2018 top holiday shopping scams and how to avoid them

November 30, 2018

One of the unfortunate consequences of the holiday season is the proliferation of scams targeting innocent shoppers. By putting a holiday spin on old tactics, crafty cybercriminals have proven remarkably successful at manipulating consumer buying behavior for ill-gotten gains. This year, we want to help you avoid these common holiday shopping scams and stop these modern-day Grinches before they steal your holiday cheer.

Site spoofing

Is that your favorite online retailer you’re shopping at or an imposter? Even amateur web designers can fake company logos and branding elements, creating a site that looks exactly like a trusted e-commerce site. You can, and should, scrutinize the URL, but even then, determining whether a site is legit or a well-designed fake can be tricky.

Cybercriminals often create subdomains that appear as if they roll up to the main site. So, instead of “,” it may say “” or “” Fake domains based on common misspellings of popular brand names are also common. When a shopper inadvertently misspells a retailer’s name, the fraudulent site loads in the web browser as expected. You can go through an entire e-commerce transaction and never realize you’ve surrendered your personal information.

First, be certain that you are on the merchant’s main site and not a subdomain. Second, make it a practice to bookmark the sites where you normally shop. This reduces the likelihood you will mistype a URL and wind up on a fraudulent landing page. Third, stay away from sites whose addresses begin with “http” rather than “https”; the “https” prefix indicates that the site uses extra security to prevent eavesdropping and tampering. Scams of this nature go by several names, including site spoofing, form-jacking and typo-squatting. Mobile browsers are particularly susceptible to spoofing since most devices can’t display the complete web address of a domain. These crimes are perpetrated year-round but are more common during the holiday shopping season.
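The URL checks described in this section, as an added example that is not part of the original article: a small Python checker that flags a non-https address, a trusted brand name used as a subdomain of an unrelated domain, and a near-misspelling of a trusted domain. The allowlist entries and sample URLs are constructed placeholders, and the "last two labels" rule for finding the main domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the main domains of shops the user has bookmarked.
TRUSTED = {"example-shop.com", "examplemart.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Assumption: naive "last two labels" rule. Production code should consult
    # the Public Suffix List so names under suffixes like co.uk are handled.
    return ".".join(host.split(".")[-2:])

def check_url(url, trusted=TRUSTED):
    """Return a list of warnings; an empty list means no check failed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    base = registrable(host)
    if base in trusted:
        return warnings
    brands = {t.split(".")[0] for t in trusted}
    subdomain_labels = host.split(".")[:-2]
    if any(b in label for b in brands for label in subdomain_labels):
        # Brand name sits to the left of an unrelated main domain.
        warnings.append("brand-in-subdomain")
    elif any(0 < edit_distance(base, t) <= 2 for t in trusted):
        warnings.append("possible-typosquat")
    else:
        warnings.append("unknown-domain")
    return warnings
```

An empty result only means none of these checks failed. A lookalike site served over https is caught by the domain checks, not by the scheme check.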

Fake apps 

In addition to site spoofing, cybercriminals often create fake mobile apps that mimic those from easily recognizable brands. Downloading the app introduces malicious viruses to your device. Other fraudulent apps ask you to log in using your social media credentials, which exposes confidential information to nefarious actors. Only download apps from official vendors like Google and Apple. Also, be suspicious of requests for access to your personal information, contacts, login credentials and credit card information. Finally, be on the lookout for poor grammar and misspellings in the app description—those can be a tip-off of a malicious app.

Gift-giving scams

Cybercriminals often seek to exploit victims’ generosity by creating gift-giving scams. Beware of “secret sister” gift exchanges, which are nothing more than an online version of a pyramid scheme. Here’s how it works: You receive an invitation to send one gift, with the promise of receiving more in return for enrolling others in the scheme. According to the Better Business Bureau and the U.S. Postal Service, online gift exchanges and similar invitations are illegal. Avoid them at all costs. And report them if you encounter them on social media.

Phishing emails

Phishing scams are another pernicious year-round threat that spikes during the holidays, as cybercriminals take advantage of shoppers on the lookout for discounts. Phishing emails often appear to be from a reputable merchant and promise deals that are too good to be true. The aim is to get victims to click on a link. Once they do, they open the door to malicious code that locks the device and its contents unless the user pays a ransom. Another variant solicits consumers to enter their personal information, which is then sold to criminal networks. Be sure to closely scrutinize holiday e-cards and invites. Make sure you recognize the sender before clicking on any links.

Shipping scams

The desire for timely delivery of packages creates an opportunity for cybercriminals to trick shoppers into giving up their personal information. Shipping scams start with an email containing a link to download a new shipping label, arrange a delivery time or reroute a package. Always look closely at the “from” line in emails. If you don’t recognize the sender, hover over the link with your cursor and see where it will take you. If you don’t recognize the URL, don’t click on the link. Contact the vendor and shipping provider separately to track the progress of your delivery.

Back up your systems

Aside from educating yourself about common holiday shopping scams, your best defense against cybercriminals is to protect the important data on your computer with a secure backup solution, such as Carbonite Safe or Carbonite Endpoint. Carbonite saves you from having to deal with cybercriminals to get your files back. If your computer becomes infected, a reliable backup solution will allow you to retrieve clean copies without paying a ransom. With backup, not only do you protect what’s important to you, but you also deprive cybercriminals of their primary source of revenue – and not just during the holidays, but all year-round.

