Carnegie Mellon University

November 30, 2021

Holiday Shopping Hazards

'Tis the season for cyber scams and festive phish.

Shopping online can save you time and effort during the often-hectic holiday season, but it also carries risks. While shopping scams happen year-round, attacks tend to surge near the holidays. At this time of year, it’s especially important to examine any email that asks you to click a link, download a file, or confirm login credentials or payment information.

When you shop at a brick-and-mortar store, you might leave with a paper receipt, but shopping online usually triggers a flurry of emails, texts, and other communications. People expect to receive order confirmations, electronic receipts, and shipping notifications—not to mention countless alerts about special deals, sales, and rewards. Scammers build on these expectations to create convincing phishing emails.

Fake Retail Emails

Scammers often send phishing emails that appear to come from large department stores, e-commerce sites, and other popular retailers. Because consumers already expect to get emails from these legitimate brands, they can fail to notice a well-disguised phish.

Some of these fraudulent emails play on fear. For example, you might receive a fake notification warning that you’ve been locked out of your online shopping account. It might ask you to verify your identity so that the scammer can steal your login credentials or other personal information. Another common variation uses the lure of free cash or other rewards. Unfortunately, offers that seem too good to be true are often scams designed to steal your money or information.

Return to Sender

Scammers have long used phishing emails that appear to come from shipping services. These phony shipping emails become more frequent during the holidays and can target both senders and recipients. 

Nobody wants to experience delays with merchandise they’ve ordered or packages they’ve shipped—especially when it comes to last-minute gifts. If you’ve been shopping online, you’re likely to pay attention to an urgent email about a package that couldn’t be delivered. These phishing emails use plausible timing and content to trick you into clicking a link or opening an attachment without thinking. They often contain a malicious attachment—perhaps disguised as a fake invoice or notification—that can infect your device when downloaded.

What Can I Do?

The best way to avoid holiday phishing attacks is to carefully examine any email that prompts you to take action. Since scammers can easily imitate brand logos, “From” addresses, and signatures, you must look deeper.

Ask Yourself:

  1. Am I sure about where this message came from?
  2. Does this message seem odd compared to others I've gotten from this sender in the past?
  3. Is this message confusing or does it mention an account or purchase I don't recognize?
  4. Is this message urging me to act quickly or trying to frighten me by mentioning problems with an account, purchase, or shipment?
  5. When I hover my mouse over the "From" address and web links, do I see anything unexpected or suspicious?

If you're still unsure about an email, confirm the information or offer. Call a trusted number, or visit a known website by typing the address into your browser.