Common holiday email scams and how to avoid them
- Last Updated : December 17, 2024
The holidays are a time for people to celebrate, spread cheer, and connect with their loved ones. It's also the season when online purchases and gifting are at an all-time high. This increased online spending is a prime opportunity for hackers to target people with cyber attacks. They don't necessarily come up with new forms of cyber attacks during the holiday season; instead, they tweak their threat attempts to fit the context of the season.
Email attacks work particularly well during the holiday season because people are already receiving an abundance of emails. So when a threat actor sneaks in a fake email amongst the many legitimate emails, the recipient may fail to detect it. Most people are in a generous mindset around the holidays, so it's easier for hackers to extract money from them by convincing them they're donating to a noble cause.
There are many reasons that make the year-end a prime time for hackers to exploit for their monetary benefits. While it may be inevitable for these emails to land in your mailbox, being prepared to handle them safely may save you a lot of trouble and ensure that your holiday experience doesn't get ruined. In this article, we'll discuss the reasons why holiday email scams are common, some of the common types of email scams, and a few tips that can help you avoid these scams and stay safe online.
Why are holiday email scams common?
Users are bombarded with a multitude of emails about discounts, charities, flash sales, and shipping information about their orders during the holiday season. Threat actors make use of this opportunity to propagate attacks because the abundance of emails helps them penetrate and blend into users' mailboxes. They simply tweak their email content to fit the holiday context and use it to extract money or personal information from the recipients.
By making use of the year-end holidays such as Halloween, Thanksgiving, Christmas, and New Year, threat actors send emails that can exploit the high volume of online orders, shipping information, or discounts that are used during the holiday.
Types of holiday scams
There are different ways in which threat actors try to trick users into believing them. Some of these scams have become common over time. Understanding how these holiday scams occur over email and learning to spot such fraudulent emails will go a long way in protecting your mailboxes from fraudsters and threat actors. Let's take a look at the prevalent types of holiday scams.
Fake online stores
The volume of consumer shopping increases drastically during the holiday season. The number of emails sent to consumers informing them about brand offerings, discounts, and other such information is higher than at any other time of the year. This makes it easier for threat actors to deceive email recipients by posing as a legitimate store.
Under the pretext of being a genuine store, fraudsters create online stores using look-alike domain names of reputed stores. With AI capabilities, they can create websites and product listings that look exactly like the brand they're trying to emulate. They even use email templates, logos, and other creatives that are exact replicas of the original brand. Using this brand name, they send emails that nudge users to take an action.
If the email recipients make purchases from the online store, they either receive counterfeit products or no product at all. After a while, the owners become unresponsive or they close the store altogether and go on to launch other stores that they use to scam people.
Charity requests
The holidays are a time when people are more generous and goodwill flourishes across the globe. Many charitable organizations request donations during this period to contribute towards holiday clothing, toys, or to arrange festive feasts for those in need. But sometimes, fraudsters with ill intent also pose as legitimate organizations and request donations from people.
They create a domain that appears authentic and send emails that nudge the recipients to support a specific cause. This taps into the goodwill that most people tend to have during the holidays, and they sometimes go ahead to make the donation without verifying the authenticity of the sender or the organization. Threat actors send these emails either by emulating a reputed organization or by creating an organization that's completely new.
Many email recipients just perform the preliminary step of verifying the website. But hackers these days are performing elaborate schemes with the help of AI, and they go to the extent of creating a website that looks authentic. So, if a user simply checks the website, they'll tend to believe that the email is authentic and donate money. The money goes towards making the threat actors rich, definitely not to those in need.
Fake shipping information
Threat actors rely on creating a sense of panic, causing email recipients to take an action quickly before they can identify the malicious nature of the email. To create a sense of urgency and prey on recipients' panic, fraudsters send emails with fake shipping updates. Most consumers have products that need to be delivered to them during the holiday season. These update emails are sent either by stealing data about products that people have ordered or under the assumption that the recipient will be expecting something.
These emails make claims that their package is being held at a particular place due to a lack of customs clearance, or it's being held because of incomplete delivery information. They'll nudge the recipient to click on a link in the email to view the status or enter an OTP that has been sent to them. The embedded link is most likely a phishing link where they're prompted to enter their address. Other times, the hackers will demand a payment to be made to complete the clearance of customs checks.
Popular delivery services such as FedEx, DHL, UPS, or others are mimicked in these emails. The email template is a convincing replica of these services. If you happen to receive such emails, think about your pending deliveries and take action only from the online platform or seller you've placed the order with.
Gift cards
Gift cards are a popular scam that fraudsters commonly use during the holidays. Sales of gift cards rise considerably during the holidays. Companies present their employees with gift cards, and they're commonly bought as gifts for friends and family. This is one of the most profitable scams for hackers because gift cards can reach high denominations in certain cases.
Because this is a common form of gifting in organizations, this is a scam that can affect people not just personally, but on an organizational level as well. Threat actors may send emails impersonating a company's CEO to the finance or payroll team. They may demand that a certain number of gift cards be bought for people in the organization and the codes be shared with the CEO. This is a common cyber attack at the year-end, with many recipients performing the required action. This is one form of CEO fraud or business email compromise.
In another form of this type of attack, consumers receive emails about discounts on gift cards from prominent brands. If a threat actor has sent the email by assuming a genuine identity, the gift cards are probably fake, or sometimes they completely stop responding and fail to send the gift card once the payment has been made.
Flash sales and offers
During the holiday season, time-sensitive offers and discounts are at an all-time high. Most consumers are excited to use these opportunities to save money. But threat actors also make use of this vulnerability for their own gain. They send emails that mimic authentic brands, informing the recipient about a flash sale or an offer that has to be claimed immediately. They nudge you to click on a link or enter your details to claim the offer. Unfortunately, these mostly end up being bogus.
This scam, like many others, preys on recipients' mentality to perform an action within a specific duration and creates a sense of urgency. In this mindset, people fail to notice and check whether the email is authentic. While flash sales have become increasingly common, when you receive emails about such time-sensitive offers, make sure you perform the action directly from the seller's website, not from the email.
Travel scams
Many people go on vacation or travel to visit their family and friends during the holiday season. Because of this increased traffic, travel scams have reached an all-time high. Threat actors trickle into users' mailboxes under the pretext of being a travel company providing good deals and discounts on travel itineraries, packages, and tickets. The email recipient will be anxious to take advantage of these deals since airfares and hotel prices usually skyrocket at this time of the year.
If these emails are sent by fraudsters, they'll take the recipient to a fake website that mirrors a legitimate website's design, template, and logo. The email recipient, assuming that the email and website are genuine, goes ahead and makes payments to secure their vacation packages and flight tickets. This money, instead of going towards their purchases, ends up in the fraudster's pockets, and the email recipient gets cheated of their money. In return, they receive fake tickets or payment confirmations that are denied when presented at airports, train stations, hotels, and other travel checkpoints.
Tips to stay safe from holiday scams
While it's inevitable that you'll periodically receive holiday scam emails, there are a few tips and tricks you can learn to spot such fraudulent emails and even keep them away from your mailboxes. Let's take a look at some of the ways in which you can protect your email from these scams.
Learn to spot fake websites
Learning the telltale signs of a fake website and using those signs to identify whether a website is fake or genuine can help in many scenarios other than the holidays. These days, the prevalence of AI has made it much easier for hackers to create fake websites that appear authentic. But there are certain signs that give away a website that is imitating another. Here are some ways you can verify this:
- If you're clicking on the website link, ensure that you're redirected to the correct domain and there's no change or difference in spelling from the original domain.
- Check whether the website has a padlock symbol in the address bar. This indicates if the site has a TLS/SSL certificate and if the HTTPS protocol is being used.
- Check if the website has their shipping, refund, and exchange policy on the website and read through them to see if they're valid.
- Check for grammar or spelling errors in the content and see if the logo of the website or brand is correctly displayed.
- When making the payment, look at whether the brand uses secure payment gateways. If you spot non-traditional methods, avoid making the payment.
- Read through the brand's reviews to see if the brand is authentic. If people complain about counterfeit products or issues with receiving the product, proceed with caution.
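The domain-spelling check in the first item can be automated for links pulled out of an email. The sketch below is an added example, not code from this article or from any product it mentions; the allow-list, the function names, and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: domains this user really orders from (assumption).
TRUSTED = ("fedex.com", "dhl.com", "example-store.com")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED):
    """Return (verdict, matched_domain); verdict: trusted, lookalike, unknown."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", None)
    for dom in trusted:
        # The trusted domain itself or a genuine subdomain of it.
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    tokens = set(re.split(r"[.-]", host))
    # Simplification: last two labels only; suffixes like co.uk need a suffix list.
    registrable = ".".join(host.split(".")[-2:])
    for dom in trusted:
        brand = dom.split(".")[0]
        # Brand used as a label or hyphenated word on someone else's domain.
        if brand in tokens:
            return ("lookalike", dom)
        # Misspelling: allow one edit for short names, two for longer ones.
        if edit_distance(registrable, dom) <= (1 if len(dom) < 10 else 2):
            return ("lookalike", dom)
    return ("unknown", None)

# Constructed sample links, as they might appear in a shipping or sale email.
SAMPLES = ["https://www.fedex.com/track?id=1",
           "https://fedex.com.track-parcel.net/status",
           "http://fedx.com/",
           "https://examp1e-store.com/sale"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify_link(link))
```

A `lookalike` verdict means the link borrows or misspells a name from the allow-list and should not be followed. Internationalized (`xn--`) hostnames and brand names glued into longer words are outside what this check covers.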
Shop only with trusted vendors
Especially around the holiday season, hackers set up new scam websites, send phishing emails to people from different emailing lists, make a good amount of money, and close shop after they've reached their target. Always shop only with vendors with whom you've had a good experience before. If you're making a purchase on a new website, go through their reviews to ensure that people have had a good experience buying with them.
Subscribe to mailing lists mindfully
Many websites claim to provide a discount if you subscribe to their mailing lists. This is one way for them to market their brand and gain traction. However, not every brand is careful about storing these email addresses safely. Some brands even sell these email addresses on the dark web for a certain amount of money. It's not easy to decipher which brand has shared your addresses because most likely you've subscribed to multiple brands.
To avoid these scenarios, subscribe only to email lists of brands that have a good reputation. Don't share your email address on mailing lists unless you absolutely want to keep up with their updates and discounts.
Use credit cards for online purchases
Using your credit cards for shopping or booking travel online offers a certain level of security and immunity. Credit card transactions are equipped with security features that can protect from fraudulent transactions. Because the payment works on a credit system, the attacker doesn't get direct access to the money. Even if a suspicious transaction goes through, the probability of the victim getting their money back is higher with credit cards than it is with other modes of payment. Stay away from non-conventional payment methods, and make sure the payments go through a secure payment gateway.
Set strong passwords and MFA
Apart from hackers trying to make their way into mailboxes through emails, they may also attempt to use your email address to try to break into your account to gain access to sensitive information. Always configure strong passwords with a mix of upper and lowercase letters, numbers, and symbols. Make sure you also have multi-factor authentication enabled for your account. This way, even if your password gets leaked through a data breach, the additional layer of security will prevent hackers from getting into your email account.
Watch out for smishing and vishing attempts
Email accounts generally have an additional layer of security that spots certain patterns present in emails and filters them out. However, because these functions aren't available in text messages or voice calls, attackers like to use these methods to scam people. Smishing refers to the practice of attackers using SMS to create phishing attacks. Similarly, vishing refers to using voice calls to phish for information. Because there aren't any means to moderate these modes of communication, the onus is on the recipient to ensure safe practices when handling such messages or calls.
Monitor bank statements regularly
While the first line of defense is to make sure your credit card information or other such sensitive data doesn't get leaked, this may not always come to your attention. Therefore, you must monitor your bank account statement regularly. Set up periodic auto-generation of statements and have them sent to your email address so you don't miss reviewing them. Go through them meticulously to spot any discrepancies. In case you come across any issues, immediately report them to your bank and block your credit card if needed.
Avoid using public Wi-Fi
Public Wi-Fi is very easy to hack. Try not to use public Wi-Fi for your shopping needs. Hackers deploy man-in-the-middle attacks to intercept the data you enter. This includes email addresses, usernames, passwords, credit card information, and other such sensitive data. They could use this data for their monetary benefit or to hack your account. Use your mobile network to access the internet, or if you have to use the public Wi-Fi, make sure you use a VPN to stay safe from hackers.
Don't engage with emails that look suspicious
If you come across an email that arouses suspicion, tread with caution. Avoid interacting with the email or responding to it. If it elicits a response, check all sources of information and view the legitimate information, order history, or shopping deals on the relevant website before you proceed with taking action on the email.
Deploy email security solutions
The best way to prevent such scam emails from entering your mailbox in the first place is to use an email security solution that can detect such emails. Security solutions use advanced algorithms to spot suspicious patterns in emails and process them accordingly. Because human error is always possible, the best solution in such scenarios is to keep these emails away from your mailbox entirely.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.