
Holiday Season Cybersecurity Scams and How to Avoid Them

December 19, 2019 by Pierluigi Paganini

Holiday Season Cybersecurity Scam Awareness

The holiday season has arrived, and in this period, cybercriminals intensify their operations in order to monetize shoppers’ exposure to online fraud and scams.

The Department of Homeland Security (DHS) recently issued a security alert to warn U.S. consumers about malicious campaigns and scams that are common during the holiday season.

"As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online," reads the alert published by the CISA agency.

"Cyber actors may send emails and ecards containing malicious links or attachments infected with malware or may send spoofed emails requesting support for fraudulent charities or causes."

Europol has also issued a warning about holiday-themed fraud, focused on ticket scams.

In this period of the year, it’s quite easy to fall victim to criminals that take advantage of the holiday season by using themed scams in online advertisements, phishing emails, misleading sales calls and text messages. 

In many cases, scammers use holiday-themed phishing messages while pretending to be from popular brands or online stores like Amazon. Scammers may send victims fake order confirmations via email with malicious attachments or share links to phishing messages that promise special discounts to users that provide their personal data via a specially designed online form.

Law enforcement agencies and security firms recommend that consumers be cautious while shopping online during the holiday season. Fraudsters can attack them by intercepting insecure transactions, targeting unpatched systems, creating cloned sites and using scam email messages to harvest their financial and personal info.

Which are the most common holiday scams?

The types of holiday scams are limited only by the criminal's imagination. However, some fraud patterns are well known, and it is important to share information with customers so that they can recognize them. Here are just a few examples of holiday scams:

Bogus shipping notifications

During the holidays, users tend to be more active online. The number of gifts and products bought online spikes in this period of the year and people receive many more shipments. Criminals are aware of this and send out phishing emails that pose as shipment notifications.

The fake shipping notifications may use a malicious attachment or include links to a phishing page designed to trick victims into providing their personal information (e.g., login credentials for a fake login page). The malicious attachments are weaponized Office documents that pretend to be order details.

Bogus gift cards and coupons

Another popular scam consists of sending victims fake coupons and gift cards and tricking them into providing personal and financial information. Lure emails could include links to malware downloaders or redirect victims to phishing pages.

Charity frauds

Charity fraud consists of getting money from people who believe they are making donations to charities. Attackers send messages to people, or make unsolicited phone calls, posing as members of a charity organization and asking donors for contributions to charities that don't exist. 

During this period, groups of criminals adopt high-pressure tactics to trick victims into making immediate donations. Scammers send phishing emails that include links pointing to fake charity organization websites. Other attack scenarios see the criminals calling the victims and tricking them into providing financial information to complete a donation.

Below is a list of signs that could be associated with a scam:

  • The organization refuses to give clear details about its mission, identity, associated costs or how the donations are used
  • The organization doesn’t provide proof of its tax-deductible status
  • The organization uses a name that is very similar to a reputable, better-known organization
  • You receive thanks for donations that you don’t remember giving
  • The organization uses high-pressure methods to urge you to donate immediately without giving you ample time to research
  • The organization asks for cash-only donations or a money wire

Fake accommodation listings and fake plane tickets purchased online

The number of travel-related scams increases during the holiday season, from fake discounted prices for flight tickets to fake ads for private residences and luxury villas for rent.

In the latter case, the criminals offer properties that don’t exist or that are owned by unaware people that never offered them for rent. These properties are also offered on popular platforms such as Airbnb; for this reason, Airbnb prohibits hosts from asking users to pay them using something other than the site's built-in payment page. In some cases, scammers asked users to wire them money outside the Airbnb platform.

Cybercriminals also attempt to monetize their efforts by offering discounted flight tickets that were purchased with stolen payment card data.

Recently, an international operation conducted by law enforcement to fight fraudulent online purchases of flight tickets resulted in the arrest of 79 people as part of the Global Airline Action Days (GAAD).

“Fraudsters use fake online adverts, bogus sales calls, emails, text messages and instant messaging offering incredibly cheap rates to tempt you into booking a holiday or purchasing a service. If the price is too good to be true, it probably is,” reads a post published by Europol.

The website may be suspicious if:

  • There are only a few details and pictures of the property or hotel
  • Online reviews aren’t favorable or don’t exist at all
  • You are requested to pay in cash; via bank transfer, such as with MoneyWise or Western Union; or even virtual currencies like Bitcoin

According to Europol, “These payment methods are difficult to trace and are not refundable (remember: criminals need to monetize the stolen card details of other victims and you could be part of this plan).”

How to stay safe online during the holiday season

Below is a list of measures users can take to defend against holiday scams:

  • Be careful when opening attachments or clicking links in unsolicited email messages
  • Use caution when shopping online
  • Verify a charity by contacting organizations like Charity Navigator or CharityWatch
  • Be careful when clicking on any emails, instant messages or social media posts that claim to be offering tickets
  • Only buy tickets from the venue’s box office, the promoter, an official agent or a well-known and reputable ticket exchange site
  • Buy gifts only from official and trusted websites and check that they use a secure payment system and the secure communication protocol (HTTPS)
  • Pay special attention to the website name and domain. Small changes in the name or domain can direct you to a completely different company
  • Always pay by credit card. Other payment methods such as debit card, cash or money transfer services are not secure


Holiday Shopping, Phishing, and Malware Scams, CISA

Protect yourself from holiday and ticket fraud, Europol

Shopping Safely Online, CISA

Protect Your Identity From Holiday Charity Scams, The Balance

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.