14 online shopping scams to avoid this holiday season

Holiday shoppers beware: Here are sneaky ways that bad actors are trying to steal your money.

By Maryalene LaPonsie, U.S. News & World Report

It’s not your imagination. Scammers are getting harder to spot. AI and other technology make it easy for fraudsters to create polished messages that look like the real thing. They can even clone voices to make it sound like your bank or employer is on the other end of the line.

“While scams are common year-round, we’re more likely to fall victim at a time when we’re busy, stressed and preoccupied,” Mike Steinbach, managing director of financial crimes and fraud prevention at Citi, said in an email. “For many of us, that time is the holiday season.”

A quarter of consumers globally say they have been targeted by a scam when shopping online, according to the 2023 Cyber Safety Insights Report from security firm Norton. Half of the victims were caught up in online shopping scams while nearly a third fell for a phishing scam.

“Cyber scammers are utilizing readily available and existing data through social engineering to understand user behavior and gain access to credentials and assets,” Tami Hudson, a cybersecurity client officer at Wells Fargo, said in an email.

Here are 14 scams you might see fraudsters use this holiday season:

1. Sham order confirmations

Although no longer a new scam, emails about fake online orders continue to make the rounds. Victims receive an email that appears to be from a reputable retailer or a payment service like PayPal confirming a purchase.

If you receive an email like this and are concerned someone has gained access to your account, don't click any links in the email. Instead, go to the retailer’s or payment service’s main page, log into your account from there and check for any fraudulent activity.

2. Bogus shipping notices

A variation of fake order scams involves messages purportedly from FedEx, UPS or the post office that notify recipients of a delayed shipment. The message may include a link to track the package.

However, clicking the link could download a virus onto your computer. If you're expecting a package, visit the merchant site to receive tracking information rather than clicking a link in an email or text.

There's also an offline version of this scam involving missed-delivery notices left in mailboxes. Victims who call the number on the notice may then be asked to provide a credit card number or other information.

However, any request for payment or personal information is a clue that something's not right. You should never have to give your credit card information to receive a package or a piece of mail.

3. Fraudulent fraud alerts

Banks have become increasingly proactive when it comes to fraud detection, and some send texts or make calls when suspicious activity on an account is detected. Unfortunately, some scammers are replicating these contacts to gain access to accounts.

“They can call you as if they are your bank and that something is wrong with your account,” says Avi Turgeman, CEO of IronVest, which offers security and privacy services such as masked emails and single-use virtual cards.

Often, they will say they are sending you a one-time password in your email and ask you to read it back to them. In reality, the person on the line is trying to hack your account and needs the password to get in.

A legitimate bank representative will never ask for your password or two-factor authentication code, and you shouldn’t give out any other sensitive information such as your birthdate, account number or Social Security number to unsolicited callers. If you aren’t sure whether a call is real, hang up and dial your bank directly.

4. Shady email scams

Phishing scams are a tried-and-true method to steal personal information. They involve sending emails that look like official communications from trusted websites but are actually forgeries.

“It’s very easy for criminals to create convincing phishing scams,” says technology expert Burton Kelso.

AI has made it possible for scammers to avoid the signs of a scam – such as the clunky language in the emails from Nigerian princes promising you riches. Today’s emails may direct people to download apps that look legitimate but are harvesting data from unsuspecting users instead.

Other fake apps may use Open Authorization, known as OAuth, to connect to Google or Facebook accounts and access information there. Another common phishing scam involves emails warning that a failure to confirm personal details could result in an account being closed.

According to the Norton report, 32% of scam victims say email is the primary way in which they were contacted. The best defense against phishing scams is to never click links in an email. Instead, manually type the web address into your browser to visit the site. That way, you can confirm whether a requested action is legitimate.

5. SIM swapping

SIM swapping is a scam that involves multiple steps, according to Turgeman. It usually starts with phishing or a fraudulent phone call to gain information about a person. A criminal then uses that information to contact the victim’s wireless phone company to report their SIM card as lost or stolen.

If successful, the scammer will have the victim’s phone number transferred to another SIM card for a phone in their possession. Once they have that, they can use the phone to break into multiple accounts by requesting two-factor authentication codes to log in or reset passwords.

The best defense against this scam is to be vigilant of phishing emails and fake phone calls that harvest the information fraudsters need to convince a mobile carrier to transfer a number.

6. Cloned websites

Consumers need to be wary of all unsolicited emails they receive since it's easy for scammers to clone a website to make it resemble a site you know and trust. They may send you a sale coupon that, when clicked, takes you to a fake website that looks just like the real site.

Keep in mind, criminals aren't necessarily looking for your credit card information. The cloned site might simply ask you to log in and then redirect you to the real website so you never realize you were on a cloned page. Once a thief has your login credentials, he or she can access your account to make unauthorized purchases.

You can avoid cloned sites by paying attention to the URL address. Cloned site URLs will look similar to the site they're replicating but aren't exactly the same. For instance, scammers might use a web address like Amazon-12345.com if they are trying to trick people into thinking they are on Amazon.com. They may also use special characters that look similar to letters.

Even better, stop using the web to make online purchases. “Order directly from an online retailer’s app,” Kelso says. Many major retailers have apps, and these are a more secure way to shop from home.
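The URL check described in this section can be automated. The following is an added example, not part of the original article: it flags hostnames that paste a trusted brand into another domain (the Amazon-12345.com case) or that differ only by look-alike characters. The allowlist, the small character map and the "last two labels" rule are assumptions made for illustration.

```python
import unicodedata

TRUSTED = {"amazon.com"}  # assumption: domains the shopper really uses

# Constructed sample map of look-alike characters (Cyrillic, Greek, digits).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u03bf": "o",
                             "0": "o", "1": "l"})

def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    return ".".join(host.split(".")[-2:])

def to_unicode(host):
    # Decode punycode labels (xn--...) so hidden non-ASCII letters show up.
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label as it is
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    # Fold accents and known look-alike characters down to plain ASCII.
    folded = unicodedata.normalize("NFKD", host).translate(CONFUSABLES)
    return "".join(ch for ch in folded if not unicodedata.combining(ch))

def classify(host, trusted=TRUSTED):
    host = to_unicode(host)
    if registrable(host) in trusted:
        return "trusted"
    skel = skeleton(host)
    for good in trusted:
        brand = good.split(".")[0]
        if registrable(skel) == good:
            return "lookalike"  # differs only by look-alike characters
        if brand in skel.replace("-", ".").split("."):
            return "lookalike"  # brand name pasted into another domain
    return "unknown"

if __name__ == "__main__":
    for h in ("www.amazon.com", "Amazon-12345.com", "amaz0n.com", "example.org"):
        print(h, "->", classify(h))
```

A result of "unknown" only means the host matched none of these patterns; it is not a verdict that the site is safe.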

7. Fly-by-night businesses

It’s not hard to set up a website nowadays, and the holiday shopping season is a perfect time for scammers to set up shop and advertise on social media. They may promise deep discounts on fabulous items to encourage sales.

To avoid sending your money to a criminal who has no intention of shipping out the goods, do some research first. “If you’re buying from a company for the first time, check for reviews of that company or seller to confirm that it’s a legitimate business,” Steinbach said.

8. Disappearing packages

Not every holiday scam happens online. Some criminals steal the joy of the season by swiping deliveries from front porches. They may cruise through neighborhoods looking for deliveries left while residents are at work.

Installing a home security camera could help law enforcement identify and catch the thieves, but it might be easier to make arrangements so your packages won't be left unattended by the door.

For instance, Amazon offers several special delivery options. Those with Amazon Key smart lock systems can have packages delivered directly to a vehicle trunk or inside a house. There are also Amazon Hub Lockers at various locations throughout the country, which can receive packages for you to pick up at your convenience. For other retailers, having packages delivered to a workplace may be a more feasible option.

9. Fake charities

The spirit of the season makes people feel generous, and scammers capitalize on that. They may create fake GoFundMe pages for a seemingly good cause or impersonate legitimate charities on the phone.

"Charity scams increase in popularity this time of the year,” Chad Hetherington, vice president of global services at NICE Actimize, a financial crime and fraud solutions provider, said in an email.

"While there are many legitimate, worthy organizations, consumers need to be on the lookout for imposters, fake web sites and robocalls (that) sound like charities (but) are clearly scams," he added.

To avoid charity scams, be deliberate about your giving. Do your research and don't make phone donations to unsolicited callers. Any request to wire money overseas should be a red flag.

10. Sob stories on social media

Social media sites make it easy for people to share appeals for financial assistance, and that can make it a breeding ground for scammers. As the holidays approach, be aware that not every story shared on social media is true.

The most glaring example of this is a couple who raised more than $400,000 on the crowdfunding platform GoFundMe in 2019 using a false story about helping a homeless man, which was reported on CNN. Both the couple and the man were prosecuted for the scam when it came to light.

If you want to give money to a GoFundMe account, it may be best to stick to those with a personal or local connection. That way you can verify that the organizer is authorized to raise money for the recipient.

11. Unreal relatives in distress

Although not limited to the holidays, another common scam involves fraudsters impersonating a relative facing a crisis. Seniors are commonly targeted, and they may get a call allegedly from a grandchild in trouble. This child may have supposedly been arrested or have some other urgent need to have money wired to them.

If you get a call like this, hang up the phone and call a family member to confirm. Be equally cautious about emails outlining similar scenarios, such as a relative whose wallet and passport have been stolen while traveling. Make contact with the relative through another channel before offering any financial assistance.

Another sign that this is a scam: if the person on the other end of the line insists on cash or gift cards for payment.

"Generally speaking, scammers prefer to get paid in methods that lack traceability,” Hudson said. “Scammers rarely prefer credit cards because the transactions are tracked.” Instead, they want gift cards that can be easily redeemed or sold for cash.

12. Phony classified ad listings

Scams on Craigslist, Facebook Marketplace and similar online venues can be a problem year-round. Always meet in a public place to make a transaction and test any electronic devices before paying. The lobby of a local police department or city hall can be a good meeting place.

In the past, if a seller posted an item on a local classifieds site but said it needed to be shipped, that would be a red flag. Now, however, shipping items is acceptable on Facebook Marketplace and similar sites. Still, to avoid possible scams, it may be best to stick to purchases from people you can meet locally.

If you do opt to have something shipped, be sure to vet the person selling. If you are buying on Facebook, check the person’s profile to see if they have an established presence. An empty profile that was just created could signal a fake account. So too could a long-dormant account that is suddenly selling a flurry of items. And walk away if the seller wants you to cash a money order or cashier's check and wire money to another party.

“Quite frankly, there may not be a ‘safe’ way to shop private party social media or online marketplace purchases,” Hetherington said. “So, use your credit card – and a digital account number instead of the real card number. If there’s a scam, it’s easier to pursue your complaints through the chargeback process.”

13. Intercepted data

Think twice before doing your Christmas shopping on the public Wi-Fi network at the library or coffee shop. Hackers in the area can intercept data over public systems, giving them access to account passwords, payment information and more.

And don’t assume that just because you shopped from a public Wi-Fi in the past without incident that you are in the clear.

"Sometimes the fraud doesn’t happen (right away),” Turgeman says. "It can have an impact on you six months later.” That’s because your information wasn’t used immediately but rather sold on the dark web for others to use in the future.

While home networks are often more secure, they too can be prone to breaches. Use a virtual private network, or VPN, to add a layer of encryption and protection to all your browsing and online shopping activity.

14. Card skimming and shoulder surfing

While more than half of U.S. consumers planned to do the majority of their holiday shopping online last year, according to Norton, many people still buy gifts in brick-and-mortar stores. Don’t let your guard down there.

“Credit card skimmers are still a huge thing,” Kelso says. Scammers affix physical attachments to card readers to steal data during a transaction.

Shoulder surfing is also a problem: criminals may peer over your shoulder to see your PIN and then physically steal your card and use it. Kelso advises against ever using your PIN at the register since people nearby can observe you entering it.

Using touchless payment methods such as tapping a card or using a digital wallet can be an effective way to avoid both card skimming and shoulder surfing scams, according to Kelso.

Copyright 2024 © U.S. News & World Report L.P.