Between Thanksgiving and the New Year, consumers are estimated to spend a staggering $143 billion, according to Adobe Analytics. All that money changing hands means that, now more than ever, cybercriminals will be targeting both you and the online retailers you trust. Some hackers, , infect merchants' websites directly with identity-stealing malware. Far more scams, however, try to lure you away from legitimate sellers to malicious sites or apps that often spoof familiar retailers like , or .
Recent research from RiskIQ lists nearly 1,000 apps using holiday-related terms that the security company deemed malicious, as well as over 6,000 apps infringing on copyrighted names and slogans from popular retailers to fool you into giving up your credit card number. RiskIQ also identified 65 fraudulent websites posing as popular retailers.
As always, your best defense against these kinds of schemes, scams, frauds and cons is to arm yourself with the knowledge to sniff them out when you encounter them. With that in mind, here's everything you need to know about (not) getting duped this holiday season.
4 holiday shopping scams to avoid in 2019: Phishing, pyramid schemes and more.See all photos
Fake websites and fraudulent apps go 'phishing'
In a phishing scheme, the victim receives an email or text message directing them to enter payment information or other personal details on a fraudulent website, which is often designed to look just like a legitimate site.
A recent survey by cybersecurity company McAfee reports that 41% of Americans fell victim to email phishing schemes in 2019. Unsurprisingly, a similar number -- 39% -- reported that they don't check email senders or retailer websites for authenticity.
To top it all off, 30% of respondents reported losses of $500 or more just in the last year alone.
If the data from RiskIQ is any indication, expect a surge in messages claiming to be from Amazon, Best Buy, Walmart, Target or other large retailers over the next few months. If you receive an email asking you to update your payment method or requesting other personal information, contact the company's help desk to make sure the email is legit before you do anything else.
- The sender's email address looks almost right but contains extra characters or misspellings.
- Misspellings and/or bad grammar either in the subject line or anywhere in the message.
- Addresses you with generic terms ("Mr." or "Ms." or "Dear Customer") instead of by name.
- The message warns that you need to take immediate action and asks you to click a link and enter personal details, especially payment information.
- The messages promise a refund, coupons or other freebies.
Credit card skimming goes all-digital
Credit card skimmers that steal your personal information when you swipe a credit or debit card at the ATM gas pump, or other payment kiosk, but is an example of that same technology deployed digitally.
Essentially, instead of using physical hardware to steal payment card numbers, hackers inserted malicious code directly on Macy's website to do the same thing with online payment information.
Regarding online credit card skimming, Tim Mackey, principal security strategist for Synopsis, a digital security company, warns, "There isn't an obvious way for the average person will be able to identify if or when a website has been compromised. The only potential tell-tale sign might be that the website itself doesn't quite look 'right.'"
Mackey suggests a few strategies consumers can use to protect themselves:
- Don't save your credit card information on retail sites.
- If possible use a third-party payment method like Apple Pay, Google Wallet or PayPal.
- Enable purchase alerts on all your credit cards.
- Disable international purchases on all credit cards.
- Only make purchases from your home or cellular network, never on public Wi-Fi where your payment could be intercepted.
Avoid the 'Secret Sister' gift exchange -- it's a pyramid scheme
Originating on Facebook sometime around 2015, this gift exchange among internet strangers plays off the popular workplace practice of "Secret Santa," a game where each person buys a present for one other, randomly selected person without anyone sharing their giftee. Instead, it's a pyramid scheme dressed up in holiday clothes, according to the Better Business Bureau. The "Secret Sister" exchange invitation promises you'll receive about $360 worth of gifts after purchasing and mailing a $10 gift for someone else.
Unfortunately, such bad math hasn't stopped this scam from resurfacing year after year. Not only will you probably be out 10 bucks when you don't receive any gifts in return, but the scheme also involves you forwarding personal details -- names, email addresses, phone numbers -- to people you've never met in person.
The Better Business Bureau recommends you deal with any request to become a Secret Sister by ignoring it -- do not give your personal details to online strangers. You can alsoor whichever social network you were approached on.
'Juice-jacking' fears may be overblown
The Los Angeles County District Attorney's office published a blog post earlier this month advising citizens not to use USB charging ports in public places like airports and shopping malls, warning hackers could install "juice-jacking" software that downloads malicious code on connected phones and tablets, granting the thieves access to your personal information.
Although that is theoretically possible, as the urban myth-busting website Snopes.com points out in a recent post, the likelihood of that actually happening to you is incredibly slim.
When TechCrunch contacted the LA County DA to ask how widespread the problem really is, the chief prosecutor's office could not confirm any actual "juice-jacking" cases on the books. One reason could be that most smartphones and tablets currently in use now have software in place to prevent exactly these kinds of attacks -- that's why your phone asks if you trust the connection when you plug it into a laptop or desktop to charge.
As long as shopping still exists, scammers and thieves will continue to try and rip you off. In the meantime, the best you can do is to stay ahead of their trickery and protect yourself with knowledge. For more strategies for getting through this fun but stressful season, check out our Holiday Survival Guide. We've compiled the best tips and tricks for , how to leverage your smart assistant to help manage holiday get-togethers whether you use or , as well as .
Originally published last month.