The holiday shopping season is in full gear, and Santa Claus will soon be on his way. If you haven't started shopping yet, now's the time to get things going.
Gift-giving and shipping deadlines are fast approaching, but try not to panic. Security experts say you need to think before you pull out your credit card, because scammers and other online Scrooges want to take advantage of your haste and trick you into falling for fake deals and other shopping-related scams.
It's the big jump in online buying combined with countless busy and distracted shoppers that makes this time of year so enticing for scammers, says Darius Kingsley, head of consumer banking practices at Chase.
"Many of us kind of have our guard up throughout the year, at least to some extent," Kingsley said. "Then it's late November and you've only just started your holiday shopping so panic sets in. It's kind of all of those typical emotions, but that does cloud your judgement a little bit."
This year's online holiday sales are expected to set records. Adobe projects that US online sales will hit $240.8 billion this holiday shopping season, representing 8.4% growth over the same period last year.
They got a good start over the holiday weekend. Adobe says online sales for this year's Cyber Week, the five-day period that includes Thanksgiving, Black Friday and Cyber Monday, hit $41.1 billion, representing an 8.2% increase over the same period last year.
Like some shoppers, many scammers got going early on their holiday activities this year. In its Holiday Threats Report, published in November, Visa noted that the number of fake and spoofed merchant websites spotted by its researchers over the past four months was nearly triple what it was in the four months previous to that.
James Mirfin, the company's senior vice president and global head of risk and identity solutions, said Visa has also seen increases in other kinds of malicious activities including phishing and social-engineering scams, along with scams related to holiday travel and seasonal jobs.
Meanwhile, generative AI tools are making it quicker and easier for cybercriminals to craft custom scams, letting them spoof voices and create deepfake videos that make their scams much more convincing, he said. And, needless to say, gone are the days of poorly written phishing emails that would raise the suspicions of even the least tech savvy consumers.
"These things are starting to look and feel more like they're coming from your bank or from someone you trust," Mirfin said.
Mike Price, chief technology officer at ZeroFox, also pointed to the rise of tools like ChatGPT and other large-language models as the most recent game-changer in the world of online scams. He noted that in addition to deepfaked voices and videos, those kinds of tools allow criminals to create photorealistic images of just about anything you could imagine, simply by entering a text prompt.
"And this had not really been possible until the last couple of years and hasn't really matured until this year," Price said. "The platforms have come a long way in the last couple of months."
That may seem daunting. But a few basic precautions will help keep you safe from the Krampuses of the online world. Here are a few expert recommendations on how to shop safely for the holidays.
Check your list (and credit card and bank statements) more than twice
Keep an eye on your bank and credit card accounts. It's good not only for security but also for keeping track of your spending.
Mirfin said shoppers should set up purchase alerts on their accounts and keep a close eye on their statements, especially during this time of year.
You can make this task easier by limiting your holiday shopping to a single credit card and email address. Doing so will also reduce the risk of falling for a phishing scam if one comes to your other email accounts.
If you notice anything off, log into your account directly through your bank's app or website, or call the number on the back of your card. Don't click on links in emails.
Don't pay for your purchase with cryptocurrency. By design, crypto is intended to be anonymous and extremely hard to track. If someone steals it, it's probably gone.
Requests for payment with retail gift cards should also be looked at with suspicion. They also can't be tracked and can be easily converted into cash or merchandise by cybercriminals.
Don't be a feast for the phishers
Spam and scam emails, texts and other kinds of messages are a year-round thing, but they really pile up this time of year. They might look like a fraud alert from your bank or a great deal on that must-have item.
The risk is that shoppers could click on a link in a malicious email that would take them to a fake website that would then collect their personal or financial information, putting them at risk of financial fraud or identity theft.
Major email providers do their best to keep scam emails out of your inbox, but some inevitably make it past their defenses, ZeroFox's Price said. And it can't do much to stop people from clicking on things they're convinced are legitimate.
Scott Knapp, Amazon's vice president for worldwide buyer risk prevention, said fake order scams, where a consumer gets a text or email claiming that they bought some kind of high-priced item that they actually didn't, have been on the rise this year. Some claim there's a problem with a delivery, while others now tout fake "private" Amazon Prime member deals.
When it comes to potentially scammy emails mentioning Amazon, Knapp says the best thing people can do is just go back to the company's website or app. If there's a problem with an order, or the company otherwise needs to get a hold of you, that information will be in your message center.
Read more: Best Identity Theft Protection Services for 2024
Is that Santa? Or just the Grinch in disguise?
Sure, you can Google around if the major retailers don't have what you want in stock, but make sure you're dealing with a legitimate business. Be especially skeptical of ads that pop up in your social media feeds touting amazing, limited-time offers.
When in doubt about the authenticity of any offer, message or retailer, the advice is the same.
"Customers need to be suspicious," Knapp said. "It's the old adage, 'If it looks too good to be true, it probably is.' Walk away from it."
You're almost always better off shopping on the sites of well-known retailers, but if you're going to do business with what looks like a discount site or even a small business, you need to vet it first. Look for reviews online and check for complaints with groups like the Better Business Bureau, Price said.
Even if you do your homework, you need to be prepared for the possibility that you're going to lose your money to a fraudster, he said. If you're not OK with that, you're probably better off paying a little more somewhere else.
Be picky when it comes to gift cards
Some people are really hard to shop for, especially if you're running short on time, which might tempt you to just buy them a gift card. But experts say cybercriminals are also looking to cash in on those cards before their recipients ever get a chance to use them.
While digital gift cards are the ideal way to go, never buy them from a third-party site, even if it offers them at a generous discount, Chase's Kingsley advised. There's no guarantee that they'll actually arrive. And even if they do show up in the mail, they may turn out to be expired or used.
While admittedly tough to wrap and put under a tree, it's best to buy digital gift cards directly from the company that issued them, or a major retailer. If you really want a physical card, look for one with intact packaging, preferably behind the counter of a store.
Elf on the Shelf might not be the only one watching
Basic cybersecurity precautions, which you should be taking year-round, are a must if you want to ward off a visit from the cyber Grinch.
Make sure your devices and online accounts -- bank and credit cards, email, social media, shopping website logins and so on -- are locked down before you start shopping. Update your operating systems, antivirus software and all of your apps.
All of your online accounts need strong, unique passwords. If you need help, use a password manager. Passkeys are becoming increasingly available and can also make things easier. Two-factor authentication, which requires a second identifier like a biometric or push notification sent to your phone, should always be enabled when available.
If you're worried about the security of the free internet at your local store, think about signing up for a virtual private network. Good ones will both mask your location, as well as encrypt the data you send and receive over that Wi-Fi.
You also can just use the cellular connection on your smartphone. It's a lot more secure than just about any Wi-Fi connection out there.