Gretel Egan | November 21, 2016

Security Spotlight: Avoiding Holiday Shopping Scams

Last updated: September 5, 2018

With Black Friday, Cyber Monday, and the holiday shopping season soon to be in full swing, cybercriminals are working overtime to turn your deal hunt into a score for the bad guys.

Below, we outline a few perennial holiday shopping scams, as well as a couple of relative newcomers to the scene. Familiarize yourself with the warning signs associated with these hoaxes and our tips for avoiding them. Help make your holidays memorable for the right reasons, not the wrong ones.

Phishing Scams: Fake Shipping Notifications, Phony Offers, and More

Phishing scams are a golden goose for cybercriminals. These fake emails are easy to create, cheap to send, and bear tons of fruit in the form of payment card information, account login credentials, and other sensitive pieces of data. Even seemingly innocent messages — like electronic greeting cards — can have malicious software (aka, malware) concealed within them.

Social engineers know that email inboxes will be flooded with order confirmations, shipping notifications, and special offers during this time of the year. They pattern their malicious messages after legitimate emails, which makes it easier to trick recipients. And they are not shy about using big-name brands and logos — like Apple, PayPal, FedEx, and others — to make things look more realistic. (A 2017 Amazon Prime Day scam is a great example.)

Top Avoidance Tactic: Verify, Verify, Verify

Before you interact with a message, give it a good look and make sure everything seems on the up and up — and remember that it’s always better to err on the side of caution. Logos, ‘from’ addresses, and signatures are not proof of legitimacy; you must look deeper for confirmation.

Here are some questions to ask yourself about unsolicited emails:

  • Do I definitely know where this message came from?
  • Does this message look like others I’ve gotten in the past, or is something off?
  • Is this message confusing, or does it make sense?
  • When I hover over the ‘from’ address and web links, do I see addresses that make sense, or does something look suspicious?
  • Is this message asking me for personal information (like login credentials, credit card numbers, etc.)?

If you’re even a little unsure, close out of the email. Instead of clicking a link or downloading a file, visit a website by keying the address into your browser, and log into your accounts via secure channels to confirm offers and notifications.

Online Scams: Imposter Websites, Phony Charities, and More

Social engineers are practiced at the act of deception, and they know things that look trustworthy are usually taken at face value. They will often plant advertisements that link to login screens and web pages that look nearly identical to well-known sites. As with emails, you must look below the surface to ensure you don’t get caught turning your valuable information over to scam artists.

There are also two themes that fraudsters regularly tap into in order to trip up unsuspecting web surfers: Charitable giving and the pursuit of great deals and hard-to-find items. Though these two are at seemingly opposite ends of the spectrum, both are common practices during the holiday season. Since social engineers seek to take advantage of natural emotions, you can see why they choose to set up phony charities and create websites that claim to offer the must-have gifts that shoppers seek.

Top Avoidance Tactic: Stick With What You Know

The best way to avoid falling for online imposters is to restrict your online interactions to known, trusted websites and non-profit organizations, preferably those you’ve had personal experience with in the past.

Here are a few things to watch out for:

  • Web addresses that don’t match what you expect to see – Scammers are very clever; they will use domains that are very similar to trusted names, hoping to fool those who don’t look closely ( instead of, for example).
  • Offers that are too good to be true – Granted, these are harder to decipher during the holiday shopping season because companies are aggressive about offering great sales. But there is still a clear difference between a great deal and an unbelievable deal. The latter, quite simply, should not be believed — particularly if you find it on a site you’re not familiar with. Learn to identify red flags, like luxury goods at very low prices or access to a toy or electronic item that’s sold out everywhere else. You could end up buying counterfeit goods or paying for something you don’t ever receive.
  • Sites that ask you to pay by gift card, pre-paid debit card, or wire transfer – There are certain types of payment that cannot be tracked and cannot be undone on fraudulent sites, and gift cards, pre-paid debit cards, and wire transfers are a few of those. The Better Business Bureau (BBB) warned of these types of scams in late 2015, and they are of continuing concern. If a site requires you to pay using one of these methods, do not complete a transaction — and report the retailer to the BBB.
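The "hover and compare" check from the email section and the look-alike domains in the first bullet above can be automated. The following is an added example, not code from the original post: it pulls every link out of an HTML email body, compares where the link actually goes with the domain its visible text names, and flags a trusted brand name that shows up as a subdomain or one character away from the real domain. The allow-list, the brand list, and the sample message are constructed; every non-brand host uses the reserved .example suffix.

```python
import re
from urllib.parse import urlsplit
TRUSTED = {"paypal.com", "fedex.com", "apple.com", "amazon.com"}  # constructed allow-list (hypothetical)
BRANDS = {t.split(".")[0] for t in TRUSTED}

def registrable(host):
    # 'www.fedex.com' -> 'fedex.com'; simplified: co.uk-style public suffixes are not handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character swaps such as paypa1 for paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_in_text(text):
    """Registrable domain the visible link text names ('https://www.paypal.com/'), else None."""
    word = (text.strip().lower().split() or [""])[0]
    host = urlsplit(word if "://" in word else "//" + word).hostname or ""
    return registrable(host) if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None

def classify_link(href, text):
    """Verdict for one link: 'trusted', 'mismatch', 'lookalike' or 'unknown'."""
    host = urlsplit(href).hostname or ""
    reg = registrable(host)
    shown = domain_in_text(text)
    if shown and shown != reg:
        return "mismatch"  # the text shows one address but the link leads elsewhere
    if reg in TRUSTED:
        return "trusted"
    # A brand name buried in a subdomain (apple.com.x.example) or one edit away from it.
    for label in host.split("."):
        if any(b in label or edit_distance(label, b) <= 1 for b in BRANDS):
            return "lookalike"
    return "unknown"

def audit_html(body):
    # Returns (href, visible text, verdict) for every anchor in an HTML email body.
    links = re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S)
    texts = [re.sub(r"<[^>]+>", "", t).strip() for _, t in links]
    return [(h, t, classify_link(h, t)) for (h, _), t in zip(links, texts)]

SAMPLE = """<a href="https://www.fedex.com/track">Track your shipment</a>
<a href="https://deals.example/verify">https://www.apple.com/</a>
<a href="http://paypa1.example/login">Confirm your PayPal order</a>
<a href="https://apple.com.account-verify.example/">Verify Apple ID</a>
<a href="https://deals.example/sale">Shop now</a>"""  # constructed message; all hosts are fictitious
```

Running `audit_html(SAMPLE)` labels the five links trusted, mismatch, lookalike, lookalike and unknown; "unknown" is the verdict the article's advice applies to most, since an unfamiliar site is neither proven bad nor proven good.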

If you are going off the beaten path, just be sure to do your research. Ask for friends’ recommendations (online reviews can be faked), and shop only on sites that offer secure, authenticated checkout.

Social Media Scams: Gift Exchanges, Fake Offers, and More

Social media is an excellent avenue for social engineers to distribute their scams — and unsuspecting users will often do it for them. Fake links, stories, and offers (like free gift cards) have long existed on social media, but there’s a newer post making the rounds that’s actually illegal to participate in in certain countries.

In 2015, the BBB warned about social media gift exchanges, which promise 36 gifts in exchange for buying one small gift for a stranger. This is an electronic version of mailed chain letters, and we’ve seen many forms of this — $10 gift cards, books, jewelry, makeup, and more, like the "Secret Sister Gift Exchange" and "Secret Wine Bottle Exchange" that took Facebook by storm in late 2017.

Regardless of what participants are asked to buy, all are pyramid schemes. If you do participate, you are highly unlikely to receive any gifts back…though you could get more than you bargained for from a legal perspective. As the BBB cautioned, "According to the US Postal Inspection Service's gambling and pyramid scheme laws, gift chains like this are illegal and participants could be subject to penalties for mail fraud." They are also illegal in Canada.

Top Avoidance Tactic: Steer Clear of Click Bait

On social media, the lure of “too good to be true” is frequent and strong. The tips shared in the earlier sections will also serve you well on these sites and apps. It’s important to remember that, without your engagement, social engineering scams can’t be successful. Your choices and decisions matter.

In-Person Scams: Delivery Fraud and Theft

Much is made of online schemes, but holiday hoaxes are not confined to the internet. Though there are a wide range of social engineering scams that rely on personal interactions, delivery theft and fraud are of particular concern during the holidays.

Unfortunately, there are a number of reports of people stealing holiday deliveries from porches and mailboxes each year, and the numbers continue to trend upward. A report from 2017 indicated that nearly 26 million Americans had packages stolen from their homes by so-called "porch pirates" before they could open them — an increase from the 23.5 million thefts reported in 2015.

It’s suspected that criminals make a regular habit of following delivery vans in order to identify their targets. Many thefts have been caught on security cameras, but although the videos have helped victims obtain refunds, the cameras weren’t able to prevent the thefts themselves.

You also need to be wary of any unexpected deliveries you receive. The BBB has warned of delivery hoaxes that are designed to steal credit card and debit card data. When packages are delivered to individuals, the courier claims to require a “small verification fee” to complete the delivery. Instead of processing a payment, a handheld scanner collects card data for the scammer to use later.

Top Avoidance Tip: Take Advantage of Delivery Safeguards

Whether you have a webcam or not, it’s a good idea to take advantage of protections offered by shippers. Try to schedule deliveries for days that you or someone else will be home, or have packages delivered to an office or other location that offers more consistent security. Track your packages so you know when they will arrive, and consider using signature services (which can cost extra) to ensure that items won’t be delivered when you aren’t around.

To avoid shipping scams this holiday (and year round), make an effort to use known, reputable delivery services and to be proactive about protecting your purchases. Should you be asked to pay a fee to receive a package, refuse the delivery until you are able to confirm the shipment is legitimate.
