Don't Let Holiday Shopping Scams Steal Your Cheer: A Guide to Safe Online Shopping and Giving

The holiday season is a time for joy and generosity, but it's also a prime time for cybercriminals to prey on unsuspecting shoppers. Between gift buying and travel planning, the holidays can feel like a blizzard of activity! It’s easy to let your guard down if you feel crunched for time, pressured to have the perfect Christmas or just plain tired — and this makes you a target for cyber scams designed to steal your money, personal information and even your identity.

This year, before you click that tempting deal, donate to a cause or open that package notification, take a moment to arm yourself with knowledge. Understanding common holiday scams is your first line of defense.

What is phishing?

The internet is flooded with deals during the holidays. Black Friday, Cyber Monday and countless other sales events promise huge savings. However, beneath the surface of some of these seemingly great offers lurk malicious links designed to steal your data.

Phishing, based on the word “fishing,” is one of the most common cyberattacks. A scammer will put out “bait” — such as a fake holiday sale — to “catch” valuable information like your credit card number, passwords or more.

How it works:

Cybercriminals create realistic-looking websites or send emails disguised as popular retailers. These messages often feature:

• Urgent language: "Limited time offer!" or "Your cart is about to expire!" to pressure you into acting quickly.

• Deep discounts: Tempting prices designed to bypass your usual skepticism.

• Slightly altered URLs: A website address that looks almost identical to a legitimate one but has a subtle misspelling or an extra character. For example, "ebayy.com" instead of "ebay.com."

• Requests for personal information: Beyond just payment details, they might ask for your Social Security number, date of birth or other sensitive data, claiming it's for "verification."

What to do:

• Hover before you click: Before clicking on any link in an email or social media ad, hover your mouse over it (without clicking) to see the actual URL. If it looks suspicious or doesn't match the retailer you expect, don't click.

• Go directly to the source: Instead of clicking a link, type the retailer's official website address directly into your browser. This ensures you're on the legitimate site.

• Look for the padlock and "https": Always check for the padlock icon in your browser's address bar and ensure that the URL starts with "https://" (the “s” stands for secure). This indicates an encrypted connection.

• Be wary of unexpected emails: If you receive an email about a deal from a retailer you haven't subscribed to, it's best to delete it. Look out for other red flags like misspellings, urgent language or wrong URLs.

What is smishing?

Everyone knows that feeling of excitement when you see that your package has been delivered. But what if you get a text message claiming there's an issue with the delivery? These "smishing" (SMS phishing) scams are particularly effective during the holidays because so many packages are being shipped.

How it works:

You receive a text message, often from an unknown number, claiming to be from a major shipping carrier like FedEx, UPS or USPS. The message might state:

• "Your package has been delayed. Click here to reschedule delivery."

• "Your package requires additional shipping fees. Pay here to avoid further delays."

• "We were unable to deliver your package. Update your information here."

The link provided in these texts often leads to a fake website designed to harvest your personal information or install malware on your device.

What to do:

• Never click links in unexpected texts: Legitimate businesses rarely send unsolicited texts asking for personal information or payment via a link.

• Check tracking numbers directly: If you are expecting a package, use the official tracking number provided by the retailer. Go directly to the carrier's website and input the number there.

• Be skeptical of generic messages: Scammers often send out mass texts without knowing if you're actually expecting a delivery. If the message doesn't mention a specific package or tracking number you recognize, it's a red flag.

What are charity scams?

One of the best ways to celebrate the holidays is by giving back. Sadly, cybercriminals exploit this generous spirit by setting up fake charities. 

How it works:

Fake charities often:

• Mimic legitimate organizations: They create names and logos very similar to well-known charities to confuse donors.

• Pop up after major events: Following natural disasters or other newsworthy events, fake charities often emerge quickly to capitalize on public sympathy.

• Request unusual payment methods: They might ask for donations via gift cards, wire transfers or cryptocurrency, which are difficult to trace.

