Don't Let Online Scammers Ruin Your Holiday Shopping

Cyber Grinches are on the prowl for online shoppers who don't protect their money and personal information.

Bree Fowler Senior Writer

The holiday shopping season is well underway, and like a lot of people, you're probably on the hunt for great online deals on those must-buy holiday gifts.

The rush to cross everyone off your list may have you ready to pounce on any offer. But security experts say you need to think before you pull out your credit card because scammers and other online Grinches want to take advantage of your haste.

This holiday season is already smashing shopping records. According to Adobe Analytics, American consumers spent $109.3 billion online between Nov. 1 and Cyber Monday, a 7.3% increase over the same period a year ago.

That's not entirely surprising, given the continued increase in online shopping. According to a survey by cybersecurity company McAfee, 76% of Americans planned to shop online this holiday season, and 30% said they planned to do more online shopping than in previous years.

Meanwhile, now that Black Friday and Cyber Monday are over, shoppers are well aware that with every day that passes, there is less time to get everyone crossed off their holiday lists. Couple that with tough economic conditions, including high inflation, and shoppers are ready to snap up anything that looks like a good deal.

Michael Jabbara, vice president and global head of fraud services for Visa, says cybercriminals want to capitalize on that behavior as they look to steal credit card numbers, log-in credentials and other personally identifiable information.

"You have this perfect confluence of events that make the holiday season a perfect time for fraudsters to strike," he said.

That can have dire consequences. Thirty-six percent of Americans polled in the McAfee survey reported being the victim of an online scam during a previous holiday season, and three-quarters of those victims lost money as a result.

That may seem daunting. But just as Rudolph's bright red nose lights the way for Santa Claus, a few basic precautions will help keep you safe from scams. Here are a few expert recommendations on how to shop safely for the holidays.

Check your list (and credit card and bank statements) more than twice

Keep an eye on your bank and credit card accounts. It's good not only for security but also for keeping track of your spending. 

You can make this task easier by limiting your holiday shopping to a single credit card and email address. Doing so will also reduce the risk of falling for a phishing scam if one comes to your other email accounts.

Don't use your debit card for purchases. Your bank will help you recover money if your account is compromised, but it's a lot easier to quickly get charges reversed when a credit card number is stolen.

Don't pay for your purchase with cryptocurrency. By design, crypto is intended to be anonymous and extremely hard to track. If someone steals it, it's probably gone.

Requests for payment with retail gift cards should also be looked at with suspicion. They also can't be tracked and can be easily converted into cash or merchandise by cybercriminals.

Don't be a feast for the phishers

Just like in past years, spam and scam emails are on the rise. Experts at the cybersecurity company Bitdefender said they've seen steady increases since the start of November, and they said they expected rates to continue to increase through Black Friday.

While the majority of the Black Friday-themed junk emails picked up by the company's filters between Oct. 26 and Nov. 13 were classified as spam from legitimate companies, 46% were scam-related, Bitdefender researchers said.

The fear is that shoppers could click on a link in a malicious email that would take them to a fake website that would then collect their personal or financial information, putting them at risk of financial fraud or identity theft.

Big jumps in phishing emails during the holiday shopping season aren't a new thing. What concerns experts most is that they've become more sophisticated and customized in recent years. As consumers have shifted toward online shopping, they have become aware of its risks, which has forced scammers to up their game, Jabbara said.

Low-cost automated technology can make phishing emails more natural sounding and more contextually relevant. On top of that, experts worry that the rise of increasingly powerful and available generative artificial intelligence tools will supercharge the scale and the perceived legitimacy of those emails.

Meanwhile, although security technology has also improved, it can't do much to stop people from clicking on things they're convinced are legitimate.


As in past years, many of the scam email campaigns spotted by Bitdefender so far this year impersonated big players in retail, including Amazon, Walmart, Target, Kohl's and Lowe's. Researchers from Bitdefender and fellow cybersecurity company Check Point also pointed to an uptick in scam emails promising shoppers amazing deals on luxury bags and accessories from brands like Louis Vuitton, Ray-Ban and Rolex.

