Security Spotlight: Avoiding Holiday Shopping Scams

November 21, 2016
Gretel Egan

Last updated: July 15, 2019

Though shopping scams tend to peak during the holiday shopping season—specifically around Black Friday and Cyber Monday in specific—cybercriminals and thieves work year-round to turn deal hunts into a score for themselves. With competition high among retailers and a wide variety of online and in-person buying options, it’s important to stay vigilant in order to protect your personal information and your hard-earned money.

Below, we outline a few perennial shopping scams, as well as some relative newcomers to the scene. Familiarize yourself with the warning signs associated with these hoaxes and our tips for avoiding them—and be particularly cautious during peak shopping seasons.

Phishing Scams: Fraudulent Shipping Notifications, Phony Offers, and More

Among cybercriminals’ favorite tools are fraudulent messages known as “phishing” emails. These scams use social engineering techniques that capitalize on human emotions like excitement, fear, and curiosity to trick email recipients into clicking malicious web links, revealing sensitive information, or downloading dangerous attachments. Phishing emails are easy to create, cheap to send, and frequently effective. Attacks like these commonly give cybercriminals access to payment card information, account login credentials, and other sensitive pieces of data.

Social engineers know that email inboxes are frequently flooded with many different kinds of messages. In November and December in particular, attackers recognize that email users are likely to see an influx of order confirmations, shipping notifications, and special offers. They take advantage of this increased traffic and pattern their malicious messages after legitimate emails, which makes it easier to trick recipients. And they are not shy about using big-name brands and logos—like Amazon, Apple, PayPal, FedEx, and others—to make things look more realistic.

Top Avoidance Tactic: Verify, Verify, Verify

Before you interact with a message that prompts you to do something—visit a website, download a file, or log into an account, for example—review it thoroughly. If you’re not sure a message is safe, it’s always better to err on the side of caution. Logos, ‘from’ addresses, and signatures are not proof of legitimacy; you must look deeper for confirmation.

Here are five questions to ask yourself about the emails you receive:

  1. Do I definitely know where this message came from?
  2. Does this message look—and sound—odd compared to others I’ve gotten from this sender in the past?
  3. Is this message confusing or does it mention an account or purchase that is unfamiliar to me?
  4. Is this message urging me to act quickly or trying to frighten me by mentioning problems with an account, purchase, or shipment?  
  5. When I hover over the ‘from’ address and web links, do I see something unexpected or something that seems suspicious?

If you can’t definitively confirm the message is legitimate—and even you’re just a little unsure— close out of the email; do not click a link or download a file. If you’re at work, report the message to your IT team. To confirm the information or offer you received, called a trusted number or visit a known website by typing the address into your browser.

Online Scams: Imposter Websites, Phony Charities, and More

Social engineers are practiced at the act of deception, and they know things that appear trustworthy are usually taken at face value. For example, they will buy online ads that link to login screens and web pages that look nearly identical to well-known sites. As with emails, you must look below the surface to ensure you don’t accidentally your valuable information over to scam artists.

There are two themes that fraudsters regularly tap into in order to trip up unsuspecting web surfers: Charitable donations and the pursuit of great deals or hard-to-find items. Though these two are at seemingly opposite ends of the spectrum, both are common practices, particularly during the holiday season. Since social engineers seek to take advantage of natural emotions, you can see why they choose to set up phony charities and create websites that claim to offer the must-have gifts that shoppers seek.

Top Avoidance Tactic: Stick With What You Know

The best way to avoid falling for online imposters is to restrict your online interactions to known, trusted websites and non-profit organizations, preferably those you’ve had personal experience with in the past. If you do decide to stray from the beaten path, be sure to do your research. Ask for friends’ recommendations (online reviews can be faked), and shop only on sites that offer secure, authenticated checkout.

