Ready or not, the holiday shopping season is in full swing. Criminals are rolling out new holiday scams (as well as some old favorites) to steal your hard-earned money. Holiday scams are widespread and very effective. In fact, one survey found that 75% of respondents were targeted or experienced holiday-related fraud.
According to the 2021 report from the FBI’s Internet Crime Complaint Center (IC3), the top two holiday scam types resulted in $337 million in losses. When you consider that in 2021 the USPS alone accepted 13.2 billion letters, cards, flats, and packages for delivery between Thanksgiving and New Year’s Eve, the holiday shopping season is packed with purloining potential.
Read the tips below and share these with your friends, family, and colleagues to keep everyone safe from holiday scams in 2022!
Holiday Scams to Watch For in 2022
1. Package delivery scams. This scam tops the list again in 2022. Online holiday shopping in the US is projected to increase roughly 6% in 2022, rising to $224 billion, and that means an increase in package deliveries. Unfortunately, cybercriminals target online shoppers by spamming unsuspecting consumers with fake package delivery emails, redirection requests, fake tracking links, and more.
How does this work? Cybercriminals text or email you about your upcoming package delivery. They may ask you to verify your address, update your preferences, or even click a “tracking link” that sends you to a phishing site. Other scammers will email you that they have discovered a package meant for you or even leave a missed package slip on your door. They will tell you that you need to contact them to confirm your details for delivery or schedule re-delivery.
There are also some frighteningly realistic delivery service phishing emails branded as USPS, UPS, DHL, or others, complete with logos, buttons, and convincing scenarios. The stories vary: for example, criminals may claim that the delivery service could not deliver the package and the customer needs to click the link to update the address or pay a small re-delivery fee. All of these scams end with a criminal installing malware onto your computer or stealing your personal and/or financial information.
How do you avoid these scams?
- Think before you click or call! Don’t click the links in emails or provide information to a caller without checking. Stop and think before taking action—scams are rampant, so you should always be suspicious.
- Learn how to spot a phishing email or text. There are several red flags that can tip you off that it could be a scam. Beware of spelling and grammar errors, emails that are marked “urgent,” unusual requests, and more. You can read this free tip sheet on How to Spot a Phishing Email for more information.
- Always verify contact information before responding to an email or calling a number that is listed in an email, voicemail, package re-delivery slip, or text. These can be fake and connect you directly to the criminals. The friendly criminal may ask you to provide your personal information, the credit card number used for your purchase, and any other questions that can help them steal your identity or fraudulently use your credit card. To verify the legitimacy of a message, call a number you know is from a trusted source, such as the phone number on your last statement. You can also type in the sender’s website address directly instead of clicking or use a verified link from a search engine to get their web address or phone number.
- Verify phone callers. Many criminals will call you, posing as customer service representatives, IT, or similar roles. Don’t trust people that call you, even if they sound friendly or provide you with sensitive data. The criminals may have already stolen your SSN or hacked into your bank account and are calling to get additional information to finalize their scam. Instead, ask the caller for their full name and tell them that you are going to hang up and call back. Then, call a number you know is legitimate (see above).
2. Online purchase scams. Cybercriminals are all too happy to take your money in exchange for nothing if you make a purchase on a scam website! So, there’s an amazing deal on a fancy new coffeepot… but how do you really know the seller is legitimate? Cybercriminals set up fake e-commerce sites and seller profiles, especially during the holiday season. They even run ads on Google, Facebook, and other social media sites. Their goal is to take your money and run without the hassle of ever shipping a product. According to the Better Business Bureau, fake online purchase scams account for more than a third of the scam reports they receive.
Hackers also clone the e-commerce sites of popular brands to lure unsuspecting shoppers to enter their payment information or sensitive data. According to Check Point, the two most commonly spoofed sites are Microsoft and Amazon. These fake emails and websites can look very convincing and offer you special deals, subscriptions, and more. When you enter your personal or payment information, you fall victim to the scammer, and your data and/or money is stolen.
