, text or social media post. Instead, go to the charity’s website and give directly.
You can also look for the same sorts of clues in charity-related emails that you would in any unsolicited message, he said, such as misspellings, grammatical errors and odd phrasings. Fake charities often try to fool you by using names similar to those of legitimate organizations, Roundy said: “It might sound official, but it isn’t quite the real thing.”
To promote safe giving, some employers create Giving Tuesday portals on their websites to direct donations (and possibly matching contributions) to the charities they’ve verified.
Alternatively, you can also do your own research on unfamiliar charities. The Internal Revenue Service’s database of tax-exempt organizations is one data-rich resource. The more user-friendly search tools offered by Charity Navigator, Charity Watch and the Better Business Bureau, though, will give you a sense of how well a charity is managed, in addition to verifying that it’s real.
For more guidance, the Federal Trade Commission offers tips for how to avoid charity swindles, including Giving Tuesday scams. The IRS offers also pointers for a safe Giving Tuesday.
One point in common for all sorts of online con artists is that they prefer to be paid in ways that can’t be revoked. So when someone doesn’t allow you to pay with a credit card, that’s cause for concern.
Rule No. 1 is don’t do business with people who ask to be paid in gift cards. That’s a favorite of scam artists around the globe because the money can’t be recovered or traced.
Paying through Zelle isn’t much better, by the way, given that the system offers no help recovering money from scammers. If you pay someone through Zelle, it’s no different from handing them cash.
Rule No. 2 is don’t do business with people who ask for payment outside the platform they’re using to sell their products. Sales platforms such as EBay, Etsy and StockX offer ways to get your money back if you’ve been defrauded, but only if you use their payment services. If the seller tries to persuade you to send money directly, that’s a red flag.
PayPal and Venmo can be your ally here, as long as your purchase is covered by their buyer protection programs. This safeguard is available by default on PayPal; on Venmo, you’ll need to make sure your purchase is eligible for protection and then select that option when paying.