Here are a few things to watch out for when shopping online:

  • Web addresses that don’t match what you expect to see – Scammers are very clever; they will use domains that are similar to trusted names, hoping to fool those who don’t look closely (shop-online-now.com instead of shop-online.com, for example).
  • Offers that are too good to be true – Granted, these can be harder to spot, especially during peak shopping seasons. However, even though many reputable companies offer aggressive sales, there is still a relatively clear difference between a great deal and an unbelievable deal. The latter, quite simply, should not be believed—particularly if you find it on a site you’re not familiar with. Learn to identify hallmarks of fraudulent sites, like luxury goods at very low prices or the ability to access a toy or electronic item that’s sold out everywhere else. You could end up buying counterfeit goods or paying for something you don’t ever receive.
  • Sites that ask you to pay by gift card, pre-paid debit card, or wire transfer – There are certain types of payment that cannot be tracked and cannot be undone on fraudulent sites, and gift cards, pre-paid debit cards, and wire transfers are a few of those. Fraud monitoring agencies have been warning of this practice since 2015, and these scams are of continuing concern. If a site requires you to pay using one of these methods, do not complete a transaction—and report the retailer to an agency like the Better Business Bureau (BBB).

Social Media Scams: Gift Exchanges, Fake Offers, and More

Social media is an excellent avenue for social engineers to distribute their scams—and unsuspecting users will often do it for them. Fraudulent links, stories, and offers (like free gift cards) have long existed on social media, but there’s a newer scam that has been making the rounds—one that actually illegal to participate in within certain countries.

The BBB has been warning the public about the emergence of social media gift exchanges, a pyramid scheme that promise 36 gifts in exchange for buying one small gift for a stranger. This is essentially an electronic version of mailed chain letters, and it’s been executed in many forms—$10 gift cards, books, jewelry, makeup, and the very popular "Secret Sister Gift Exchange" and "Secret Wine Bottle Exchange" that took Facebook by storm during recent holiday seasons.

Regardless of what participants are asked to buy, they are highly unlikely to receive any gifts back…though they could get more than they bargain for from a legal perspective. As the BBB cautioned, "According to the US Postal Inspection Service's gambling and pyramid scheme laws, gift chains like this are illegal and participants could be subject to penalties for mail fraud."

Top Avoidance Tactic: Steer Clear of Click Bait

On social media, the lure of “too good to be true” is frequent and strong. The tips shared in the earlier sections will also serve you well on these sites and apps. It’s important to remember that, without your engagement, social engineering scams can’t be successful. Your choices and decisions matter.

In-Person Scams: Delivery Fraud and Theft

Much is made of online schemes, but shopping hoaxes are not confined to the internet. Though there are a wide range of social engineering scams that rely on personal interactions, delivery theft and fraud have becoming particularly concerning.

Unfortunately, there are a number of reports of people stealing deliveries from porches and mailboxes each year, and the numbers continue to see an upward trend. According to a late-2018 survey commissioned by Comcast and conducted by Wakefield Research, nearly 25% of Americans said they’ve had a package stolen, and nearly 50% know someone who has been a victim of so-called “porch pirates.” The numbers are even higher among Millennials, with a third of survey respondents in this age group personally experiencing package theft, and nearly 60% indicating they personally know a victim of the crime.

It’s suspected that criminals make a regular habit of following delivery vans in order to identify their targets. Many thefts have been caught on security cameras, but this evidence rarely leads to an arrest. And though most retailers will refund or replace items in these cases—particularly when there is video proof—it can be a time-consuming process to get your money back (and frustrating if the purchased merchandise is no longer available).

But what about unexpected deliveries? Don’t just assume someone these are gifts from friends or loved ones. The BBB has warned of delivery hoaxes that are designed to steal credit card and debit card data from unsuspecting recipients. When packages are delivered to individuals, the courier claims to require a “small verification fee” to complete the delivery. Instead of processing a payment, a handheld scanner collects card data for the scammer to use later.

Top Avoidance Tip: Take Advantage of Delivery Safeguards

Whether you have a security camera or not, it’s a good idea to take advantage of protections offered by shippers. Try to schedule deliveries for days that you or someone else will be home, or have packages delivered to an office, delivery locker, or another location that offers more consistent security. Track your packages so you know when they will arrive, and consider having packages held at a shipping center, or use a signature service (which sometimes carries an extra fee) to ensure that items won’t be delivered when you aren’t around. Secure boxes are also an option … though anecdotal stories from consumers indicate that delivery personnel often fail to place packages in these receptacles, even when notes are left.

Bottom line: To avoid shipping scams during the holidays (and year round), make an effort to use known, reputable delivery services and to be proactive about protecting your purchases. Should you be asked to pay a fee to receive a package, refuse the delivery until you are able to confirm the shipment is legitimate.