Holiday Phish

Shopping online can save time and effort during the often-hectic holiday season, but it also carries risks. While shopping scams happen year-round, attacks tend to surge near the holidays. So at this time of year, it’s especially important to examine any email that asks you to click a link, download a file, or confirm login credentials or payment information.

When you shop at a brick-and-mortar store, you might leave with a paper receipt, but shopping online usually triggers a flurry of emails, texts, and other communications. People expect to receive order confirmations, electronic receipts, and shipping notifications—not to mention countless alerts about special deals, sales, and rewards. Scammers build on these expectations to create convincing phishing emails.

Fake Retail Emails

Scammers often send phishing emails that appear to come from large department stores, e-commerce sites, and other popular retailers. Because consumers already expect to get emails from these legitimate brands, they can overlook a well-disguised phish.

Some of these fraudulent emails play on the emotion of fear. For example, you might receive a fake notification that warns you’ve been locked out of your online shopping account. It might ask you to verify your identity in order to steal your login credentials or other personal information. Another common variation uses the lure of free cash or other rewards. Unfortunately, offers that seem too good to be true are often scams designed to steal your money or information.

Return to Sender

Scammers have long used phishing emails that appear to come from shipping services. These phony shipping emails become more frequent during the holidays and target both senders and recipients.

Nobody wants to experience delays with merchandise they’ve ordered or packages they’ve shipped—especially when it comes to last-minute gifts. If you’ve been shopping online, you’re likely to pay attention to an urgent email about a package that couldn’t be delivered. These phishing emails use plausible timing and content to trick you into clicking a link or opening an attachment without thinking. They often contain a malicious attachment—perhaps disguised as a fake invoice or notification—that can infect your device when downloaded.

What Can I Do?

The best way to avoid holiday phishing attacks is to carefully examine any email that prompts you to take action. Since scammers can easily imitate brand logos, “From” addresses, and signatures, you must look deeper.

Ask Yourself:

  • Am I sure about where this message came from?
  • Does this message seem odd compared to others I’ve gotten from this sender in the past?
  • Is this message confusing, or does it mention an account or purchase I don’t recognize?
  • Is this message urging me to act quickly or trying to frighten me by mentioning problems with an account, purchase, or shipment?
  • DO I SEE ANYTHING UNEXPECTED OR SUSPICIOUS when I hover my mouse over the “From” address and web links?

If you’re still unsure about an email, confirm the information or offer. Call a trusted number, or visit a known website by typing the address into your browser.

The SYSTECH Zoom room is open and ready to help Monday through Friday, 8:00 am to 5:00 pm: https://uust.org/help/

Happy Holidays!

Office of Systems and Technology

Skip to content