6 Costly Holiday Scams and How to Avoid Them
Phishing scams, fake websites, and even fraudulent letters to Santa all have a way of turning holiday cheer into holiday blues.
The holidays are supposed to be a time of cheer and goodwill, but there are a lot of shady scammers out there ruining the most wonderful time of the year for the rest of us. Unfortunately, scams—especially online scams—abound during the holiday season.
From phishing emails to fake charity ploys, many scammers take advantage of our festive feelings of kindness and joy, hitting us when and where we least expect it. While Santa is sure to chastise these cyber-criminals with a stocking full of coal, that’s little consolation when you have to deal with identity theft, a computer full of malware, or a drained bank account when you just want to deck the halls.
The good news is that it’s pretty easy to fend off holiday scams, so long as you know how to spot them. With a little help from Emily Long, a security expert with A Secure Life (@ASecureLife), and Lou Ryan, CEO of the cybersecurity firm EdgeWave (@edgewave), we rounded up the six most common holiday scams you should keep your eyes peeled for.
1. Fake order confirmation emails.
Online shopping for holiday gifts has been on the rise for the past several years, and chances are you’ve been doing your fair share. So while it might not be out of the ordinary to receive an order confirmation email from a store like Macy’s, Target, or Walmart, you should take a close look at every one you get.
Why? Scammers have been known to use fake order confirmation emails to get access to passwords, bank account numbers, and other sensitive data on your computer. This is achieved through a method of email and website spoofing called phishing: the hackers build an email that looks like it comes from a retailer and fill it with links that, if clicked on, will automatically download a .ZIP file containing malware that could seriously damage both your computer and your finances.
Even if you didn’t order anything recently, you’ll be tempted to click these links just to make sure someone hasn’t been using your credit cards to make online purchases, but you should never click on any links in any emails unless you’re positive they come from a legit retailer.
“Phishing scams attempt to trick you into clicking a link or opening a message or attachment that either infects your device with malware or takes you to a site designed to steal personal information,” said Long. “This is related to holiday scams in that more people are looking for the best deals online during the holiday season—consumers spent $3.45 billion on Cyber Monday alone in 2016—and may be easily fooled by fake sites or false messages.”
Here are some steps for determining whether an order confirmation email is real or a cunning fake:
- Real order confirmation emails will arrive seconds to minutes after you make a purchase. If this email arrived a day or week after you bought something, be cautious.
- Double-check the sender’s address. An order confirmation from Target should have an @target.com email address. If it’s from a random address, don’t open it.
- Hover over all links in the body of the email. If they’re not directing you to the official website of the retailer they’re claiming to be, do not click on them.
Ryan warns that falling for a phishing scam can have serious consequences:
“The effects of a successful phish include introduction of Ransomware to their system to encrypt and limit access to their files unless they pay the ransom, business email compromise (BEC), malware infections on the network, and credential-based theft so the hackers can use the stolen credentials to gain privileged access to systems, potentially leading to a data breach.”
2. Charity scams.
We reported last week on Inside Subprime—our breaking news blog devoted to the subprime financial industry—that Georgia Secretary of State Brian Kemp has been warning his citizens against falling for fake charity scams during the holidays.
“As we approach the holiday season, Georgians begin looking for ways to lend a helping hand to those in need,” said Kemp. “Unfortunately, bad actors view this time of year as the perfect opportunity to scam well-meaning donors. Before you open your checkbook, do your homework to make sure your donation will reach the intended recipients.”
Charity scams are an issue year-round, but can really ramp up during the holiday season.
“By phone, the goal [of a charity scam] is to get the victim to agree to donate and give up their credit card information,” said Ryan. “This can be achieved through a technique called ‘spoofing.’ Even with Caller ID, it can be made to appear that the call is coming from a legitimate charity, although the call is actually being made by a scammer. By email, the goal is to get the consumer to visit a website and make a donation which never goes to the actual charity. If successful, the scammer has gotten a non-refundable and hard-to-trace financial donation or worse yet, access to your credit card information to use for other future purchases.”
If you’re approached via email, phone, or on the street by someone asking you to donate to a charity, make sure you double check that they will actually be donating your money, and not keeping it to fund their dream of becoming a cat fashion photographer. If you’re confused, check out Give.org, which compiles detailed reports on all legitimate charities, grading them on governance, effectiveness, finances, and solicitation efforts.
3. ‘Letter from Santa’ scams.
Scammers have been pulling this scheme on unsuspecting parents for a few years. According to the Better Business Bureau, this is how it works:
- You get an email selling a “Handwritten letter from Santa to Your Child.” It encourages you to make your child’s holiday by purchasing “Santa’s special package” for $19.99.
- You click on the link, and it takes you to a website. The site promises the special package contains an “official” nice-list certification and customized letter from Santa. There’s even a free shipping special that ends (not coincidentally) in just a few hours. You decide to purchase and enter your credit card information.
- Don’t do it! In the best case, you are simply out the $19.99. In the worst case scenario, you just shared your credit card information with scammers, who can now use it for identity theft.
- In another version of this scam, the site promises a free letter from Santa. It doesn’t request any credit card information, but it does require plenty of personal information, such as your full name, address, and phone number. These sites can then turn around and sell your personal information to spammers.
A much better option? Write your kid a letter yourself! It costs nothing, and you won’t be putting yourself at risk of identity theft in the process.
4. Holiday job scams.
If you need to make a little extra cash this holiday season, you may be on the lookout for a seasonal job. Many retailers hire temporary workers to handle the influx of shoppers stocking up on Christmas presents for friends, family, and the one coworker that they got in Secret Santa.
But don’t apply to every job you see without a second glance. Fake job scams can be used to steal your personal information, or even steal your hard-earned cash with the promise of future payback. Whether you’re job-hunting for a seasonal job or for something more permanent, it always pays to remember these tips from ZipRecruiter:
- No legitimate job will ever make you pay money upfront. If a company is asking you to buy something or pay them for the cost of a background check or “training,” run!
- Check online for information about the company. They should have a website and maybe some reviews on Glassdoor, LinkedIn, Google, or the BBB. If they’re not giving you their company name, they’re not legit.
- Check the job description for typos and grammatical errors. If the job is real, they will have taken care to edit the job listing.
- Don’t get suckered into high-pressure, snap-second “investments.” If something seems too good to be true, it probably is.
5. “Secret Sister” social media gift exchange scams.
Have you seen any posts like this one on your social media feed?
These “gift exchanges” sound like a lot of fun. Buy one $10 gift and get back six to 36 of your own gifts? What a steal! Well, “steal” is right, because that’s exactly what’s happening here: you’re getting robbed. This is a modern-day example of the age-old practice of chain letters, which are actually illegal here in the U.S.
“Chain letters don’t work because the promise that all participants in a chain letter will be winners is mathematically impossible. Also, many people participate, but do not send money to the person at the top of the list. Some others create a chain letter that lists their name numerous times—in various forms with different addressee. So, in reality, all the money in a chain is going to one person.”
6. Lookalike website scams.
Equifax, the scandal-ridden credit bureau whose lax online security compromised the personal information of millions of Americans, was recently in the news (again) for accidentally linking to a spoof website, designed to look exactly like the real thing.
Luckily for Equifax customers, the spoof website was made by someone who wanted to educate them on what Equifax was doing, but most lookalike sites have much more sinister intentions.
Scammers can create entire websites that look exactly like a legitimate retailer, in the hopes that you’ll mistake it for the real thing and provide them with your credit card number, address, and other personal info.
“If a fake website is designed well, then to the naked eye, most consumers may not be able to easily spot a fake from a real website,” said Ryan. “A fake website is successful if it has the ‘attention to detail’ to look like the real website that it’s designed to impersonate.”
However, Ryan says there are clues to be on the lookout for:
- The site uses an incorrect URL: “The link in the email doesn’t match the real URL that you would otherwise directly type into your browser”
- The site asks for your banking information: “Real institutions don’t ask for that as part of a web page login”
- The site displays low-resolution images
- The site is rife with misspelled words
- The site is not a secure site, meaning it’s “HTTP:” and not “HTTPS:”
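The sender-address and link checks from the order confirmation steps in section 1, together with the URL and HTTPS clues above, can be automated. The following is an added example, not part of the original article: the sample email, the `.example` domains, and the function names are constructed for illustration, and it assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_order_email(raw, retailer_domain):
    """Return a list of warnings for a single-part HTML order email."""
    msg = message_from_string(raw)
    warnings = []
    # The display name is free text; only the address part is compared.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not belongs_to(sender_host, retailer_domain):
        warnings.append(f"sender domain {sender_host!r} is not {retailer_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        url = urlsplit(href)
        if not belongs_to(url.hostname, retailer_domain):
            warnings.append(f"link goes to {url.hostname!r}, not {retailer_domain}")
        elif url.scheme != "https":
            warnings.append(f"link uses {url.scheme}, not https: {href}")
    return warnings

# Constructed sample: spoofed display name, lookalike host, plain-HTTP link.
SAMPLE = """\
From: Target Orders <orders@target-confirm.example>
Subject: Your order confirmation
Content-Type: text/html

<a href="https://target.com.orders.example/track">Track your order</a>
<a href="http://www.target.com/account">Your account</a>
<a href="https://www.target.com/help">Help</a>
"""

if __name__ == "__main__":
    for warning in check_order_email(SAMPLE, "target.com"):
        print("WARNING:", warning)
```

An empty result only means none of these clues fired. The From header can be forged, so a matching sender address alone does not prove the email is genuine.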
“Consumers should take the extra minute or two to think critically before they enter their personal information or make a purchase, and there are a couple of easy-to-spot clues,” said Long. “I would always err on the side of caution and skepticism before clicking a link, opening an attachment, or entering information on a site, no matter how innocuous it may seem, as it’s a lot harder and more costly to undo the damage of phishing scams and identity theft once they occur than it is to do your due diligence or to find a product or deal on a legit site.”
What can you do if you’re a victim of a holiday scam?
Despite our best efforts, sometimes the scammers come out victorious. But getting caught in a holiday scam doesn’t have to dampen your spirit. Long says anyone who thinks they’ve been the victim of a scam should reach out to the FTC and record a complaint.
Emily Long is a security expert with A Secure Life (@ASecureLife). She loves to geek out on new tech gadgets. When she isn’t writing about security and smart tech, she can be found teaching yoga, road tripping, or hiking in the mountains.
Lou Ryan brings over 20 years of executive leadership to his position as Executive Chairman of the Board at EdgeWave (@edgewave). Mr. Ryan became a member of the company’s Board of Directors upon completion of the merger of St. Bernard Software, Inc. with Sand Hill IT Security Acquisition Corp. in July 2006, and has served as Chairman of the Board of Directors since June 2008. Mr. Ryan’s extensive background in the technology industry includes roles as a co-founder and/or executive in several technology startups including Delrina and Living VideoText, which were both sold to Symantec Corp., and Entercept Security Technology, which was sold to McAfee Inc.