What to do:

• Research before you donate: Before giving, thoroughly research the charity. Use reputable sources like Charity Navigator or the Better Business Bureau's Wise Giving Alliance to check their legitimacy and financial transparency.

• Verify their website: Ensure that the charity's website is secure (https://) and looks professional. Be wary of sites with poor grammar, typos or generic design.

• Donate directly: Go directly to the official website of the charity you intend to support. Do not click on links in emails or social media posts.

• Avoid unusual payment methods: Stick to credit cards or checks for donations, as these offer more protection. 

What are gift card scams?

Gift cards are a popular and convenient present, making them a target for various scams.

How it works:

• Physical tampering: In stores, scammers might write down gift card numbers and PINs from cards on display, then wait for someone to activate and load money onto them. They then quickly use the funds online.

• Fake gift card generators: Websites claim to generate free gift card codes, but these are often scams designed to harvest your personal information or spread malware.

• "Activation" scams: Scammers might send you a fake gift card with a QR code or link, claiming you need to "activate" it, which then leads to a phishing site.

What to do:

• Inspect physical gift cards: When buying physical gift cards, carefully examine the packaging to ensure it hasn't been tampered with. Check that the PIN is covered and hasn't been scratched off.

• Buy from reputable retailers: Purchase gift cards directly from the retailer or a trusted third-party vendor.

• Activate cards promptly: Once you purchase or receive a gift card, activate it and use it as soon as possible.

• Be wary of links and QR codes. Don’t open unsolicited QR codes or visit an unfamiliar link. Search for the business’s legitimate website instead.

What are public Wi-Fi dangers?

During holiday travels or while out shopping, public Wi-Fi networks in coffee shops, airports and malls can be tempting. However, they are often unsecured and can expose your personal data.

How it works:

• Man-in-the-middle attacks: Cybercriminals can intercept data sent over an unencrypted public Wi-Fi network, allowing them to see what you're doing, including login credentials and financial information.

• Fake Wi-Fi hotspots: Scammers set up fake Wi-Fi networks with names similar to the ones of legitimate businesses. Once you connect, they can monitor your activity or even inject malware.

What to do:

• Avoid sensitive transactions on public Wi-Fi: Never do online banking, shopping or anything that involves personal or financial information when connected to public Wi-Fi.

• Use a VPN: A Virtual Private Network (VPN) encrypts your internet connection, making it much harder for others to intercept your data, even on public networks.

• Disable auto-connect: Turn off your device's automatic Wi-Fi connection feature to prevent it from unknowingly connecting to unsecured networks.

The ultimate protection: ProtectMyID® with Experian

Even with the best precautions, identity theft can still happen. Cybercriminals are constantly evolving their tactics, and a data breach at a company you interact with could expose your information even if you did nothing wrong. This is where identity theft protection becomes critical.

ProtectMyID® by Experian offers robust identity theft protection services that can help monitor your personal information, alert you to suspicious activity and assist in recovery if your identity is compromised. The good news for AAA Members is that this valuable protection is free with your AAA Membership.

With Experian, you can benefit from:

• Credit monitoring: View your open and closed credit accounts and get updates on important changes in your credit score.

• Fraud resolution support: Access dedicated fraud resolution agents who can guide you through the process of restoring your identity if it's stolen.

• Lost wallet assistance: Receive help canceling and reissuing credit cards and other important documents if your wallet is lost or stolen.

• Dark web surveillance: Get notified if your Social Security Number is found on websites known for illegally buying and selling personal information. 

These are just a few features of the free ProtectMyID® plan! If you’re looking for extra protection, consider our Deluxe and Complete plans as well.

Don't let the threat of holiday scams overshadow the festive season. By staying vigilant, understanding common threats and leveraging the powerful identity theft protection available through your AAA Membership, you can enjoy a secure and joyful holiday, confident that your personal information is well-protected. Happy holidays and safe surfing!