Carnegie Mellon University
Computing Services  ›  Information Security Office  ›  News  ›  2020  ›  Holiday Shopping Hazards

Image of man holiday shopping from home

November 18, 2020

Holiday Shopping Hazards

'Tis the season for cyber scams and festive phish

Shopping online can save you time and effort during the often-hectic holiday season, but it also carries risks. While shopping scams happen year-round, attacks tend to surge near the holidays. When shopping online, people expect to receive order confirmations, electronic receipts, and shipping notifications—not to mention countless alerts about special deals, sales, and rewards. Scammers build on these expectations to create convincing phishing emails. At this time of year, it’s especially important to examine any email that asks you to click a link, download a file, or confirm login credentials or payment information.

Fake Retail Emails

Scammers often send phishing emails that appear to come from large department stores, e-commerce sites, and other popular retailers. Because consumers already expect to get emails from these legitimate brands, they can fail to notice a well-disguised phish.

Some of these fraudulent emails play on fear. For example, you might receive a fake notification that warns you’ve been locked out of your online shopping account. It might ask you to verify your identity, in order to steal your login credentials or other personal information.

From: Amazon [mailto:Amazon_1@Devora2290.hostpilot.com]
Subect: We could not confirm the address associated with your Amazon account
amazon logo
Hello Customer

We could not confirm the address associated with your Amazon account. As a result, we have disabled the ability for anyone to login to your account to avoid account misuse. To resolve this, a verification process is required to be completed.  Verify Account Information Now

Note that this is required to be completed to enable us to re-enable access to your Amazon.com account. All information should be provided as contained on file.

Thanks,
Amazon Security Team

©2020 Amazon.com, Inc. or its affiliates. | All rights reserved. | Amazon Logo is a registered trademark of Amazon.com. Inc or its affiliates.

Return to Sender

Scammers have long used phishing emails that appear to come from shipping services. These phony shipping emails become more frequent during the holidays and can target both senders and recipients. Nobody wants to experience delays with merchandise they’ve ordered or packages they’ve shipped—especially when it comes to last-minute gifts. If you’ve been shopping online, you’re likely to pay attention to an urgent email about a package that couldn’t be delivered. These phishing emails use plausible timing and content to trick you into clicking a link or opening an attachment without thinking. They often contain a malicious attachment— perhaps disguised as a fake invoice or notification—that can infect your device when downloaded.

Subject: FedEx Delivery Notification

fedex logo
We would like to inform you that your package could not be delivered due to incomplete information. Please print out the invoice copy attached and collect your package from your local FedEx office at your earliest convenience. 

FedEx Web Team

What Can I Do?

The best way to avoid holiday phishing attacks is to carefully examine any email that prompts you to take action. Since scammers can easily imitate brand logos, "From" addresses, and signatures, you must look deeper. 

Ask yourself:

  1. Am I sure about where this message came from?
  2. Does this message seem odd campared t others I've gotten from this sender in the past?
  3. Is this message confusing or does it mention an account or purchase I don't recognize?
  4. Is this message urging me to act quickly or trying to frighten me by mentioning problems with an account, purchase, or shipment?

If you're still unsure about an email, confirm the information by visiting the official website by typing the address into your browser and contact customer support.

Cyber-Smart Shopping Tips

Share these tips with family and friends for a safe holiday shopping experience:

  • Slow down - Don't let holiday pressures rush you into snap judgments. Critically examine any email or message that prompts you to do something—visit a website, download a file, or log into an account, for example. If you’re not totally sure a message is safe, it’s always better to err on the side of caution.
  • Stick with what you know - To avoid falling for online imposters, only interact with trusted websites, preferably those you’ve used in the past. If you do decide to shop at less-familiar sites, be sure to do your research.
  • Watch for social media scams - Many social media websites do not confirm business pages before they go live on the platform. Scammers will post fraudulent ads on social sites that may promise highly coveted items at very low prices, or the ability to buy a toy or electronic item that’s sold out everywhere else. Such purchases could be counterfeit— or never arrive.

    For more tips on how you can protect yourself online and have a safe shoping experience please visit the Computing Services news article Protect Yourself: Tips for Shopping Online Safely.

Fell for a Phish?

If you believe that you were a victim of a phishing email, please contact the Information Security Office as soon as possible at iso-ir@andrew.cmu.edu or by phone 412-268-2044.