The current economic situation also brings new worries that hackers can exploit—such as the fear of supply-chain issues and a sense of urgency that what you want may be in short supply.

“Cybercriminals understand this mind-set and take advantage of every trick to gain access to your personal information, credit-card numbers or other data they can leverage later,” retired Brig. Gen. Touhill says. “They prey on human nature.”

Many crooked choices

Criminals have a cornucopia of scams from which to choose around the holidays.

One popular scheme, sometimes known as a discount scam, involves luring potential victims with an ad. The scammers know what you’ve been searching for online—often because they place cookies on your PC to track your activity—so they serve up a banner ad offering a coupon or sweet deal for that product.

Let’s say you click on a banner purporting to offer just the right leaf blower for Dad at a steep discount. You will land on a spoof site, like “Amaazon.com,” that looks like the legitimate site. From there, the site either asks for personally identifiable information that criminals can sell on the black market, or it requests your credit card to purchase the item. You’re charged the full amount, but the item never arrives.

“You’re getting more discount offers this time of year, so that normalizes these discount cues, even if there is bad grammar in an email or a poorly designed website—obvious signs of a bad actor,” says Kelly Shortridge, senior principal product technologist at Fastly, a cloud-computing services provider.

Worse, the holidays are a time of increased spending, so it is easy to miss a bad charge on a credit-card statement, says Judith Bitterli, senior vice president of consumer monetization at security-software firm McAfee. Attackers can easily blend in with all that noise.

Also big this year is the shipping scam, sometimes called the FedEx scam, in which criminals send an email or text telling you that your package has been delayed, but that you can get it expedited for a fee if you click on a link. They then steal your personal information along with your credit card.

Even security pros can get fooled. “I buy stuff from the U.S. often, and 50% of the time I have to pay value-added charges of 20% and customs of around 2.5% of top of the purchase price,” says Kevin Curran, professor of cybersecurity at Ulster University and co-founder of encryption-as-a-service provider Vaultree. “So, while I’m waiting for information about its arrival, by chance I get a text saying I have to pay some fee by clicking on a link, so I do.”

Losing money in a scam like that is bad, but worse, says the professor, is when criminals drop some malware on your phone or laptop when you click on a link. “We call those drive-by downloads. They are easy to install, and the bad guys can come back and get into your machine for whatever they want later.”

The gift-card scam is also proliferating, cyber experts say. This scheme takes advantage of the fact that gift cards act much like cash. They don’t have personal information attached to them the way credit cards do, so somebody can steal card information and use it with very little fear of getting caught.

It works like this: A criminal sets up an online store, or uses a platform like eBay. “Either the seller only accepts gift cards, or they say, ‘There is a problem with your credit card, do you have a gift card you can use?’ Now they have an anonymous, untraceable gift card,” says Prof. Curran, adding that gift cards don’t have the same fraud protections as credit cards.

Two other major schemes pop up around the holidays: travel phishing and charity scams. The former might arrive in the form of an email stating that a booking has been canceled, sending you to a spoof site where you’re asked to enter your credit-card number to set up a new reservation. It might also be an email directing you to a clone site offering outrageous deals on a house rental, flight or hotel room as long as you hold your reservation with a deposit.

These are popular now because people are traveling again, but there is still lots of anxiety around ever-changing Covid-related restrictions, says Raj Samani, chief scientist for cybersecurity conglomerate McAfee Enterprise & FireEye.

The charity scam might target victims via social-media feeds, asking people to donate to an organization that turns out to be phony. “These still exist in the other 11 months of the year, but the messaging becomes more pointed toward the things we’d naturally be doing around the holidays,” says Mr. Samani.

Bad Behavior

These scams come as cybercrime is booming. According to the Internet Crime Complaint Center’s 2020 report, Americans reported more than $265 million in nondelivery scams, when consumers are charged for an item purchased online but it never arrives. They filed nearly another $130 million in losses related to credit-card fraud, $54 million in “smishing” campaigns—when bad actors send texts urging recipients to reveal personal information—and $4 million in charity scams.

There are lots of steps consumers can employ to protect themselves against cyber thieves. The easiest is to keep operating systems and software up-to-date, says Prof. Curran. Widely used software companies, like Microsoft, send out patches monthly and promote their updates.

Double-checking that an email, social-media or text offer is legit is as easy as doing a quick search, says Symantec’s Mr. Thakur. “Those links often lead to websites that are pretty well made to mimic the brand at play,” he adds. If a site is purporting to be a well-known company like FedEx or Amazon, visit the site yourself rather than clicking through a potentially nefarious link.

In addition, before inputting any personal information, look to the left of the website address in the browser bar. If the website address begins with https, not just http, “that extra ‘s’ means that it uses a secure protocol for transmitting sensitive info like passwords, credit-card numbers and the like over the internet,” says McAfee’s Ms. Bitterli. “It often appears as a little padlock icon in the address bar of your browser.” It doesn’t guarantee the site is trustworthy, but not having it is a red flag. In addition, when on a site, be wary if you’re asked to update your password or account information. “Do not give your information to anyone unless you were the one who initiated the conversation,” Mr. Thakur says.

Mr. Samani advises consumers to check out review sites to be sure the discount they are being granted is the real deal. If only a handful of reviews exist, proceed with abundant caution; same if the evaluations are negative. A similar strategy can be employed for charitable organizations asking for donations: Search on GuideStar or Charity Navigator to ensure they are true organizations and head to their websites on your own, not through a link.

Damon McCoy, associate professor of computer science and engineering at New York University’s Tandon School of Engineering, whose research focuses on online scammers and cybercrime, advises shoppers and donors to pay only with a credit card, which usually offers fraud protection. “If you’ve been scammed, call your credit-card company, who will investigate and reverse fraudulent charges,” he says. That leaves little room for financial risk.

Other advice from the experts holds true with any suspicious online activity: Don’t give away personal information unless necessary, use strong passwords or log in as a guest to shopping sites and tether to your phone if using a laptop, rather than connecting to the public or open Wi-Fi network, where criminals lie in wait to harvest personal information. Don’t pay with hard-to-trace forms of payment, such as wire transfers, and use two-factor authentication for your most sensitive information, such as bank and credit-card logins. Check your credit-card statement daily during the holidays to isolate any strange purchases.

“And don’t sit on gift cards for too long, use them,” says Prof. McCoy, since crooks who scan magnetic strips while the cards sit on convenience-store racks can drain them, leaving them valueless.

Fastly’s Ms. Shortridge says that even though we are on high alert, the deluge of requests and notifications around the holidays can be overwhelming. So, slow down, update your systems, add two-factor authentication on your most important accounts—and don’t let potential scammers suck the fun from of the season. “The joy you get when you find the perfect gift to give is the thrill of the holiday,” says Ms. Shortridge. “Approach the holiday shopping season with the wisdom of the serenity prayer: Be alert but try to single out the fraud you can control.”

—

Heidi Mitchell, “The Most Popular Holiday Online Scams—and How to Avoid Them”. The Wall Street Journal, how-avoid-holiday-scams-11638474251