The Most Popular Holiday Online Scams—and How to Avoid Them

The holiday shopping season has officially begun. And as Americans ramp up their online purchasing, cybercriminals will do some shopping of their own—for victims.

Cyber fraud is rampant throughout the year, but crooks press even harder during the holidays, when people are often too distracted and frazzled to see through scams. And criminals are expert at exploiting the fears people have at this time of year—from lost packages to tight supplies to canceled flights.

“Coming into the holiday season, we are seeing a volume increase, and that will continue into January,” says Vikram Thakur, technical director of Symantec, a division of Broadcom Software. “People are looking to spend money, to get together with their loved ones and for deals. As these topical themes pop up, scammers know just what to say to take advantage of vulnerable people.”

Watch those emotions

Everyone is a potential patsy, especially as we fall under the spell of what behavioral scientists call holiday euphoria—that festive feeling that can induce impulsive behavior and exacerbate the all-too-human desire for instant gratification.

All of which means that people are more likely to visit unproven websites promoting incredible deals, use weak passwords or subscribe to internet-hosted mailing lists in the hope of scoring a discount—while inadvertently surrendering valuable data, says retired Brig. Gen. Greg Touhill, faculty member and director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University.

[Chart: Merry Grift-mas. Internet crime complaints reported to the FBI, as well as the losses associated with such incidents, have surged in recent years as cybercriminals ramp up their attacks. 5-year total complaints: 2.21 million. 5-year total losses: $13.3 billion.]

The current economic situation also brings new worries that hackers can exploit—such as the fear of supply-chain issues and a sense of urgency that what you want may be in short supply.

“Cybercriminals understand this mind-set and take advantage of every trick to gain access to your personal information, credit-card numbers or other data they can leverage later,” retired Brig. Gen. Touhill says. “They prey on human nature.”

Many crooked choices

Criminals have a cornucopia of scams from which to choose around the holidays.

One popular scheme, sometimes known as a discount scam, involves luring potential victims with an ad. The scammers know what you’ve been searching for online—often because they place cookies on your PC to track your activity—so they serve up a banner ad offering a coupon or sweet deal for that product.

Let’s say you click on a banner purporting to offer just the right leaf blower for Dad at a steep discount. You will land on a spoof site, like “,” that looks like the legitimate site. From there, the site either asks for personally identifiable information that criminals can sell on the black market, or it requests your credit card to purchase the item. You’re charged the full amount, but the item never arrives.

“You’re getting more discount offers this time of year, so that normalizes these discount cues, even if there is bad grammar in an email or a poorly designed website—obvious signs of a bad actor,” says Kelly Shortridge, senior principal product technologist at Fastly, a cloud-computing services provider.



Worse, the holidays are a time of increased spending, so it is easy to miss a bad charge on a credit-card statement, says Judith Bitterli, senior vice president of consumer monetization at security-software firm McAfee. Attackers can easily blend in with all that noise.

Also big this year is the shipping scam, sometimes called the


scam, in which criminals send an email or text telling you that your package has been delayed, but that you can get it expedited for a fee if you click on a link. They then steal your personal information along with your credit card.

Even security pros can get fooled. “I buy stuff from the U.S. often, and 50% of the time I have to pay value-added charges of 20% and customs of around 2.5% on top of the purchase price,” says Kevin Curran, professor of cybersecurity at Ulster University and co-founder of encryption-as-a-service provider Vaultree. “So, while I’m waiting for information about its arrival, by chance I get a text saying I have to pay some fee by clicking on a link, so I do.”

Losing money in a scam like that is bad, but worse, says the professor, is when criminals drop some malware on your phone or laptop when you click on a link. “We call those drive-by downloads. They are easy to install, and the bad guys can come back and get into your machine for whatever they want later.”

The gift-card scam is also proliferating, cyber experts say. This scheme takes advantage of the fact that gift cards act much like cash. They don’t have personal information attached to them the way credit cards do, so somebody can steal card information and use it with very little fear of getting caught.


It works like this: A criminal sets up an online store, or uses a platform like


“Either the seller only accepts gift cards, or they say, ‘There is a problem with your credit card, do you have a gift card you can use?’ Now they have an anonymous, untraceable gift card,” says Prof. Curran, adding that gift cards don’t have the same fraud protections as credit cards.

