6 Costly Holiday Scams and How to Avoid Them


Phishing scams, fake websites, and even fraudulent letters to Santa all have a way of turning holiday cheer into holiday blues.

The holidays are supposed to be a time of cheer and goodwill, but there are a lot of shady scammers out there ruining the most wonderful time of the year for the rest of us. Unfortunately, scams—especially online scams—abound during the holiday season.

From phishing emails to fake charity ploys, many scammers take advantage of our festive feelings of kindness and joy, hitting us when and where we least expect it. While Santa is sure to chastise these cyber-criminals with a stocking full of coal, that’s little consolation when you have to deal with identity theft, a computer full of malware, or a drained bank account when you just want to deck the halls.

The good news is that it’s pretty easy to fend off holiday scams, so long as you know how to spot them. With a little help from Emily Long, a security expert with A Secure Life, and Lou Ryan, CEO of the cybersecurity firm EdgeWave, we rounded up the six most common holiday scams you should keep your eyes peeled for.

1. Fake order confirmation emails.

Online shopping for holiday gifts has been on the rise for the past several years, and chances are you’ve been doing your fair share. So while it might not be out of the ordinary to receive an order confirmation email from a store like Macy’s, Target, or Walmart, you should take a close look at every one you get.

Why? Scammers have been known to use fake order confirmation emails to get access to passwords, bank account numbers, and other sensitive data on your computer. This is achieved through a method of email and website spoofing called phishing: the hackers build an email that looks like it comes from a retailer and fill it with links that, if clicked on, will automatically download a .ZIP file containing malware that could seriously damage both your computer and your finances.

Even if you didn’t order anything recently, you’ll be tempted to click these links just to make sure someone hasn’t been using your credit cards to make online purchases, but you should never click on any links in any emails unless you’re positive they come from a legit retailer.

“Phishing scams attempt to trick you into clicking a link or opening a message or attachment that either infects your device with malware or takes you to a site designed to steal personal information,” said Long. “This is related to holiday scams in that more people are looking for the best deals online during the holiday season—consumers spent $3.45 billion on Cyber Monday alone in 2016—and may be easily fooled by fake sites or false messages.”

Here are some steps for determining whether an order confirmation email is real or a cunning fake:

  • Real order confirmation emails will arrive seconds to minutes after you make a purchase. If this email arrived a day or week after you bought something, be cautious.
  • Double-check the sender’s address. An order confirmation from Target should have an @target.com email address. If it’s from a random address, don’t open it.
  • Hover over all links in the body of the email. If they’re not directing you to the official website of the retailer they’re claiming to be, do not click on them.

Ryan warns that falling for a phishing scam can have serious consequences:

“The effects of a successful phish include introduction of Ransomware to their system to encrypt and limit access to their files unless they pay the ransom, business email compromise (BEC), malware infections on the network, and credential-based theft so the hackers can use the stolen credentials to gain privileged access to systems, potentially leading to a data breach.”

2. Charity scams.

We reported last week on Inside Subprime—our breaking news blog devoted to the subprime financial industry—that Georgia Secretary of State Brian Kemp has been warning his citizens against falling for fake charity scams during the holidays.

“As we approach the holiday season, Georgians begin looking for ways to lend a helping hand to those in need,” said Kemp. “Unfortunately, bad actors view this time of year as the perfect opportunity to scam well-meaning donors. Before you open your checkbook, do your homework to make sure your donation will reach the intended recipients.”

Charity scams are an issue year-round, but can really ramp up during the holiday season.

“By phone, the goal [of a charity scam] is to get the victim to agree to donate and give up their credit card information,” said Ryan. “This can be achieved through a technique called ‘spoofing.’ Even with Caller ID, it can be made to appear that the call is coming from a legitimate charity, although the call is actually being made by a scammer. By email, the goal is to get the consumer to visit a website and make a donation which never goes to the actual charity. If successful, the scammer has gotten a non-refundable and hard-to-trace financial donation or worse yet, access to your credit card information to use for other future purchases.”

If you’re approached via email, phone, or on the street by someone asking you to donate to a charity, make sure you double check that they will actually be donating your money, and not keeping it to fund their dream of becoming a cat fashion photographer. If you’re confused, check out Give.org, which compiles detailed reports on all legitimate charities, grading them on governance, effectiveness, finances, and solicitation efforts.

3. ‘Letter from Santa’ scams.

Scammers have been pulling this scheme on unsuspecting parents for a few years. According to the Better Business Bureau, this is how it works:

  • You get an email selling a “Handwritten letter from Santa to Your Child.” It encourages you to make your child’s holiday by purchasing “Santa’s special package” for $19.99.
  • You click on the link, and it takes you to a website. The site promises the special package contains an “official” nice-list certification and customized letter from Santa. There’s even a free shipping special that ends (not coincidentally) in just a few hours. You decide to purchase and enter your credit card information.
  • Don’t do it! In the best case, you are simply out the $19.99. In the worst case scenario, you just shared your credit card information with scammers, who can now use it for identity theft.
  • In another version of this scam, the site promises a free letter from Santa. It doesn’t request any credit card information, but it does require plenty of personal information, such as your full name, address, and phone number. These sites can then turn around and sell your personal information to spammers.

A much better option? Write your kid a letter yourself! It costs nothing, and you won’t be putting yourself at risk of identity theft in the process.

4. Holiday job scams.

If you need to make a little extra cash this holiday season, you may be on the lookout for a seasonal job. Many retailers hire temporary workers to handle the influx of shoppers stocking up on Christmas presents for friends, family, and the one coworker that they got in Secret Santa.

But don’t apply to every job you see without a second glance. Fake job scams can be used to steal your personal information, or even steal your hard-earned cash with the promise of future payback. Whether you’re job-hunting for a seasonal job or for something more permanent, it always pays to remember these tips from ZipRecruiter:

  • No legitimate job will ever make you pay money upfront. If a company is asking you to buy something or pay them for the cost of a background check or “training,” run!
  • Check online for information about the company. They should have a website and maybe some reviews on Glassdoor, LinkedIn, Google, or the BBB. If they’re not giving you their company name, they’re not legit.
  • Check the job description for typos and grammatical errors. If the job is real, they will have taken care to edit the job listing.
  • Don’t get suckered into high-pressure, snap-second “investments.” If something seems too good to be true, it probably is.

5. “Secret Sister” social media gift exchange scams.

Have you seen any posts like this one on your social media feed?

[Image: a “Secret Sister” gift exchange post]

These “gift exchanges” sound like a lot of fun. Buy one $10 gift and get back six to 36 of your own gifts? What a steal! Well, “steal” is right, because that’s exactly what’s happening here: you’re getting robbed. This is a modern-day example of the age-old practice of chain letters, which are actually illegal here in the U.S.

Heed this advice from the U.S. Postal Service:

“Chain letters don’t work. What’s more, if you mail chain letters, you could be committing a federal crime. The same law that prohibits lotteries applies to chain letters as well.”

6. Lookalike website scams.

Equifax, the scandal-ridden credit bureau whose lax online security compromised the personal information of millions of Americans, was recently in the news (again) for accidentally linking to a spoof website, designed to look exactly like the real thing.

Luckily for Equifax customers, the spoof website was made by someone who wanted to educate them on what Equifax was doing, but most lookalike sites have much more sinister intentions.

Scammers can create entire websites that look exactly like a legitimate retailer, in the hopes that you’ll mistake it for the real thing and provide them with your credit card number, address, and other personal info.

“If a fake website is designed well, then to the naked eye, most consumers may not be able to easily spot a fake from a real website,” said Ryan. “A fake website is successful if it has the ‘attention to detail’ to look like the real website that it’s designed to impersonate.”

However, Ryan says there are clues to be on the lookout for:

  • The site uses an incorrect URL: “The link in the email doesn’t match the real URL that you would otherwise directly type into your browser”
  • The site asks for your banking information: “Real institutions don’t ask for that as part of a web page login”
  • The site displays low-resolution images
  • The site is rife with misspelled words
  • The site is not a secure site, meaning it’s “HTTP:” and not “HTTPS:”
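The sender-address and link checks from the order confirmation section, together with the URL and HTTPS clues in this list, can be automated for a saved message. The following is an added example, not part of the original article: it assumes the email is available as raw text, uses target.com (the article's own example) as the expected retailer domain, and its function names and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class Hrefs(HTMLParser):
    """Collect the real destination (href) of every <a> tag, i.e. what hovering shows."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append(dict(attrs).get("href") or "")

def on_domain(host, retailer):
    """True only for the retailer's domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == retailer or host.endswith("." + retailer)

def check_confirmation(raw_email, retailer):
    """Return a list of (finding, value) pairs; an empty list means no red flags."""
    msg = message_from_string(raw_email)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not on_domain(sender.rpartition("@")[2], retailer):
        findings.append(("sender-off-domain", sender))
    parser = Hrefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href in parser.found:
        url = urlsplit(href)
        if url.scheme != "https":
            findings.append(("link-not-https", href))
        if not on_domain(url.hostname, retailer):
            findings.append(("link-off-domain", href))
    return findings

# Constructed sample message; example.net / example.org are reserved test domains.
SAMPLE = """\
From: "Target Orders" <orders@target.com.example.net>
Subject: Your order has shipped
Content-Type: text/html

<a href="https://www.target.com/orders">View order</a>
<a href="http://www.target.com/track">Track package</a>
<a href="https://target.com@example.net/invoice.zip">https://target.com/invoice</a>
<a href="https://target.com.example.org/login">Sign in</a>
"""

if __name__ == "__main__":
    for finding in check_confirmation(SAMPLE, "target.com"):
        print(finding)
```

An empty result is not proof of legitimacy: the visible From header can be forged, and a lookalike site can serve its pages over HTTPS.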

“Consumers should take the extra minute or two to think critically before they enter their personal information or make a purchase, and there are a couple of easy-to-spot clues,” said Long. “I would always err on the side of caution and skepticism before clicking a link, opening an attachment, or entering information on a site, no matter how innocuous it may seem, as it’s a lot harder and more costly to undo the damage of phishing scams and identity theft once they occur than it is to do your due diligence or to find a product or deal on a legit site.”

What can you do if you’re a victim of a holiday scam?

Despite our best efforts, sometimes the scammers come out victorious. But getting caught in a holiday scam doesn’t have to dampen your spirit. Long says anyone who thinks they’ve been the victim of a scam should reach out to the FTC and record a complaint.

“Although in many cases money lost can’t be recovered, victims can and should take steps to protect their identities and personal information going forward,” Long said. “Identity theft monitoring services are a good place to start—at the very least, keep an eye on credit reports and bank statements for signs of fraudulent activity. Update passwords and remove cached credit card info from any online shopping sites.”

Ryan listed a few more options for consumers who think they’ve been hit by a holiday scam:

But at the end of the day, Long says the best offense against holiday scams is a good defense:

“When it comes to scams and identity theft, prevention and precautions are the best protection!”

Have you been victimized by a holiday scammer? We want to hear from you! You can email us or you can find us on Facebook and Twitter.


Emily Long is a security expert with A Secure Life (@ASecureLife). She loves to geek out on new tech gadgets. When she isn’t writing about security and smart tech, she can be found teaching yoga, road tripping, or hiking in the mountains.

Lou Ryan brings over 20 years of executive leadership to his position as Executive Chairman of the Board at EdgeWave (@edgewave). Mr. Ryan became a member of the company’s Board of Directors upon completion of the merger of St. Bernard Software, Inc. with Sand Hill IT Security Acquisition Corp. in July 2006, and has served as Chairman of the Board of Directors since June 2008. Mr. Ryan’s extensive background in the technology industry includes roles as a co-founder and/or executive in several technology startups including Delrina and Living VideoText, which were both sold to Symantec Corp., and Entercept Security Technology, which was sold to McAfee Inc.
