Scammers Love the Holiday Shopping Season

For most of us, the Christmas holidays are a time for gift-giving, festive lights, and year-end deals; for cybercriminals, it’s peak business season. “Don’t click suspicious links” and “Don’t share your personal information online” are basics most of us know by now.

Cyber-scammers, however, have evolved. And the holiday rush gives them exactly what they need.

Black Friday made red-flag deals easier to believe:

The answer lies in our behavior. During the holiday season, we’re distracted, rushed, and emotionally primed to spend. We hunt for last-minute gifts, chase discounts, and jump between dozens of online stores, delivery updates, and payment confirmations. Add Black Friday, Cyber Monday, and year-end sales to the mix, and vigilance often takes a back seat.

Cybercriminals capitalize on this urgency and overload by launching highly targeted attacks. What would normally raise red flags starts to look normal when every inbox is flooded with “limited-time offers” and “order updates.” In fact, cybersecurity firms consistently report spikes in phishing attempts during November and December, with shopping- and delivery-related scams surging sharply. These scams often masquerade as emails or messages from well-known retailers, courier services, or payment providers.

And it’s not only the “too good to be true” discounts. You might receive what looks like a legitimate email confirming a purchase you don’t quite remember, or warning you of a delivery issue. One click later, you’re on a convincing fake website designed to harvest your credentials or payment details.

Common types of holiday phishing scams include:

Fake shopping sites:
Scammers create convincing replicas of popular online stores, advertising massive Black Friday or Christmas discounts. These sites look legitimate but are designed to steal your payment information.

Phony delivery notifications:
Messages claiming there’s a problem with your package, missed deliveries, incorrect addresses, or customs fees, prompting you to click a link or download an attachment.

Gift card scams:
Emails or messages urging you to urgently buy gift cards for a “boss,” “family member,” or “special offer,” exploiting the pressure and generosity of the season.

Bogus order confirmations:
Phishers send emails appearing to come from trusted retailers or payment providers, claiming there’s an issue with your order or payment. They ask you to log in to “resolve” the problem. This scenario can trap even vigilant users, as it creates a real sense of urgency and legitimacy. At that point, instinct alone isn’t enough, and once your credentials are entered, your personal information is at risk.

What if compromised information wasn’t enough to ruin your account?

What if, even after falling for a scam, attackers still couldn’t log in?

We offer protection even after your information has been compromised.

FIDO2 provides a robust layer of defense against phishing scams through hardware-based authentication. By using a FIDO2 security key, you add a physical barrier to your accounts. Even if scammers obtain your password, they won’t be able to access your account without the FIDO2 key itself. Many online services now support FIDO2 authentication, making it easier than ever to secure your digital life, especially during high-risk seasons like the holidays.

Phishing-resistant authentication:
FIDO2 uses public key cryptography, meaning your credentials are never shared over the network. This makes phishing attacks ineffective, as there’s nothing reusable for attackers to steal.

Secure your shopping and payment accounts:
Enable FIDO2 on email accounts, online retailers, payment platforms, and banking services wherever supported. These accounts are prime targets during the holiday season.

Safer authentication, even on untrusted networks:
Whether you’re shopping from a café, an airport, or a family member’s Wi-Fi, FIDO2 adds a strong layer of protection that passwords alone can’t provide.
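
To make the phishing-resistance point above concrete, here is an added example (not code from this page's author or from any vendor) that simulates a simplified WebAuthn-style login in Node.js and shows why a signature made on a lookalike site, or captured from an earlier login, is useless at the real site. The domain names, function names, and the reduced authenticator data (RP ID hash only) are assumptions made for illustration.

```javascript
// Added illustration: a simplified WebAuthn-style assertion, not a complete FIDO2 implementation.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Security key: the private key is created on the device and never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only value the website stores at registration
    // The browser supplies the origin it is really on; the page cannot choose it.
    sign(rpId, origin, challenge) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      const authData = sha256(rpId); // real authenticator data also carries flags and a counter
      const toSign = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: crypto.sign("sha256", toSign, privateKey) };
    },
  };
}

// Website (relying party): every check must pass before the login is accepted.
function verifyAssertion(expected, publicKey, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge) return "stale or unknown challenge";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!a.authData.equals(sha256(expected.rpId))) return "rpId mismatch";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed scenario; shop.example and shop-example.test are made-up names.
function demo() {
  const key = makeAuthenticator();
  const site = { rpId: "shop.example", origin: "https://shop.example" };
  const login1 = { ...site, challenge: crypto.randomBytes(16).toString("hex") };
  const login2 = { ...site, challenge: crypto.randomBytes(16).toString("hex") };
  const genuine = key.sign(site.rpId, site.origin, login1.challenge);
  // Same user on a lookalike page showing the real challenge. A real key would hold no
  // credential for that RP ID; it signs here only to exercise the server-side checks.
  const phished = key.sign("shop-example.test", "https://shop-example.test", login1.challenge);
  const tampered = { ...phished, clientDataJSON: genuine.clientDataJSON, authData: genuine.authData };
  return {
    genuine: verifyAssertion(login1, key.publicKey, genuine),
    phished: verifyAssertion(login1, key.publicKey, phished),
    tampered: verifyAssertion(login1, key.publicKey, tampered),
    replayed: verifyAssertion(login2, key.publicKey, genuine),
  };
}
console.log(demo());
```

Only the first result is accepted: the lookalike-site assertion fails the origin check, relabelling it fails the signature check, and an old assertion fails against a fresh challenge.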

A quick checklist if you fall victim to phishing:

Change your passwords:
Immediately update passwords for any affected accounts, starting with email and financial services.

Notify relevant parties:
Contact your bank, payment provider, or retailer to report the scam and secure your accounts.

Monitor your accounts:
Keep a close eye on bank statements, credit cards, and order histories for suspicious activity.

Educate yourself and others:
Sharing your experience helps raise awareness and reduces the chances of others falling for similar scams.

The holiday season should be about joy, not dealing with fraud or identity theft. Staying alert and using phishing-resistant security might be the difference between end-of-year celebrations and account recovery emails.
