Merry Phishmas? How to avoid scams this holiday season

It's the most wonderful time of the year – or is it? While many people are filled with the spirit of the festive season, there is a collection of individuals who certainly are not wishing for peace and goodwill to all mankind.

I'm talking, of course, about all the scammers, hackers and other ne'er-do-wells who will stop at nothing to get their hands on your data, your money or even your identity. This includes taking advantage of the season we're in, or forcing you into a heightened emotional state in order to manipulate you.

We often recommend using software like the best VPNs and the best antivirus to stay safe online – but even these can't always help if you're fooled by a scammer. In this article we'll explore some common scams, how to spot them and how to combat these holiday nasties.

Fake delivery scam

The internet has made shopping for Christmas gifts so easy. No more trekking to the mall and spending hours trudging round various different shops to find the perfect gift – instead you can virtually trudge from shop to shop online!

However, this has made it very easy for people to fall into scams at this time. Scammers will send you a phishing link, pretending to be from a delivery company. They will entice you into clicking on the link in a number of ways, including:

  • Saying your parcel has not been delivered and you need to book a redelivery
  • Saying your parcel has been held and you need to pay a fee for it to be delivered
  • Saying that your parcel is on its way and you need to click on a link to track it

I received one of these texts recently, and I was surprised at how realistic it was at first glance, especially as I was waiting for some packages to be delivered.

A text claiming to be a delivery service. The text reads: "We couldn't deliver a parcel since nobody answered at the door. For redelivery tracking and scheduling click this link"

Remember that a legitimate delivery service will not ask you to supply personal information, or to pay an extra fee on top of the delivery you have already paid for. Other things to look out for are:

  • The message coming from a generic mobile number rather than a registered delivery service (e.g. UPS, Evri, DPD, Yodel, FedEx)
  • No information about your package, e.g. it does not say the store you ordered from or your tracking number
  • Incorrect or missing information, e.g. a tracking number that doesn't match any tracking numbers you have received for packages you're waiting for
  • A sense of urgency, e.g. telling you your package will be returned to sender if you do not click on the link

It's also important to note that when you do miss a delivery, the delivery company will contact you in some way, whether this is via email, text or a note dropped through your door, letting you know that the parcel was not delivered and giving you a time frame of when redelivery will be attempted.

Fake website scams

Speaking of online shopping, it's not just fake deliveries you need to look out for – it's fake orders, too.

When looking for presents online, you might be tempted to look for the absolute best deals and get a little extra holiday cheer. However, these deals may be simply too good to be true.

Some scammers are using the draw of getting a good price on presents by setting up fake websites that offer you excellent deals that simply aren't real. These fake websites are set up in order to steal your personal and financial information.

You can spot these fake websites by:

  • Checking the website's URL. Many fake websites will use URLs very similar to legitimate sites', but there will be spelling errors, e.g. swapping out 'O' for '0'. Additionally, check to see if the URL itself starts with 'https://' as this is a good sign a site is real.
  • Looking up the deal on social media. If a brand is putting on a massive discount, chances are they will have posted about it somewhere. If there are no posts about it, it's probably a scam.
  • Checking the domain extension. Legitimate websites will have domain extensions you recognise, like '.com'. If a website uses an unusual domain extension this is a sign it's a scam.
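The URL checks in the list above can be automated. The following is an added example, not code from the article: the brand list, the list of familiar domain extensions and the look-alike character table are all constructed assumptions you would replace with your own.

```python
from urllib.parse import urlsplit

# Assumed inputs for illustration: brands you actually shop with, and
# domain endings you expect to see. Both lists are constructed examples.
KNOWN_BRANDS = {"amazon", "paypal", "fedex"}
FAMILIAR_TLDS = {"com", "org", "net", "co.uk"}

# Digits that are commonly swapped in for look-alike letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list[str]:
    """Return the warning signs found in a shop URL (empty list = none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    # Split "shop.amaz0n.com" into registered name "amaz0n" and ending "com".
    tld = next((t for t in sorted(FAMILIAR_TLDS, key=len, reverse=True)
                if host.endswith("." + t)), None)
    if tld is None:
        warnings.append("unfamiliar domain extension")
        name = host.split(".")[-2] if host.count(".") else host
    else:
        name = host[: -len(tld) - 1].split(".")[-1]
    if name not in KNOWN_BRANDS:
        # Undo common character swaps ("0" for "o", "rn" for "m") and compare.
        normalised = name.translate(LOOKALIKES).replace("rn", "m")
        for brand in KNOWN_BRANDS:
            if normalised == brand or edit_distance(name, brand) == 1:
                warnings.append(f"looks like '{brand}' but is '{name}'")
    return warnings
```

A missing 'https://' is a warning sign, but fake sites can obtain certificates too, so treat an empty result as "nothing found" rather than "safe".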

Overall, it's better to be safe than sorry and if a deal seems too good to be true, this may mean that it is. When in doubt, try to buy things from the brand directly, or a trusted and well-known retailer, in order to avoid dodgy websites.

Fake PayPal invoices

This time of year also brings a lot of deadlines and a rush to get things sorted before offices close until the new year. Sneaky hackers have been using this to their advantage, though, by sending fake invoices.

I personally have received not one, but two of these phishing invoices recently, complete with a note about potential fraud and a number for me to call if I don't recognise the invoice. Sneaky, huh?

Fake PayPal invoices for $3,000.99 and $13,265.29

While these scams are shockingly close to any official emails you may have received from PayPal, there are a few key things to check if you're trying to spot a scam:

  • The email that sent it. While the display may say PayPal, is it actually from PayPal's official email address?
  • A false sense of urgency. Does the email say you owe a large amount of money that will be taken if you ignore the message? Is it urging you to click a link or call a number straight away?
  • Your PayPal account. Log in to your account and check if you have actually received an invoice. Any requests for payment will be clearly displayed.

If you have received a fraudulent PayPal email, do not click on any links and instead forward it to phishing@paypal.com, then delete the email from your inbox.

The 'Hi Mom' scam

This scam was particularly prevalent this time last year, so it's important to be aware of it in case it makes a resurgence. It's targeted at parents specifically, so if you have children this awareness is especially important.

In this scam, the perpetrator takes advantage of the fact that many people will be travelling home to see their families during the festive season, and that we all want to see our loved ones home safe and sound. The scam starts with a text from an unknown number that usually starts with 'Hi mom'. The scammer will then pretend to be your child, explaining away the fact that the number they are using is not the number you have saved for them by claiming that they have lost their phone or had it stolen.

The scam progresses by asking you to send money to their 'friend' (who is in reality the scammer themselves, a mule or even another scammer) so they are able to pay for a new phone, or pay for travel to get home.

If you are unsure as to whether it is actually your child contacting you, call or text them on the number you have saved for them, not on the number that is claiming to be them.

Fraudsters pretending to be your bank

While Christmas is a time of love and joy, it can also be a time of feeling the strain of buying various foods, gifts and other things that make the season bright.

It's important to note that scammers frequently use information collected about you in other data breaches in order to successfully pose as your bank. This includes things like:

  • Your full name
  • Your phone number
  • Your email address
  • Your home address
  • Your bank
  • Partial card details (e.g. the last four digits of your credit/debit card number)

This can make the call very convincing, and means that you cannot rely on a caller having your personal information as a sign that they are legitimate. They also may use a spoofed number so they appear to be calling from an official number.

It's important to remember that the scammers will use tactics to cause you to panic, for example by telling you that credit cards are being taken out in your name, or that there are hackers draining your bank account. This panic can cause you to act in ways you wouldn't usually. Remember that your bank will never ask you to share a One Time Passcode (OTP), or move your funds to a different account.

If you are ever unsure when on a phone call with someone who claims to be your bank, hang up the phone and call the number for your bank supplied on your bank card or the fraud line supplied on their official website.

Avoiding scams this Christmas

So, with these scams in mind, hopefully you and your loved ones will be able to stay safe this holiday season. Be warned, though, that this is not an exhaustive list of all the scams out there – those looking to steal your data, money or identity are sneaky and will frequently change up the way their scams operate in order to avoid getting caught.

With this being said, the scam-spotting techniques will help you when you come up against any kind of probable scam. When in doubt, do not send any of your personal information or money to anyone.

Additionally, if you think you have discovered a scam, or been scammed, you can report or look it up using the Better Business Bureau Scam Checker.

Olivia Powell
Tech Software Commissioning Editor