
4 scams to avoid this holiday shopping season: Phishing, pyramid schemes and more

Phony gift exchanges, virtual card skimmers and other digital traps are set and waiting for you when you shop online.


The key to staying protected is staying alert.

James Martin/CNET
This story is part of Holiday Survival Guide 2019, featuring tips on the best ways to manage the holiday season.

Consumers are estimated to spend a whopping $143 billion throughout the 2019 holiday shopping season, according to Adobe Analytics, and all that money changing hands means cybercriminals will be targeting both you and the online retailers you trust, now more than ever. Some hackers, like the ones who struck Macy's in October, infiltrate merchants' websites directly. Many more scams, however, are designed to lure you away from legitimate sellers and steer you toward malicious sites or apps that often spoof familiar retailers like Amazon, Best Buy or Walmart.

Recent research from RiskIQ identified nearly 1,000 apps using holiday-related terms that the security company deemed to be malicious, as well as over 6,000 apps infringing on copyrighted names and slogans from popular retailers to reel in unsuspecting victims. RiskIQ also uncovered 65 websites posing as popular retailers in an attempt to fool you into giving up your personal information.

As always, your best defense against these kinds of schemes, scams, frauds and cons is to arm yourself with the knowledge to sniff them out when you encounter them. With that in mind, here's everything you need to know about (not) getting duped this holiday season.


The "Secret Sister" gift exchange, which originated on Facebook in 2015, is little more than a pyramid scheme.

Angela Lang/CNET

Fake websites and fraudulent apps go 'phishing'

In a phishing scheme, the victim receives an email or text message directing them to enter payment information or other personal details on a fraudulent website, which is often designed to look just like a legitimate site.


According to cybersecurity company McAfee, over a third of all Americans have fallen victim to phishing schemes in the last year.

McAfee

A recent survey by cybersecurity company McAfee reports that 41% of Americans fell victim to email phishing schemes in 2019. Unsurprisingly, a similar number -- 39% -- reported that they don't check email senders or retailer websites for authenticity.

To top it all off, 30% of respondents reported losses of $500 or more just in the last year alone.

If the data from RiskIQ is any indication, expect a surge in messages claiming to be from Amazon, Best Buy, Walmart, Target or other large retailers over the next few months. If you receive an email asking you to update your payment method or requesting other personal information, contact the company's help desk to make sure the email is legit before you do anything else.

Other ways to identify a phishing email, according to the Federal Trade Commission and StaySafeOnline.org, include:

  • The sender's email address looks almost right but contains extra characters or misspellings.
  • Misspellings and/or bad grammar either in the subject line or anywhere in the message.
  • Addresses you with generic terms ("Mr." or "Ms." or "Dear Customer") instead of by name.
  • The message warns that you need to take immediate action and asks you to click a link and enter personal details, especially payment information.
  • The messages promise a refund, coupons or other freebies.
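
The warning signs listed above can be turned into a simple mail-triage check. The following Python sketch is an added example, not part of the original article: it tests four of the five signs (spelling and grammar checking is left out), and the retailer domain list, keyword patterns and sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: sending domains for the retailers the article names.
KNOWN_DOMAINS = ["amazon.com", "bestbuy.com", "walmart.com", "target.com"]
GENERIC_GREETING = re.compile(r"^\s*dear (customer|mr\.?|ms\.?)\b", re.I | re.M)
URGENCY = re.compile(r"\b(immediately|urgent|suspended|within 24 hours)\b", re.I)
FREEBIE = re.compile(r"\b(refund|coupon|free gift|gift card)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_of(sender):
    """Return the retailer domain a sender address imitates, or None."""
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return None  # exact match or a genuine subdomain
    base = ".".join(domain.split(".")[-2:])  # naive registrable domain
    for known in KNOWN_DOMAINS:
        # near-miss spelling, or the brand name padded with extra characters
        if edit_distance(base, known) <= 2 or known.split(".")[0] in domain:
            return known
    return None

def phishing_indicators(sender, subject, body):
    """List which of the warning signs above a message shows."""
    text, hits = subject + "\n" + body, []
    imitated = lookalike_of(sender)
    if imitated:
        hits.append("lookalike sender (imitates %s)" % imitated)
    if GENERIC_GREETING.search(body):
        hits.append("generic greeting")
    if URGENCY.search(text) and "http" in body.lower():
        hits.append("urgent call to click a link")
    if FREEBIE.search(text):
        hits.append("promises refund or freebie")
    return hits

# Constructed sample messages, not real mail.
SUSPECT = ("Amazon <billing@amaz0n.com>", "Urgent: update your payment method",
           "Dear Customer,\nYour account will be suspended. Act at http://example.test/pay")
GENUINE = ("Amazon <order-update@amazon.com>", "Your order has shipped",
           "Hello Dana,\nYour package is on the way.")
print(phishing_indicators(*SUSPECT))
print(phishing_indicators(*GENUINE))
```

The brand-substring test is deliberately broad and will flag unrelated domains that happen to contain a retailer's name, so treat a hit as a reason to verify the sender rather than as proof of fraud.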

Credit card skimming used to require physical hardware, but now hackers are inserting malicious code directly on retailers' websites to steal customers' credit card information.

James Martin/CNET

Credit card skimming goes all-digital

Credit card skimmers that steal your personal information when you swipe a credit or debit card at the ATM, gas pump or other payment kiosk have been around for well over a decade, but October's attack on Macy's is an example of that same technology deployed digitally.

Essentially, instead of using physical hardware to steal payment card numbers, hackers inserted malicious code directly on Macy's website to do the same thing with online payment information.

Regarding online credit card skimming, Tim Mackey, principal security strategist for Synopsys, a digital security company, warns, "There isn't an obvious way the average person will be able to identify if or when a website has been compromised. The only potential tell-tale sign might be that the website itself doesn't quite look 'right.'"

Mackey suggests a few strategies consumers can use to protect themselves:

  • Don't save your credit card information on retail sites.
  • If possible, use a third-party payment method like Apple Pay, Google Wallet or PayPal.
  • Enable purchase alerts on all your credit cards.
  • Disable international purchases on all credit cards.
  • Only make purchases from your home or cellular network, never on public Wi-Fi where your payment could be intercepted.

Avoid the 'Secret Sister' gift exchange -- it's a pyramid scheme

Originating on Facebook sometime around 2015, this gift exchange among internet strangers plays off the popular workplace practice of "Secret Santa," a game where each person buys a present for one other, randomly selected person without revealing who their giftee is. In reality, it's a pyramid scheme dressed up in holiday clothes, according to the Better Business Bureau. The "Secret Sister" exchange invitation promises you'll receive about $360 worth of gifts after purchasing and mailing a $10 gift for someone else.

Unfortunately, such bad math hasn't stopped this scam from resurfacing year after year. Not only will you probably be out 10 bucks when you don't receive any gifts in return, but the scheme also involves you forwarding personal details -- names, email addresses, phone numbers -- to people you've never met in person.

The Better Business Bureau recommends you deal with any request to become a Secret Sister by ignoring it -- do not give your personal details to online strangers. You can also report the invitation to Facebook or whichever social network you were approached on.


The Los Angeles County District Attorney's Office posted a video warning residents of so-called "juice-jacking" malware on public USB charging stations despite having no such cases on the books.

Screenshot by Dale Smith/CNET

'Juice-jacking' fears may be overblown

The Los Angeles County District Attorney's office published a blog post earlier this month advising citizens not to use USB charging ports in public places like airports and shopping malls, warning hackers could install "juice-jacking" software that downloads malicious code on connected phones and tablets, granting the thieves access to your personal information.

Although that is theoretically possible, as the urban myth-busting website Snopes.com points out in a recent post, the likelihood of that actually happening to you is incredibly slim.

When TechCrunch contacted the LA County DA to ask how widespread the problem really is, the chief prosecutor's office could not confirm any actual "juice-jacking" cases on the books. One reason could be that most smartphones and tablets currently in use have software in place to prevent exactly these kinds of attacks -- that's why your phone asks if you trust the connection when you plug it into a laptop or desktop to charge.

As long as shopping still exists, scammers and thieves will continue to try and rip you off. In the meantime, the best you can do is to stay ahead of their trickery and protect yourself with knowledge. For more strategies for getting through this fun but stressful season, check out our Holiday Survival Guide. We've compiled the best tips and tricks for de-stressing after marathon shopping sessions, how to leverage your smart assistant to help manage holiday get-togethers whether you use Google Home or Amazon's Alexa, as well as how to eat healthily without skipping dessert.

Originally published last month.