How to Outsmart Holiday Scammers This Shopping Season
The Federal Trade Commission reports that consumers lost more than $12.5 billion to fraud in 2024 alone. That’s a 25% jump from the previous year. And here’s the thing that makes our security team cringe every November and December: a massive chunk of those losses happens during the holiday shopping season.
Nearly 9 out of 10 adults in the U.S. report being targeted by or experiencing some type of scam, according to AARP’s 2025 research. The holiday season creates what our Head of Public Policy, Mike Centrella, calls “the perfect storm” for these attacks.
Let’s break down why this time of year is so dangerous and how you can shop online without falling victim to holiday scams.
Why cybercriminals target holiday shoppers
Think about your own behavior during the holiday shopping season. You’re probably tired from work, rushing to find that perfect gift, and clicking through dozens of deal notifications every day. Maybe you’re traveling to visit family, shopping on unfamiliar networks, or trying to snag a limited-time offer before it disappears.
Attackers understand this better than most retailers do.
“Holiday shopping creates the perfect storm for cyber criminals,” Centrella explains. “Higher online spending, rushed decision making, distracted consumers and retailers pushing rapid promotions. Attackers know people are tired, they’re traveling and they click faster.”
The data backs this up. Security researchers have documented a 54% surge in phishing attacks impersonating retailers during the holiday period. Fraudsters don’t improvise these campaigns either. They prepare weeks ahead, registering thousands of fake domains designed to impersonate legitimate brands. By the time you’re searching for holiday gifts, the traps are already set and waiting.
The scams and frauds hitting hardest right now
Based on what we’re seeing across the threat landscape, several attack types stand out this season.
Fake retail websites continue to plague online shopping. These aren’t the obvious knockoffs from a decade ago. Modern scammers create complete replicas of legitimate retailer websites, using the exact same logos, colors, fonts, and layouts. Security researchers identified more than 120,000 fake retail apps in 2025, with 65% of them mimicking legitimate brands.
Phishing and smishing attacks disguised as package delivery notifications have become incredibly effective. Scammers use these tactics because they know you’re expecting packages. They send phishing emails or texts saying your delivery is delayed or being held. Since you’re actually expecting packages during the holidays, you click without thinking. The link either steals your personal information or installs malware on your device. More than half of people surveyed by AARP reported receiving these fake notification messages.
Malicious social media ads represent another growing threat. These ads appear on Instagram and other platforms with deals that seem impossible to pass up. When you click through, you land on a fraudulent site that either takes your payment and delivers nothing or harvests your credit card information for future fraud.
Account takeover attacks spike during the holiday season because your email is the key to everything else. Once an attacker gets into your email, they can reset passwords for your bank, your favorite retailer, and your payment apps. Business email compromise has reached record levels according to FBI data, and the same tactics work against individual consumers.
Four security habits that can help you avoid attacks
When we talk to security experts about their top recommendations, the same themes keep coming up. Here’s what actually works to help you avoid holiday shopping scams.
Use strong and unique passwords
Stop reusing the same password across your bank, Amazon, and other shopping accounts. We know it’s annoying to remember different passwords for every site, but password reuse is exactly how attackers turn one breach into access to your entire digital life. Consider using a password manager to generate and store unique passwords for each platform you use.
Turn on multi-factor authentication everywhere
“Turn on your multi-factor authentication for your major accounts like email, banking, and other online retailers that you use commonly,” Centrella advises. “Your email is the key to every other account. Most holiday cybercrime involves account takeover. An MFA can stop the attack even if the criminals have your password.”
This single step might be the most effective thing you can do. Stolen passwords become useless when attackers can’t get past that second verification step.
Keep your devices and software updated
We get it. Those update notifications pop up at the worst times. But those updates patch security holes that attackers actively target. This includes your phone, which people sometimes forget about. It takes a few seconds to hit that update button, and those few seconds can make the difference between staying safe and getting compromised.
Slow down before you click
This might be the most repeated advice in cybersecurity, and for good reason. “The best advice I can give during this holiday season is slow down,” Centrella emphasizes. “Make sure you’re reviewing those emails or reviewing those text messages and really understanding the links that you’re clicking on.”
Rushed decisions are exactly what scammers count on. Taking an extra second to verify what you’re about to click on could save you from a world of trouble.
How to spot a fake website before entering your information
When emails come in with a fantastic deal, don’t just click a link and go to the website. Type the actual company’s address directly into your browser instead. If a retailer is running a real promotion, you’ll find it on their actual website.