Others have taken the form of shipping notifications complete with barcodes that look like they're from FedEx or UPS, something that online shoppers are used to receiving this time of year. The Federal Trade Commission recently issued a warning about these kinds of scams. It says consumers could put themselves at risk for identity theft or other cybercrimes if they click on a link in one of those emails, then enter their personal information into the scam website that the link takes them to.

If you have any doubt about an email's authenticity, go directly to the shipper's website and copy and paste the tracking number into it. Don't click on links or open attachments, no matter how tempting or urgent they might seem.

Just a heads-up: Phishing isn't limited to email these days. It also increasingly comes in the forms of text messages, social media posts, phone calls and even QR codes. If they're unsolicited, ignore those, too.

Is that Santa? Or just the Grinch in disguise?

Sure, you can Google around if the major retailers don't have what you want in stock, but make sure you're dealing with a legitimate business. Be especially skeptical of ads that pop up in your social media feeds touting amazing, limited-time offers.

Like the saying goes: If something seems too good to be true, it probably is.

"It's a bit cliche, but I think many of these crimes would be prevented if people just kept that in their heads," said Iskander Sanchez-Rola, director of privacy innovation for Gen, the company behind the Norton consumer security software.

An offer of a $200 iPhone, for example, may seem enticing, but shoppers need to stop and consider the legitimacy of that kind of deal before they hand over their personal information or credit card number, he said.

Be picky when it comes to gift cards

Some people are really hard to shop for, especially if you're running short on time, which might tempt you to pick up a gift card at your local drug store. But experts say cybercriminals are also looking to cash in on those cards before their recipients ever get a chance to use them.

Dan Woods, global head of intelligence for F5, which specializes in botnet protection, says thieves will take pictures of the numbers and barcodes on the backs of gift cards, then head to that retailer's "check balance" website, where they will use botnets to repeatedly bombard the site with PIN code guesses until they're able to log in to the card's account and steal its cash balance.

Retailers and other online businesses are under constant assault from botnets, Woods says, to the point where bots make up the vast majority of their website traffic. An F5 customer logged more than 6 billion botnet attacks in just a few weeks, he says, while another was forced to shut down its "check balance" website and replace it with a human-powered call center because bots kept crashing it. 

There's usually no way to tell whether a gift card's number has been stolen unless the criminal is brazen enough to have scratched off the PIN code's covering, but Woods recommends picking gift cards towards the back of the rack, or better yet, buying packaged cards where the number is covered.  

Elf on the Shelf isn't the only one watching, but does that really matter? 

The internet has changed a lot in recent years. Any site worth its salt is now encrypted, which means if someone did intercept your web traffic, for instance by logging onto the same Wi-Fi as you at the neighborhood coffee shop, it would be scrambled and useless.

For that reason, many security experts say a virtual private network, or VPN, which masks people's locations in addition to encrypting their data, is overkill for most folks.

But both Jabbara and Sanchez-Rola say that while the chance of the average person being attacked online by a cybercriminal is remote, there's always the chance that they could accidentally connect to a malicious Wi-Fi network, especially in busy places like a mall or airport. That could put their data at risk of being captured, but a VPN would prevent that.

Regardless, basic cybersecurity precautions, which you should be taking year round, are a must if you want to ward off a visit from a cyber Krampus.

Make sure your devices and online accounts -- bank and credit cards, email, social media, shopping website log-ins, and so on -- are locked down before you start shopping. Update your operating systems, antivirus software and all of your apps.

All of your online accounts need strong, unique passwords. If you need help, use a password manager. Two-factor authentication, which requires a second identifier like a biometric or push notification sent to your phone, should always be enabled when available. 

If you're still worried about the security of the free internet at your local store, use the cellular connection on your smartphone instead. It's a lot more secure than just about any Wi-Fi connection out there.