The holiday season is a time of joy, giving, and unfortunately, an increased risk of falling victim to Christmas scams. 

As we are distracted by celebrations and gift buying, cyber criminals exploit the festive spirit for their gain. Around this time, you’ll find more phishing, social engineering, and SMS phishing attacks coming your way, trying to take advantage of your giving mood. 

In this blog, we’ll explore some common cyber security scams to watch out for during the holiday season and how you can protect yourself from becoming a victim.

Fake Christmas gifts

What happens

Cyber criminals prey on the excitement and urgency to find perfect gifts within a budget. Scammers will take popular items of the year and create fake social media ads that claim to offer the product at an extremely discounted price.

Users who fall for the seemingly good deal will click the ad link, be led to a spoofed website, give their financial information, and never receive the item they “ordered”. Now, not only has the victim been charged for this fake item, but the cyber criminal now has access to all their credit card information.

What to do

Always shop from the original source of the product you are looking for. Go directly to the company’s website rather than following an ad, even if it claims to lead to better deals. Chances are, if it sounds too good to be true, it probably is.

If you order an item through an advertisement and never receive it, contact the company you “ordered” from immediately. If they can’t find your order, freeze your credit card and obtain a new one immediately. 

Spoofed delayed packages SMS

What happens

Now more than ever, Christmas shopping is done online – and, of course, cyber criminals are going to take advantage of it. A new and common cyber attack will send out SMS messages to victims claiming that a package they ordered will not arrive on time. This preys on the victim’s fear, as they are now worried that a gift they have ordered will not be ready before Christmas. 

If the victim falls for this, they’ll click the “Amazon” or “UPS” link in the text message, which will likely lead them to a spoofed website. Then the victim will enter their personal information, or malware will immediately be installed on their device.

In a more timely version of this scam, the SMS will lead the victim to call a customer service number, but the number is spoofed and only brings the victim directly into the attacker’s hands. The victim will then call the number, everything will seem to be normal, and they’ll give up personal and financial information. 

What to do

Be cautious and resist the urge to click on any links in these SMS messages. Instead, verify the delivery status directly on the official website of the shipping company or contact their customer service. Taking this extra step can save you from falling into the trap of the hacker and losing out on more money. 

E-seasons greeting emails

What happens

One of the most common ways for cyber criminals to enter a professional network or obtain personal information is through emails that, when opened or clicked, release malware immediately. As the holidays approach, your inbox is probably filling up with more and more emails about the holiday season, and cyber criminals know that.

Cyber criminals will hide among your plethora of virtual gift cards or e-season greeting emails and trick victims into believing their email is just another one to open. All they need to know is the company you work at, so they can claim to be from there, or the name of one of your friends. Then, voila, you receive a fun email from a colleague, open it to receive a fun message, and your network is infected by malware.

What to do

We don’t want to take out all the fun of the holiday season, as some friends will legitimately send e-gift cards or Christmas cards through email. Before clicking on an email that is sent to you, check if you know the sender. Hover over the sender to check the domain of the email and see if it matches your organization or the organization it is claiming to come from. 

Before clicking on any links, or fully opening the email, you can send a Thank You note to the “sender” through another form of communication. This way you can get confirmation that it was from them before moving forward. 
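The sender-domain check described above, and the same comparison applied to links in delivery SMS messages, can be automated. This is an added example, not Click Armor code; the `OFFICIAL` table, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the brands you deal with and the domains they really use.
OFFICIAL = {"ups": {"ups.com"}, "amazon": {"amazon.com"}}

def belongs_to(host, domains):
    """True only for an official domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def verdict(claim_text, host):
    """Compare the brand a message claims with the domain it actually uses."""
    host = (host or "").lower().rstrip(".")
    words = set(re.findall(r"[a-z0-9]+", (claim_text + " " + host).lower()))
    for brand in sorted(OFFICIAL.keys() & words):
        if not belongs_to(host, OFFICIAL[brand]):
            return f"mismatch: claims {brand} but uses {host}"
    # No contradiction found; this is not proof that the message is genuine.
    return "no mismatch"

def check_sender(from_header):
    """Check the display name of a From: header against the address domain."""
    display, addr = parseaddr(from_header)
    return verdict(display, addr.rpartition("@")[2])

def check_sms(text):
    """Return one verdict for every link found in an SMS body."""
    links = re.findall(r"https?://\S+", text)
    return [verdict(text, urlsplit(u).hostname) for u in links]

if __name__ == "__main__":
    # Constructed samples, not real messages.
    print(check_sender('"Amazon Gift Cards" <gifts@amazon-rewards.example>'))
    print(check_sender("Amazon <order-update@amazon.com>"))
    print(check_sms("UPS: package delayed, reschedule at "
                    "https://ups.com.parcel-help.example/r"))
    print(check_sms("UPS: track at https://www.ups.com/track"))
```

The brand name appearing at the start of a hostname is not enough: only the end of the hostname decides which organization controls it.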

Counterfeit gift cards

What happens

Scammers create fake websites that advertise irresistible deals on gift cards for popular stores – think paying $50 for a $100 gift card to Best Buy. The scammers will typically portray urgency by claiming that the deals will only go on for so long and need to be purchased immediately. 

Victims who fall for this scam will give their financial information, have the money removed from their account, and never receive access to the gift card. This leaves them with less money, but also vulnerable to further attacks with their financial information now revealed. 

What to do

To avoid falling victim to this scam, always purchase gift cards directly from the official website of the retailer or trusted authorized sellers. Deals that seem too good to be true often are, so exercise caution and validate the legitimacy of the source. A gift card will never be sold for less than it’s worth. 

Charity scams

What happens

As mentioned in our Black Friday scams blog, cyber criminals will prey on generosity during this “giving” season. They will lure people into donating to fake charities by reaching out to them through phone calls, emails, or text messages. Over the call, they’ll play on people’s emotions with storytelling and social engineering, posing as a charity looking for donations. They’ll then ask for the victim’s card information in order to obtain access to their banking.

What to do

In the event that you find yourself on a phone call with a charity and feel compelled to donate, politely ask for the name of the organization, express your intention to contribute at your convenience, and end the call. Afterwards, conduct your own research to verify the legitimacy of the charity and to explore safer alternatives for making a donation.

Even better, begin the donation process on your own. Visit the official website or physical locations of an organization of your choice to learn more about how you can donate. Donating physical items or offering your time as a volunteer are both excellent ways to support a cause without divulging your financial information over the phone.

While the holiday season brings warmth and joy, it’s crucial to remain vigilant against cyber security threats. By being aware of common scams and adopting cautious online practices, you can protect yourself and your loved ones from falling prey to cybercriminals. This season, let’s celebrate safely and securely, ensuring that the only surprises we encounter are the ones wrapped in festive paper.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.