Here are the red flags that should make you immediately suspicious before making a purchase when you shop online:
- URL misspellings or unusual domain names that look almost but not quite right
- Payment options limited to Zelle, Venmo, CashApp, or gift card only
- Missing customer service contact information or refund policies
- No legitimate way to get a hold of the business
- Prices that seem too good to be true
If you’re looking at a website and there’s no clear way to contact customer service, no refund policy, or no real legitimate way to get a hold of the business, those should be immediate red flags.
The BBB and other consumer protection organizations recommend typing retailer URLs directly into your browser rather than clicking links from emails or ads. Using ad blockers can provide another layer of protection, as many maintain lists of harmful websites and prevent connections to known fraudulent destinations.
Check a retailer’s security before you shop
Here’s something most consumers don’t realize: you can actually check the cybersecurity posture of a retailer before you hand over your credit card information. Our free Public Scorecards tool lets anyone look up a company’s security rating instantly. We rate over 12 million companies on an A through F scale, giving you visibility into how seriously a retailer takes security.
Before doing any holiday shopping online with a retailer you’re unfamiliar with, take 30 seconds to look up their security rating. A low score doesn’t necessarily mean you’ll be scammed, but it can indicate that a company has security weaknesses that could put your data at risk. Think of it as checking reviews before trying a new restaurant, but for cybersecurity.
The hidden danger of public Wi-Fi during holiday travel
Holiday travel means airports, coffee shops, hotels, and other locations where you might be tempted to connect to public Wi-Fi and do some holiday shopping online.
Public Wi-Fi, whether it’s at a retail store or a coffee shop, typically does not have the best security. In many situations, it could actually give hackers an opening to steal your information.
Use your personal cell hotspot for any financial transactions, or simply wait until you get home. The convenience of shopping on airport Wi-Fi isn’t worth the risk of having your credit card information intercepted.
A simple trick to contain the damage if something goes wrong
Adam Keown, CISO at Eastman, noted that even with the best precautions, things can go wrong, which is why he suggests a practical approach to limit your exposure when you shop online during the holiday season. As he told Mike Centrella:
“Use a single card number for all your online activity. It’s much easier if something does happen to that card to cancel it and have it replaced without creating chaos in your life. Keep your everyday card for gas and groceries separate from your online shopping card.”
Designating one credit card exclusively for buying gifts online gives you several advantages. If that card number gets compromised, you can cancel it without disrupting your daily finances. When your statement comes in, you can easily track all your online purchases in one place and spot any fraudulent charges quickly. Credit cards typically offer stronger fraud protections than debit cards, so you’re better protected if something goes wrong.
This approach also makes it easier to respond if you do encounter fraud. You can request a new card, dispute the charges, and move on without having to update payment information across every subscription and automatic payment in your life.
Watch out for charity scams during the giving season
The holiday season brings out generous impulses, and scammers know it. More than a third of people surveyed said they received a donation request from a charity that felt fake or fraudulent this year. Before responding to any charity request, take time to verify the organization is legitimate. The BBB Wise Giving Alliance and Charity Navigator can help you confirm that your donations will actually go where you intend them to go.
Be especially wary of charity solicitations that arrive via email, text, or social media ads. Legitimate charities won’t pressure you for immediate donations or request payment via gift card or wire transfer. If you want to donate to a specific cause, go directly to that charity’s official website rather than clicking links in unsolicited messages.
What to do if you think you’ve been targeted
If you suspect you’ve encountered a scam or think your information may have been compromised, act quickly. Contact your credit card company to dispute any suspicious charges and request a new card number. Change your passwords, especially for email and financial accounts. Consider placing a fraud alert on your credit reports.
Delete any suspicious emails or text messages after noting any relevant details, but don’t click any links within them. You can report scams and frauds to the FTC at reportfraud.ftc.gov and to the FBI’s Internet Crime Complaint Center at ic3.gov.
The bottom line for staying safe this holiday shopping season
Slow down and take the time to make sure that you’re cyber safe during this holiday season.
The attackers count on urgency. They know you’re looking for deals. They know you’re expecting packages. They know you want to find the perfect holiday gifts before time runs out. By simply pausing before you click, verifying before you enter personal information, and staying on the lookout for scams, you dramatically reduce your chances of becoming a victim.
If you only do one thing after reading this, enable multi-factor authentication on your email, banking, and major shopping accounts today. It’s the single most effective defense against account takeover, which is the attack type that does the most damage during the holiday shopping season.
At SecurityScorecard, our mission is to make the world a safer place by transforming the way organizations understand, mitigate, and communicate cybersecurity risks. That starts with helping individuals protect themselves too. Check any retailer’s security rating for free before you shop. Stay vigilant, shop smart, and have a safe holiday season.