While we’re looking forward to spending quality time with the family and tucking into some good food this Christmas, cybercriminals aren’t taking the holidays off. For them, it’s a massive opportunity to take advantage of the surge in online shopping activity during those last-minute rushes to get the perfect gift.
According to McAfee’s 2024 Global Holiday Shopping Scams Study, Black Friday-themed emails alone saw a 495% increase from October to early November. Christmas-related emails rose by 314% during that same period.
In fact, 3 in 5 Americans are on high alert this year for holiday scams due to the surge in AI-powered attacks, and 78% believe cybercriminal activity intensifies during the festive season.
So, we’re going to help you pinpoint the top scams criminals are running during this holiday season, and how you can keep yourself, and the family, cyber-secure.
NordVPN – The best VPN overall ($3.39 $2.99 per month)
NordVPN Basic is available for $2.99 per month for two years, plus three months free. It’s consistently topped our overall VPN rankings as the best VPN available right now, thanks to:
Lightning-fast speeds in over 110+ countries
Reliable access to geo-blocked services wherever you are in the world
Support for up to 10 simultaneous connections
All plans come with a 30-day money-back guarantee.View Deal
1. Festive phishing scams
Scammers are constantly thinking ahead and trying to leverage current news or events. At Christmas, that means impersonating services you’re likely to come into contact with through email and texts. Think notifications about flash sales, limited-time deals, and delivery updates for packages you’re eagerly awaiting.
These messages are designed to look as legitimate as possible so that you won’t suspect you’re actually clicking a malicious link. Once you’ve opened the link, you’ll usually be prompted to provide personal or financial information to learn more, which is then sent to bad actors.
As well as using offers to entice unsuspecting shoppers, criminals using phishing scams rely on fear to prompt you into immediate action. This often takes the form of fake security alerts warning you about unauthorized access to one of your accounts. However, during the Christmas season, it’s common to see messages claiming there’s an issue with your delivery or payment for a gift that demands urgent attention.
Then there’s the AI problem. Convincing scam messages can now be generated extremely quickly using AI models, meaning that it’s easier than ever for scammers to scale up massive campaigns for email and text fraud that look indistinguishable from the real thing.
Research from Norton suggests that enticing scam messages work. 47% of their respondents said that they’re willing to share personal information if it means they will receive a discount while shopping.
Always verify the sender of any suspicious texts or deals that seem too good to be true. If you’re even a little bit wary, don’t hand your info over.
2. Fake shopping sites
Doing your Christmas shopping online can save some huge headaches during the last-minute rush, but scammers are very aware of shifting consumer preferences away from in-person retail shopping.
They create fake shopping sites similar to existing retailers, which can look incredibly similar to the real thing, so you’ll hand over your payment details. It’s often hard to tell that these sites are malicious unless you know what you’re looking for.
If a deal seems too good to be true, it probably is.
So, to keep shoppers from questioning the authenticity of their fake sites, scammers will typically advertise limited-time deals and massive discounts to create a sense of urgency.
When you’re hunting for that perfect gift at a great price, and you’re running out of time, these offers can be hard to resist. However, once you’ve handed over your payment details and personal information, it’s likely your gift will never arrive. Unfortunately, that’s only the start of your troubles.
To protect yourself, look closely at the URL of the site and see whether there are any misspellings you wouldn’t expect. It’s worth doing a quick Google to see if you’re actually on the correct site. You should also see whether or not they’re using HTTPS for site security, as well as whether there’s any dubious AI-generated imagery in place. If a deal seems too good to be true, it probably is.
3. Charitable charlatans
Scammers will stoop pretty low to run a successful scam. In the festive season, we’re often reminded of those less fortunate than us and more inclined to donate to charity. Scammers know this, and they’re definitely not above pretending to be a charity to make a quick buck.
AARP’s 2025 data tells us that more than half of its respondents (57%) donated money to charity in the last year. More than one-third of those asked (35%) say they received a donation request in the last 12 months that could be a scam. Despite this, 59% of respondents say they don’t always research an organization before donating.
To take advantage of the inclination to donate to charity, bad actors create fake charity websites that closely mimic legitimate organizations. This allows them to bank on the trust the public has in certain charities while making off with the donations themselves in the process.
To donate legitimately and ensure your money goes to those who really need it, go directly to a charity’s official website rather than using links from emails, texts, or social media posts.
How to stay safe this Christmas
With cyber threats ramping up during the festive period, it’s worth taking a moment to read up on how to protect yourself and your loved ones against scams. Here’s some practical steps you can take:
- Be wary of links in your email inbox: If a deal or alert seems suspicious, get in touch with the retailer directly through their official website instead of clicking a link you’ve received.
- Don’t trust delivery texts without verification: Scammers love to imitate delivery services. Always check your tracking information on the courier’s official website and don’t send any personal details through links you receive.
- Enable two-factor authentication: Use 2FA wherever it’s available to add an extra layer of security to your accounts. Even if a hacker does end up with your password, they won’t be able to log in without permission from your 2FA device.
- Use a VPN while shopping and browsing: A VPN encrypts your connection and can help protect your data, too. NordVPN’s Threat Protection Pro can detect fake phishing sites in real time. There’s also Surfshark’s Alternative ID feature, which lets you create disposable email addresses and personal details for shopping with those sites that you’re not quite sure you can trust.
