'Tis the season for joy, cheer... and cyber scams.
As the holiday shopping season kicks into high gear, cybercriminals are gearing up too. While shoppers fill their carts with gifts, cybercriminals are filling their toolkits with their most convincing cons.
Studies have shown that one in three Americans have fallen for a scam during this period. According to McAfee’s 2024 Global Holiday Shopping Scams Study, 58% of victims have lost money to these scams. Around $95.2 million in losses was reported to the Federal Trade Commission between October through December last year.
One must think, why is there such an increase in phishing during this holiday period? The answer is simple - human emotion. As the year winds down, employees juggle year-end deadlines while mentally shifting into holiday mode. This change in emotions makes it more likely for people to click on malicious links or make hasty decisions.
And now with the rise of AI, phishers have come up with new tricks to lure the casual internet user. Let’s take a look at everything you need to know to keep yourself secure during this high-risk season.
A $1000 gift card from your boss via email? Sounds like you got that performance bonus? Well, look closer. Just as a fish that gets baited with a plastic worm, you just got ‘phished.’
To simply put it, phishing is when a stranger pretends to be someone you trust in order to persuade you to share personal information you’d only give someone you’d trust. Originally conducted purely by email, now, with the advancements in AI, they are also done via fake web pages, 2FA services, phone calls, and anywhere else where you may have secrets someone else may want to exploit.
Phishers pick up a domain name with a common typo of a popular website, then make their site look exactly like the real one.
It’s no surprise that phishers are taking advantage of the holiday season and everyone’s eagerness to save money. Last Christmas, people in the UK were scammed out of more than £11.5m, figures show, almost £1m more than in the same period in 2022. The number is expected to rise this year.
Knowing the common types of phishing attacks during the holiday season can help you stay secure. Here’s what to watch for:
In 2024, Email Phishing will be the most common form of phishing. The attackers send you a legitimate looking email which in reality, isn’t. It is designed in a way to lure you to share personal information in the form of a reply or lure you to a fake website to steal your data.
And now with AI, attackers can now generate well-crafted mass-marketed emails complete with logos, fonts, and designs that mirror legitimate sellers. These realistic-looking emails make large-scale attacks more effective than ever before.
Example: Cybercriminals sent phishing emails disguised as promotional messages from a popular retailer with a massive discount. These emails contained malicious links and attachments designed to steal personal information or infect devices with malware.
Have you ever come across those “Spin the Wheel to Win a Free iPhone 16!” pop-ups? They’re a classic example of pop-up phishing. Pop-up phishing often uses a pop-up about an offer that tricks you into clicking. Once you do, you’re often redirected to download a file—only to discover its malware disguised as your "reward."
You get a call from someone claiming to be your bank representative. They inform you that your recent transaction for that 90% discount SmartTV didn’t go through and urgently ask you to share the OTP you just received. Would you share it? If the answer is yes, congratulations—you’ve been phished.
This is a textbook social engineered phishing attack where phishers rely on psychological tactics, to create a sense of fear to pressure you into revealing personal information.
Smishing, which is phishing via text message, has become common in the recent years. During the festive season, attackers get really creative by creating messages that are hard to resist. Whether it’s a fake delivery notification or a too-good-to-be-true holiday offer, these scams aim to exploit the convenience of SMS to catch you off guard.
With website spoofing, a hacker creates a fake website that looks legitimate. In the past, hackers have made fake USPS websites that look nearly identical to the real one. The attention to detail makes it hard for even experts to sometimes fall for it while in a rush.
According to Barclay’s research on purchase phishing scams, in the last year, over four in 10 people were approached by email, with a third spotting the scam on social media. Here’s the breakdown of the top channels where shoppers spotted purchase scams:
| Top five channels for purchase scams in 2024 | |
| 42% | |
| Social Media sites and Marketplaces | 33% |
| Text/Messaging Apps | 31% |
| Search Engines | 21% |
| Second Hand Marketplace | 18% |
To outsmart phishers in their own game, you need to be vary of the foundational tactic used in any scam – the Four Ps: Pretend, Problem, Pressure, and Pay. Let’s break it down:
Scammers often disguise themselves as someone familiar—a family member, colleague,
trusted organization, or well-known brand. They may use a real name and send you
messages that appear to be the real deal and taking advantage of your relationship with
that person or company.
Example: If you receive an email from your manager asking you to purchase gift cards for a client meeting and the email looks somewhat identical but with a minor difference.
Almost all the time, scammers say there is a problem. It could be a banking transaction failure, a misplaced parcel, or someone you know desperately needing money. The goal? To manipulate you into sharing sensitive information like one-time passwords (OTPs), account details, or other personal data.
Example: This could be an SMS from your bank remarking you of “suspicious activity” and provides a link to a fake website which looks similar to the bank’s name. You will then be asked to enter your bank logins and OTP to “verify” your account.
Scammers thrive on urgency. They know that an impulsive decision leaves little room for second-guessing. Whether it’s a fake warning about legal trouble from a “government agency” or a time-sensitive claim for a supposed prize, their creative tactics know no limits.
Example: You get a call from “customs government agency” escalating that a suspicious package has arrived under your name. They are likely to demand a “penalty fee” immediately and threaten arrest.
Scammers always tell you to pay in a specific way. They often ask to make purchases via gift cards or buying cryptocurrencies because then it becomes hard to track. These methods make it harder to track the money and easier for them to vanish before you realize you’ve been tricked.
Example: Similar to point 1, when your “manager” asks you to buy giftcards for a client. This specific payment mode is a red flag.
The holiday season is a season for joy and not to be ruined by a scam. As much as we love a good deal or a surprise gift card, a little caution can save you from a ruined holiday mood.
Trust your gut, verify before you click, and remember: no deal, email, or text is worth compromising your security.
Have fun this season, shop smart, and keep the phish where they belong—on a plate, not in your inbox!
Cheers to a Happy (and secure) holiday!