
Shop Safely! How to Avoid Christmas Online Shopping Scams

The holiday season, sales, and gift shopping drive online commerce. Unfortunately, it’s also a period of increased activity from cybercriminals, who exploit the rush, emotions, and time pressure that come with shopping. Even though financial institutions continually strengthen security, scammers are using increasingly sophisticated tools, often powered by AI. That’s why it’s especially important now to approach online transactions consciously and be aware of the latest techniques cybercriminals use.

  • By Michał Brandt
  • Case study

Is it really a deal? Watch out for “super promotions”

First, let’s look at what we can do ourselves to feel safer while making it harder for online criminals. No matter how you shop online, it’s important to follow a few key rules. Above all, if you find an exceptionally good offer, pay attention to the price. It should raise a red flag if it’s much lower than in other stores or from other sellers. A discount of 30%, 50%, or even 70%? In 99% of cases, it’s a planned scam. You’ll never receive the goods, and your money will be lost. If you decide to take such a “deal,” most of the risk is on you.

Remember: Promotions that look too good to be true usually are. Huge discounts, no store history, or reviews that appeared “yesterday” are warning signs.

Before buying, check whether the store has reliable contact information, how long the domain has existed, whether the return policy and terms are detailed, and whether product images aren’t stolen from other sites. The internet is full of fake stores that disappear right after the holidays—along with customers’ money.

Modern Fakes, More Realistic Than Ever Thanks to AI

Cybercriminals use AI to generate professional-looking messages, realistic emails with brand logos and tone, graphics and documents, and even audio and video recordings impersonating store employees, courier companies, or financial institutions. If you receive a message requesting immediate payment, order confirmation, or an “urgent verification,” exercise extra caution.

Check the Website Address and Certificate — Don’t Be Fooled by Lookalike Domains

Scammers often use a simple trick: they swap individual characters in a domain name (the website address) for look-alike characters, or register misspelled versions of popular addresses to catch users who mistype them. One of their favorite tools is a website that looks almost identical to the original. The differences are often just one letter, two characters swapped, or a different domain ending.

Remember:

  • Click the padlock icon and check who issued the certificate.
  • A certificate alone does not guarantee full security — fake websites can have them too.
  • Avoid sites that ask you to log in again or “verify your identity” immediately after entering.
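As an added example (not part of the original article), the following Python script shows how the lookalike tricks described above can be checked mechanically: it decodes punycode so that an internationalized domain name is inspected as the letters a user actually sees, folds a handful of Cyrillic and Greek letters that look like Latin ones, and compares the registrable domain against a constructed allow-list of trusted shops, flagging a different domain ending, one or two changed or swapped letters, and (going slightly beyond the text) a trusted name hidden inside a longer hostname. The allow-list, the small confusable table and every URL below are assumptions made up for the demonstration.

```python
"""Lookalike-domain check for a shopping link (added example, not from the article).

Assumes a small, constructed allow-list of shop/bank domains the user trusts.
All URLs used here are made up for the demonstration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the domains you actually shop or bank at.
TRUSTED_DOMAINS = {"shop-example.com", "mybank-example.com", "courier-example.com"}

# A few non-Latin letters that render like Latin ones. Real confusable tables
# (e.g. Unicode TR39) are far larger; this small mapping is only a demonstration.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u03bf": "o",  # Cyrillic es, dze, i; Greek omicron
}


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL; punycode (xn--) labels are decoded so that
    an IDN homograph can be inspected as the letters the user sees."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").strip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already contains non-ASCII letters; inspect it as-is
    return host.lower()


def skeleton(host: str) -> str:
    """Fold confusable characters to their Latin lookalikes (NFKC first, which
    also folds fullwidth letters and other compatibility forms)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host))


def registrable(host: str) -> str:
    """Last two labels. Naive on purpose: a public-suffix list is needed for co.uk etc."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1, and
    swapping two adjacent letters ("reversed characters") also costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(url: str) -> str:
    """Return one of: trusted, homograph, brand-in-subdomain, wrong-tld, typosquat, unknown."""
    host = hostname_of(url)
    if registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    folded = skeleton(host)
    reg = registrable(folded)
    if reg in TRUSTED_DOMAINS:
        return "homograph"  # looks identical, but uses non-Latin letters
    labels = folded.split(".")
    for trusted in TRUSTED_DOMAINS:
        t_labels = trusted.split(".")
        # trusted name appears as a subdomain, e.g. mybank-example.com.evil-example.net
        if any(labels[i:i + len(t_labels)] == t_labels for i in range(len(labels) - len(t_labels))):
            return "brand-in-subdomain"
    sld, _, tld = reg.rpartition(".")
    trusted_parts = [t.rpartition(".") for t in TRUSTED_DOMAINS]
    if any(sld == t_sld and tld != t_tld for t_sld, _, t_tld in trusted_parts):
        return "wrong-tld"  # same name, different domain ending
    if any(edit_distance(sld, t_sld) <= 2 for t_sld, _, _ in trusted_parts):
        return "typosquat"  # one or two letters off, or two letters swapped
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; the third uses a Cyrillic "o" in "shop".
    for sample in ["https://www.shop-example.com/cart", "https://shop-example.shop/sale",
                   "https://sh\u043ep-example.com/login", "https://shop-exmaple.com",
                   "https://mybank-example.com.evil-example.net/login", "totally-different-example.org"]:
        print(f"{classify(sample):20} {sample}")
```

Run it directly to see the verdict for each sample link. The edit-distance threshold of 2 and the last-two-labels notion of a registrable domain are deliberately simple; a production check would use a public-suffix list, the full Unicode confusables table and a longer allow-list, and would still only be a supplement to looking at the address yourself.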

Pay Attention to Website Behavior

If an operation takes unusually long, especially when logging into your bank or making a payment, it could be a sign that you’re on a fake website. Often, a loading circle appears in the middle of the screen or a message like “Please wait…” shows up. In some cases, you may see an “Error occurred” message. In all these scenarios, it usually means that cybercriminals, who just captured your real login details for your bank, email, or another service (entered on a previous fake login screen), are trying to “buy time” to empty your account or access your mailbox. A good way to prevent this is to use two-factor or multi-factor authentication, which we’ll discuss shortly.

Remember: Is the website behaving unnaturally? Does it make you wait, keep loading, ask you to log in again, or interrupt the process? This could be a sign that a scammer is trying to steal your data and gain time to take over your account. If that happens, leave the website immediately.

Read SMS Confirmations and Bank App Notifications Carefully

Let’s assume that cybercriminals manage to log into your bank or another financial service. They may attempt a transaction—usually a transfer to an unknown account or the purchase of cryptocurrency. For such a transaction to go through, it must be confirmed via an independent channel. Most often, this is a code sent to a trusted mobile number or a confirmation in the bank’s mobile app. In such cases, you should ALWAYS carefully verify the transaction details—account number, transaction amount, and recipient name. If you have any doubts, stop the operation immediately—under no circumstances should you enter the code from an SMS or confirm it in the mobile app!

Remember: SMS and email confirmations are your last line of defense. Always double-check the amount, recipient, account number, and type of transaction. If anything seems wrong—stop the process. Even the best security measures won’t protect you if you confirm an unauthorized operation yourself.

Secure Network, Secure Device

Shopping on public Wi-Fi is not a good idea. In malls, cafés, and airports, a man-in-the-middle attack is possible, allowing attackers to intercept your data.

Safe practices:

  • Shop on a trusted network or use a VPN,
  • Keep your system and apps up to date,
  • Use anti-malware software,
  • Do not install apps from untrusted sources.

Install and regularly update anti-malware software!

During the holiday season, cybercriminal activity involving various types of malware intensifies (more on this later in the text). It is therefore crucial that devices—especially Windows PCs—are protected with regularly updated anti-malware software from a reputable provider. Only then can such software effectively prevent infection, propagation, and execution of malicious programs.

Because of how their systems are designed, computers, tablets, and phones running Linux/Unix, iOS/macOS, or Android are potentially more resistant to such attacks. It’s also worth paying attention to services provided by internet and mobile network providers, such as “Cyber Shield” or “Safe Internet.” Some of these services offer partial protection against the threats mentioned for a small fee.

Whenever possible, use two- or multi-factor authentication

Financial institutions, such as banks, as well as other service providers—email, e-commerce platforms, or social media—offer the option to secure accounts with an additional authentication factor. This is usually a code sent via SMS, confirmation through a dedicated mobile app, or a one-time code from a hardware or software token. Using this mechanism can help prevent most of the attacks described above.

Fake mobile apps

During the holiday season, there is a surge of apps mimicking popular stores or promotional campaigns. Once installed, they can capture SMS messages, logins and passwords, or card information. Only install apps from official stores, and pay attention to the publisher’s name and the number of downloads.

“Package surcharge 2.0” scam – the evolution of a classic

Fraudulent requests for a small extra payment for “delivery,” “surcharge,” or “an undeliverable package” have now evolved: they are generated en masse by bots and often appear while you are genuinely expecting a package. This makes them easier to fall for.

“Support” scams — impersonating customer service right after a purchase

Increasingly, users receive calls from fake “customer service” claiming that a transaction failed and needs to be “verified.” The goal is to steal SMS codes or convince the user to install remote access software. Legitimate companies never ask for such actions.

Malvertising — fake sponsored ads

This is a rapidly growing trend. Cybercriminals promote fake websites through sponsored ads on search engines and social media. The ad looks real, but the link leads to a scam. Simple rule: if you reach a store via an ad, always verify the domain address before making any purchase.

Be cautious on social media — scams preying on emotions

Social media platforms have become major channels for both sales… and fraud. Criminals exploit fake store profiles, stolen product images, impersonation of influencers, fake contests, and “gifts for $1.” Before making a purchase, check the profile history, comments, and whether the account has existed for a long time.

Types of shopping attacks and example scenarios

We’ve discussed how to stay safe and what to pay special attention to when shopping online (and beyond). Now, let’s look at the types of attacks criminals use and the scenarios they exploit:

  • One of the most common ways to steal money is to present the victim with a cloned, fake store, bank, or service website and trick them into entering their login details. Once captured, criminals attempt to execute unauthorized transactions, and in more advanced scenarios, they may try to intercept one-time codes or persuade the victim to confirm a transaction, for example, through a mobile app.
  • Often, the link to a fake site is delivered via email, instant messaging—such as Messenger, WhatsApp, Allegro or OLX chat, Instagram—or even SMS. It’s crucial to approach any unusual message with caution. Receiving such a message usually indicates an attempt to steal money or login credentials.
  • A particular type of attack is an SMS claiming an underpayment for a courier or an electricity bill, threatening to cut off service if a small debt isn’t paid. The amounts are often very small, from a few cents to a few dollars. The included link leads to a fake website, after which funds are siphoned off according to previously described scenarios.
  • You may also encounter attempts to extract login details through messages claiming that a password change is required. This attack is difficult to distinguish from legitimate communications, as many online services legitimately prompt users to change passwords. It’s therefore important to carefully analyze such messages, checking the sender’s address, domain, graphics, language errors, etc. Remember, in most cases, password changes can be done directly on the official website—you never need to click links in emails.
  • A similar variant involves coercing victims into “verifying” their payment card, bank account, or online service account. The goal is to capture login data and attempt transactions or card payments. Regardless of the variant, always verify the website address in the message link, including the domain and security certificate.

“YES/NO” — a 30-second safe holiday shopping test

Answer these 5 questions:

  1. Does the domain look unusual?
  2. Is the offer too good to be true?
  3. Did you receive the link in a private message or SMS?
  4. Does the website ask you to log in again?
  5. Are you being pressured to act “immediately, or the promotion will be gone”?

If you answered “yes” to any of these — stop and walk away.

The most important rule: When in doubt — cancel the transaction

If anything raises concern, it’s better to skip the purchase than risk losing your money. Cybercriminals count on haste, time pressure, and the emotions that come with the holiday shopping season. Before diving into the shopping frenzy, it’s a good idea to: change passwords on your most important accounts, enable MFA/2FA everywhere, check whether your email has been involved in a data breach, and remove unused apps and browser extensions. This is a simple way to reduce the risk of attacks.

Wishing you calm, safe, and mindful online shopping!