Holiday season is a high-volume season for fraud: more online shopping, more delivery updates, more travel, and more new devices getting set up quickly. Attackers win by blending into that noise. The easiest way to stay safe is to pre-commit to a few rules for payments, links, and account recovery.
Holiday safety checklist (fast wins)
| What you are doing | Do this | What it prevents |
|---|---|---|
| Shopping online | Use a credit card, check the domain carefully, and avoid paying by gift cards or crypto. | Fake stores and irreversible payment fraud. |
| Tracking deliveries | Ignore delivery links in texts, and open carrier sites directly. | Smishing and credential theft. |
| Travel and public Wi-Fi | Keep devices updated, use screen locks, and avoid logging into sensitive accounts on unknown networks. | Account takeovers and session theft. |
| Setting up new devices | Update OS first, turn on "Find my" features, and enable strong authentication on key accounts. | Loss, theft, and recovery lockouts. |
| Family gifts and kids devices | Set parental controls and remove risky app permissions early. | Accidental purchases, exposure, and account compromise. |
If you only do one thing: never pay or "verify" with gift cards. That is one of the clearest holiday scam signals.
1) Shopping scams: fake stores and too-good pricing
Fake stores look legitimate enough to get a payment, then disappear. The goal is to catch you when you are in a hurry.
- Check the domain carefully and look for subtle misspellings.
- Be skeptical of extreme discounts for high-demand items.
- Prefer credit cards over debit cards for fraud dispute options.
- Avoid paying via wire, crypto, or gift cards.
If you need a practical shopping checklist, use how to stay safe while shopping online.
2) Delivery scams (smishing) and fake "failed delivery" messages
Delivery scams spike when people are expecting packages. The pattern is simple: a text claims your package is stuck, then pushes you to a link that steals credentials or payment details.
- Do not click delivery links in texts.
- Open carrier sites directly or use the official app you already have.
- Do not enter payment details to "release" a package unless you verified the source.
If you want a formal definition, see smishing.
3) Gift card scams and "urgent" payment requests
Gift cards are popular with scammers because they are fast and hard to reverse. The request is often framed as a holiday surprise, a last-minute emergency, or a favor from a boss or family member.
- Treat gift cards like cash. Once sent, they are usually gone.
- Verify payment requests out of band (call a known number, not the number in the message).
- Do not share card codes in photos or screenshots.
4) Account takeovers during the holidays
Holiday travel and new device setups increase lockouts and mistakes. Account takeover often starts with one compromised account, then uses recovery to spread.
- Secure the inbox first. Email is the reset button for most services.
- Enable two-factor authentication (2FA) on high-value accounts.
- Use unique passwords stored in a password manager.
- Watch for unexpected password reset emails and MFA prompts.
For a general containment flow when something looks wrong, use been hacked? take these steps immediately.
5) New phones, tablets, and laptops: set them up like you will lose them
New devices often get configured fast, with default settings and reused passwords. A safer setup sequence:
- Update the operating system and browsers immediately.
- Turn on full-disk encryption and a strong screen lock.
- Enable "Find my" and remote wipe features.
- Set up strong sign-in for Apple ID or Google accounts, because they often control recovery.
If you suspect a device is acting strangely or you clicked something suspicious, use how to check if your phone is hacked.
6) Family and kids devices
Kids devices get targeted too, often through games, DMs, and account recovery scams. Set guardrails early:
- Use parental controls for core platforms: online services and apps.
- Be cautious with friend requests and DMs, even when they look like a classmate.
- Teach one rule: never share codes or passwords with anyone.
High-authority guidance worth keeping
CISA and the FTC publish consumer guidance that aligns with the durable decision rules above:
Holiday security is not about being paranoid. It is about removing irreversible failure modes. When you avoid gift-card payments, ignore delivery links in texts, and protect the inbox and recovery channels, most seasonal scams lose their highest-value outcomes.
The best goal is consistency. You do the same safe moves when you are tired, traveling, and distracted as you do on a normal day. That is what makes the season noisy but not dangerous.
Over time, the strongest posture is boring: you navigate to sites directly, you verify payment changes out of band, and you keep authentication and recovery strong. Those three habits prevent most holiday incidents from becoming multi-account recoveries.