How to avoid scams this Christmas

The silhouettes of a parent and young child both wearing Santa hats. They are out of focus, with a christmas tree lit in gold lights in focus in the background.

Christmas is traditionally seen as a time filled with peace, joy, and goodwill. Unfortunately, scammers haven’t got the message, and will take advantage of the season in an attempt to steal Christmas – literally.

Just as the Grinch stole the Whos’ presents, trees, and food, hackers are keen to steal your data and money using a range of methods. They rely on the fact that, at Christmas, people are buying a lot of stuff. They're also aware that people are waiting on legitimate communications from delivery companies, looking for gifts, and anticipating communications from friends and family. Ultimately, this means we're all that much more likely to fall for a scam.

Hackers just love to pose as companies, and even relatives, to trick victims into parting with their financial details. Other scams involve malicious actors setting up fake websites designed to steal your data and spread malware.

So, how can you spot these scams and ensure your digital privacy stays intact over the holidays? I'll share my top tips.

How to avoid phishing scams

Phishing scams are a particularly common (and devastating) type of cyber-attack. In 2022, the Anti-Phishing Working Group logged more than 4.7 million phishing attacks, with 1.35 million of these attacks occurring in Q4 of 2022 alone.

The data is clear – malicious actors can, and will, take advantage of the holiday season to victimize unsuspecting targets.

While phishing attacks traditionally refer to email-based attacks, the evolution of technology means that hackers have more ways to steal your data. Text-based attacks are referred to as "smishing", and if you're targeted over the phone, it's "vishing."

Don't get hooked

Scammers send bogus texts that pressure you to make a payment or follow a dodgy link – and can pretend to be your bank, a delivery service, or even a family member.

The modus operandi stays the same despite the medium, however. Malicious actors leverage social engineering techniques to take advantage of the holiday season. For example, a hacker might send a bogus text (including a dodgy link) pretending to be a delivery company, claiming that there's an issue with a delivery and a fee to be paid.

The victim might not suspect a thing – especially if they're expecting multiple packages – but clicking that link could be catastrophic. Some hackers even escalate this into a double-pronged social engineering attack where they pose as the victim's bank, coercing them into transferring funds under the guise of helping them combat fraud.

Some cybercriminals take their scams to a whole new level by pretending to be the friends, family, or even children of their target. These attacks are colloquially known as "Hi Mom" or "emergency scams." The scammer will send a bogus text, claiming to be the victim's child, stating that they're in an emergency and require money. Lots of people are traveling home for Christmas, and train disruptions and breakdowns are par for the course. Hackers are quick to take advantage of this, exploiting the concern of family members to make a quick buck.

Avoid phishing scams by:

Verifying the sender.

Look at the email or contact number that's reaching out to you. Do you have other legitimate correspondence from the person or company? Keep an eye out for any suspicious links in the message, too, especially if you're being pressured to act fast and pay a fee that you've never had to pay before.

Malicious actors are more than capable of spoofing numbers – basically, they can send messages that look as though they're from a real company. They might use an email address that's very similar to its legitimate counterpart, at least at first glance.

If you have any doubts about any text, email, or call you receive, contact the person (or company) directly.

Being wary of your emotional response.

Phishing scams rely on social engineering, and malicious actors want you to feel rushed and anxious – and they'll often achieve this by insinuating that you have a limited time to pay a fee or prevent fraudulent activity. After all, if you're panicking, you're not thinking rationally.

Take a step back, a deep breath, and read the message with a critical eye. Is it pushing you to do something quickly? That could be clicking a link or sharing your personal information. Remember, companies will never ask you to share your financial details, or send them money, out of the blue.

Checking your data.

You're more likely to become a victim of a scam if your data has been involved in a leak or breach. This is because hackers routinely buy batches of leaked contact information off the dark web – and use it to target new victims en masse.

Have I Been Pwned is a handy site where you can check whether your email address and phone number have appeared in a leak. It's free, and gives you an all-important heads-up about whether you need to double down on your account security.

How to avoid dropshipping scams

'Tis the season, and plenty of us turn to social media for gift inspiration. It's risky business, however, as scammers do their best to tempt us with fake products. Some use generative AI to create product images and send out cheap, mass-produced products from websites like Temu or Alibaba.

While dropshipping (that is, a supplier not physically holding stock and instead sending customers items sourced elsewhere) is a legitimate business model, customers have been caught out by deals that are just too good to be true. In addition to fake images, scammers try to pressure buyers by "reducing" their prices, claiming that certain deals are only available for a limited time.

Avoid dropshipping scams by:

Searching the product image on Google.

Check out whether there are a ton of different listings across a variety of sites and sellers – and if there's a massive price difference. If there is, there's a good chance that the deal you've spotted is a dropshipping scam.

Researching the seller.

If a seller, or company, is legitimate, they'll have a business address and a LinkedIn profile. Dropshipping scammers, however, will not. Take a look at the seller's profile page, or the company's homepage, before snapping up that deal.

Reading the reviews.

Unfortunately, people only tend to review their purchases when they're unhappy. These reviews can help you out, however, especially if they're complaining about the item's poor quality. They might even let you know that the item they received doesn't look anything like the listing image.

On the other hand, if there are a ton of brief, non-specific (but glowing) reviews, this is a sign that bots are being used to artificially inflate the seller’s ranking. When in doubt, look for reviews with images of the actual product attached.

How to avoid poisoned Google adverts

We all love a good bargain – especially during the holidays when lots of us have a long list of family and friends to shop for. Google's ads can be a massive help here, pointing out the best deals and streamlining the overall shopping experience, but hackers can "poison" these ads, turning them downright dangerous.

Cybercriminals co-opt ads and websites owned by legitimate companies to trick potential customers into following the link and handing over their sensitive information. To maximize their yield, these hackers will target the most well-known and trusted brands.

The success of these scams hinges on the fact that we tend to assume that results at the top of a Google results page are legitimate – and that most people won't double-check the link before following it. The fake sites are often built to look just like their legitimate counterpart, making them even harder to spot.

Avoid poisoned Google ads by:

Checking the URL.

Fake sites are notoriously hard to spot, but a closer inspection of the URL can reveal red flags. Check to see whether the company name is misspelled, has extra numbers in its domain, or has an unusual suffix (e.g. ".org" rather than ".com"). You'll also need to confirm the site's security – its URL should start with HTTPS, not HTTP. Bear in mind that HTTPS alone doesn't prove a site is genuine, since scammers can obtain certificates for their fake domains too; treat it as a minimum, not a guarantee.
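The URL checks just described, and the sender-address check under "Verifying the sender", can be turned into a small script. The Python below is an added example, not code from the article; it assumes you already know the brand's genuine domain (argos.co.uk is used as a constructed sample) and uses a deliberately short, constructed suffix list instead of the full public-suffix list.

```python
import re
from urllib.parse import urlsplit

TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}  # constructed sample; a real tool would use the public-suffix list

def registrable_parts(host):
    """Split a hostname into (second-level label, suffix): 'shop.argos.co.uk' -> ('argos', 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    n = min(len(labels) - 1, 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1)  # labels taken by the suffix
    return labels[-n - 1], (".".join(labels[-n:]) if n else "")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_red_flags(host, legit_domain):
    """Red flags for a hostname, judged against the brand's genuine domain (e.g. 'argos.co.uk')."""
    host, legit_domain = host.lower().strip("."), legit_domain.lower().strip(".")
    brand, legit_suffix = registrable_parts(legit_domain)
    if host == legit_domain or host.endswith("." + legit_domain):
        return []  # the genuine site or one of its own subdomains
    flags = []
    sld, suffix = registrable_parts(host)
    if brand in host.split(".") and sld != brand:
        flags.append("brand appears only as a subdomain of an unrelated domain")
    if sld == brand and suffix != legit_suffix:
        flags.append(f"unusual suffix .{suffix} (expected .{legit_suffix})")
    if sld != brand and re.search(r"\d", sld) and not re.search(r"\d", brand):
        flags.append("extra digits in the domain name")
    if sld != brand and brand in sld:
        flags.append("brand name padded with extra words")
    elif sld != brand and edit_distance(sld, brand) <= 2:
        flags.append("brand name misspelled")
    return flags

def url_red_flags(url, legit_domain):
    """Red flags for a full URL: the HTTPS check from the article plus the hostname checks."""
    parts = urlsplit(url if "://" in url else "//" + url)
    flags = [] if parts.scheme == "https" else ["URL does not start with https://"]
    return flags + host_red_flags(parts.hostname or "", legit_domain)

def sender_red_flags(address, legit_domain):
    """Red flags for an email sender: the domain after the '@' gets the same lookalike checks."""
    return host_red_flags(address.rsplit("@", 1)[-1], legit_domain)
```

An empty list means the address matches the genuine domain; anything else is a reason to type the company's address in yourself rather than follow the link.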

Scrolling beyond the sponsored search results.

You might be in a rush, but it's well worth taking the extra handful of seconds to scroll down the results page to find organic links that are more likely to be trustworthy.

Using an antivirus.

By using one of the best antivirus products on the market, you add an extra layer of protection between yourself and any dodgy sites. If you do happen to click on a malicious link, your antivirus program can help stop malware in its tracks and prevent hackers from running away with your data.