To prevent these scams:
- Verify the seller through third-party sites, ratings, and more. One resource is the Better Business Bureau’s Scam Tracker, which lets you search their database of reported scams. Even with top brands, vet every seller by checking links, sales and return policies, and seller reputation to avoid cloned sites or scammers.
- Look for signs it could be a scam. Check for deep discounts (yes, we know this is disappointing, but if it sounds too good to be true, that’s a red flag), grammar errors, and awkward wording, as well as missing return policies, contact information, or “About us” pages.
- When in doubt, go with the reputable brand and a confirmed link—it’s not worth risking your money and information.
3. Fake charities, social media scams, and bogus gift exchanges. Social media sites are a hotbed of scams. Criminals are setting up fake charity donation sites, GoFundMe causes, investments, or work opportunities, and even breaking into social media profiles to share the scam with YOUR friends and family. In 2021, more than 95,000 people reported $770 million in fraud losses involving social media sites. Only a small portion of social media scams are reported, so it’s likely this is only a fraction of the actual fraud. In these scams, criminals will ask you to donate money or sign up online for a small $10 gift exchange. You can then end up sending money or gifts to the criminals, in addition to giving them your personal information. Beware of any requests from friends for money or gifts, or even an offer of links to reset your password through social media messages.
How to prevent these scams:
- Verify any requests. If a gift exchange or donation request post appears in one of your contacts’ feeds, call your friend or relative directly to confirm if these stories and requests are legitimate.
- Use multi-factor authentication (MFA) and a password manager on all your accounts to reduce the risk of attackers getting access to your social media accounts and information. Read this MFA tip sheet for more information.
- Always research companies and organizations before you donate. Use third-party review sites, the Better Business Bureau, and charity trackers (such as Charity Navigator or Wise Giving Alliance) to verify organizations. When in doubt, it’s better to pay slightly more and order from a reputable seller.
- Check the URL and charity name before donating. Scammers clone charity pages and use a similar web address of a trusted brand name to trick you into providing your information.
- When in doubt, use a third-party payment service like PayPal to make it easier to dispute the charges and get a refund.
4. Gift card scams. Gift card requests are a popular scam that can target you at home, as well as in the office. Criminals will email or call, asking you to pay a bill/fee, claim a prize by purchasing a gift card, or even buy and send it to pay a fine for a relative. You should never pay any personal bill or fee or send payments using gift cards; this is almost always a scam. At work, you should be wary of the traditional office gift card scam. In these scams, a criminal impersonates your CEO or another executive and sends emails or text messages to a staff member asking them to purchase gift cards. The cards are supposedly a “reward” for employees or a holiday surprise for the office, meaning that the victim is often asked to keep the purchase secret. The victim sends the card details to the scammer who steals them for a big holiday bonus.
How to prevent this scam:
- Ensure everyone in your office knows about common gift card scams and knows to verify requests for gift card purchases via phone before responding.
5. Be careful when using Craigslist, Facebook Marketplace, and other person-to-person sales sites. Everyone wants a deal. Scammers know this and often list hot items at steep discounts or pretend to be interested buyers. They may try to hack into your account by asking you to “verify your identity.” Here’s how the scam works. They will explain that they’ll send you a code and ask you to email or text it to them to verify your identity. Do not send the code. They will use the authentication code to reset your account or access your phone’s SIM card to steal access and information.
Another popular tactic is the overpayment scam. When you’re selling an item, the buyer accidentally writes you a check or presents a money order for more than the purchase price and asks you to give them a check or cash for the mistaken overage. Don’t fall for it. The payment is usually a forgery. You’ve refunded them legitimate money, but the check or money order will be flagged as fraudulent by the bank.
How to prevent this scam:
- Check for signs that this is a scam.
- Don’t send the code and stop speaking with the seller.
- Don’t provide cash or check refunds. If the check or money order is wrong, ask for cash. If they can’t provide cash, move on to another buyer.
We hope you find these tips helpful, and we wish you a happy, healthy, and safe holiday season!
This blog is distributed with the permission of LMG Security.