Two other major schemes pop up around the holidays: travel phishing and charity scams. The former might arrive in the form of an email stating that a booking has been canceled, sending you to a spoof site where you’re asked to enter your credit-card number to set up a new reservation. It might also be an email directing you to a clone site offering outrageous deals on a house rental, flight or hotel room as long as you hold your reservation with a deposit.

These are popular now because people are traveling again, but there is still lots of anxiety around ever-changing Covid-related restrictions, says Raj Samani, chief scientist for cybersecurity conglomerate McAfee Enterprise & FireEye.

The charity scam might target victims via social-media feeds, asking people to donate to an organization that turns out to be phony. “These still exist in the other 11 months of the year, but the messaging becomes more pointed toward the things we’d naturally be doing around the holidays,” says Mr. Samani.


Bad Behavior

These scams come as cybercrime is booming. According to the Internet Crime Complaint Center’s 2020 report, Americans reported more than $265 million in nondelivery scams, when consumers are charged for an item purchased online but it never arrives. They filed nearly another $130 million in losses related to credit-card fraud, $54 million in “smishing” campaigns—when bad actors send texts urging recipients to reveal personal information—and $4 million in charity scams.

There are lots of steps consumers can employ to protect themselves against cyber thieves. The easiest is to keep operating systems and software up-to-date, says Prof. Curran. Widely used software companies, like


send out patches monthly and promote their updates.

Double-checking that an email, social-media or text offer is legit is as easy as doing a quick search, says Symantec’s Mr. Thakur. “Those links often lead to websites that are pretty well made to mimic the brand at play,” he adds. If a site is purporting to be a well-known company like FedEx or


visit the site yourself rather than clicking through a potentially nefarious link.

In addition, before inputting any personal information, look to the left of the website address in the browser bar. If the website address begins with https, not just http, “that extra ‘s’ means that it uses a secure protocol for transmitting sensitive info like passwords, credit-card numbers and the like over the internet,” says McAfee’s Ms. Bitterli. “It often appears as a little padlock icon in the address bar of your browser.” It doesn’t guarantee the site is trustworthy, but not having it is a red flag. In addition, when on a site, be wary if you’re asked to update your password or account information. “Do not give your information to anyone unless you were the one who initiated the conversation,” Mr. Thakur says.

Mr. Samani advises consumers to check out review sites to be sure the discount they are being granted is the real deal. If only a handful of reviews exist, proceed with abundant caution; same if the evaluations are negative. A similar strategy can be employed for charitable organizations asking for donations: Search on GuideStar or Charity Navigator to ensure they are true organizations and head to their websites on your own, not through a link.

Damon McCoy, associate professor of computer science and engineering at New York University’s Tandon School of Engineering, whose research focuses on online scammers and cybercrime, advises shoppers and donors to pay only with a credit card, which usually offers fraud protection. “If you’ve been scammed, call your credit-card company, who will investigate and reverse fraudulent charges,” he says. That leaves little room for financial risk.

Other advice from the experts holds true with any suspicious online activity: Don’t give away personal information unless necessary, use strong passwords or log in as a guest to shopping sites and tether to your phone if using a laptop, rather than connecting to the public or open Wi-Fi network, where criminals lie in wait to harvest personal information. Don’t pay with hard-to-trace forms of payment, such as wire transfers, and use two-factor authentication for your most sensitive information, such as bank and credit-card logins. Check your credit-card statement daily during the holidays to isolate any strange purchases.

“And don’t sit on gift cards for too long, use them,” says Prof. McCoy, since crooks who scan magnetic strips while the cards sit on convenience-store racks can drain them, leaving them valueless.

Fastly’s Ms. Shortridge says that even though we are on high alert, the deluge of requests and notifications around the holidays can be overwhelming. So, slow down, update your systems, add two-factor authentication on your most important accounts—and don’t let potential scammers suck the fun from the season. “The joy you get when you find the perfect gift to give is the thrill of the holiday,” says Ms. Shortridge. “Approach the holiday shopping season with the wisdom of the serenity prayer: Be alert but try to single out the fraud you can control.”

Ms. Mitchell is a writer in Chicago.

Corrections & Amplifications
Website addresses that begin with https are considered to be more secure than those that use http, but they aren’t guaranteed to be trustworthy. An earlier version of this article incorrectly implied that sites beginning with https are safe. (Corrected on Dec. 7)

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.