While the risk of being hacked, conned or having sensitive information stolen exists all through the year, most security experts agree that the holiday season brings a spike in fraudulent activity, both online and off.
CSO compiled a list of twelve dirty tricks to avoid this holiday season (or any time).
After a day of shopping, you log on to Twitter and 'tweet' about how hard it is to find a Zhu Zhu Pet, this season's hot toy, for your daughter. Soon after, you receive a direct message from another Twitter user offering to sell you one. It's your lucky day, right?
Unfortunately, the user often ends up paying for a fake version of the product, or no product at all. It's the classic phishing scam with a new and sophisticated twist because criminals can see what you are looking for by monitoring your tweets on Twitter.
"It used to be that you could identify a phishing scam because they often had spelling mistakes, or the link had some kind of tell-tale sign," said Mark Cohn, vice president of enterprise security with Unisys.
But the game has changed now. The signs that made scams so obvious before are no longer always present, as more sophisticated techniques employed by criminals on Twitter and Facebook make it harder than ever to know what's legit. The easiest way to stay away from this?
"Be skeptical," said Cohn. "Double-check to find out: Who is the issuer? If it is not someone you know, think twice about buying."
Fraudulent auction and payment sites
If you do fall prey to the first scam, there is also a chance you could end up at a fraudulent site while paying for the item. Or you might find yourself at a fake auction site while bidding on an item. Escrow services such as PayPal allow businesses and consumers to securely and conveniently send and receive payments online.
However, escrow scams are increasing as fraudsters set up fake payment sites to con both buyers and sellers out of money, according to Unisys.
To ensure payment sites are legitimate and secure, Unisys security experts suggest checking that the sites have SSL certification. Also check that the web address starts with https:// rather than just http://, as the absence of that "s" is often an indicator of rogue traders.
A real escrow company will also only ask you to transfer money to them directly from your bank, i.e. a traceable transfer. If they ask for another method, refuse. Before you send anything, verify with your bank where the receiving bank is located. If this looks like it is outside the seller's own country, stop the transaction.
Another casualty of being phished is your password. Password theft is rampant during the holidays, according to security firm McAfee, which also compiled its own "12 Scams" for folks to watch out for this holiday season.
"Once criminals have access to one or more passwords, they gain vast access to consumers' bank and credit card details and clean out accounts within minutes. They also commonly send out spam from a user's account to their contacts," an official with McAfee said.
Dangerous search terms
Andrew Brandt of Webroot recently blogged about how prevalent dangerous sites have become in search results. Brandt searched for news about Zhu Zhu Pets.
"What I found were a flood of fake alert sites mixed in with the legitimate search results," said Brandt.
The bad guys know what people want, and they are getting cleverer about devising dangerous sites that will be ranked high if a user searches for a popular term. Using the most up-to-date version of your browser can help. If you try to head to a malware-laden site, the latest version of today's browsers will often warn you first that the site contains dangerous content.