SafeHome.org may receive compensation from some providers listed on this page. Learn More
Here’s a sobering thought: Fraudsters have siphoned off over $952 million from our bank accounts since the pandemic hit.[1] We don’t know exactly what’s behind the mass theft, but grifting is clearly a cottage industry now.
The holiday season is probably the worst time of year for fraud. Come Thanksgiving, cyber goons are out in full force, with fresh decks of scams up their sleeves. Meanwhile, we’re all rushing around shopping for family and friends — and maybe not paying as much attention to the fine print as we should be. It’s the perfect storm for ID theft and bank scams.
Frankly, the thought of spending even a minute of my holiday family time outsmarting cyber thugs really brings out the Grinch in me. But such are the times, and we really have no choice but to keep our eyes peeled. So without further ado, here are the cruddiest scams on my radar this yuletide.
FYI: At 73,160 reports and counting, online shopping takes the lion’s share of FTC fraud complaints this year.
Need a little extra money this Christmas? I know I sure could. Cybercriminals, who prey like hyenas on the most vulnerable members of the herd, know the feeling of not having enough for the holidays. Instead of hopping on Craigslist and finding work themselves, they’ve found a pretty nasty workaround: create a fake ad and hook a job hunter with promises of Christmas cash as long as … ready for the catch? As long as the job searcher hands over some personal information by email. (They could also ask for money for training or equipment.) If you send your sensitive details, you’re on a crash course with identity theft.
Want to stay safe? Don’t hand over any personally identifiable information (PII) by email, whether it’s your driver’s license, Social Security number, or just your birthdate. The same goes for venmoing uniform money. If you don’t want to look over your shoulder every time you fill out a form online, put all your online assets under lock and key with some grade A identity theft protection.
Did You Know? How common are fake job ads? Try these numbers on for size. LexisNexis, the data analytics outfit, tallied around 2,900 last March. By July the number had grown to 18,900. Come October, there were 36,350. Yikes![2]
Notice the extra “n” in the URL above? No? Well, that was a test. So take note. As the holidays approach, we’re all in a rush to snatch up gifts in spare moments. Many of us will be doing the bulk of our shopping online. It’s really easy to type an address that’s off by one letter into your browser’s address bar. Fraudsters know this, so they snatch up copycat website addresses like amazonn.com or targets.com and create copycat websites.
Once you enter their cyber lairs, scammers can extract whatever information they want, depending on the nature of the website — your credit card number, phone number, even your driver’s license number. Which is exactly what happened in this Spiirit Airlines (not a typo) employment scam, uncovered by ProPublica. See if you can tell the fake from the real McCoy.
Spiirit Air courtesy of ProPublica
Want to stay safe? It’s so easy to type the wrong address into a browser that, if you don’t have some form of malware protection, anyone can fall victim to a lookalike website scam. You don’t necessarily have to invest in antivirus software to stay safe (though we do recommend it).
Beware: Copycat traps can come in the form of emails, too, so scrutinize all “official” company mail before you click. If you catch an email from PayPal in your inbox, for instance, and notice that PayPal has an urgent request that involves you handing over bank details or account details, it’s not PayPal. Likewise, never click on a link you’re not sure about. Copycat email links take victims to copycat websites, sucking them further into bottomless fraud.
Giving to a charity is the very essence of the holiday spirit — unless you happen to inadvertently line the pockets of a parasite pretending to be collecting for military veterans or a disaster relief fund (two very popular holiday charity scams). That’s when you’ll likely feel more like the Krampus than jolly old Saint Nick.
The problem is that we Americans love donating. According to Giving USA, we gave away nearly $485 billion in 2021 alone.[3] (Not all of that came out of Bill Gates’ piggy bank. Normal folks gave, too, and they tend to be the ones scammers sink their claws into.) You can run afoul of a fake charity anywhere during the holidays — on Facebook or Instagram, by email, even by phone. I think you know the M.O. by now. The slobs ask for your info (financial in this case), you give it, and that’s all she wrote.
Want to stay safe? The telltale signs of a fraudulent charity are: pressure to donate, thank-yous for fake donations you never made (asking you to help out yet again), and requests for cash payments or wire transfers. So don’t be a Xmas patsy. Never give sensitive data in any shape or form to any charity, even a bona fide one.
FYI: There are so many fraudulent charities floating around these days, organizations have begun to keep track. If you’re in doubt about your Xmas giving (which should be your default mode), head on over to CharityWatch [4] or the Better Business Bureau’s Wise Giving Alliance [5] before you commit. If something smells rotten in Fraudville, they’ll have the goods on the bandits.
Branden Esparsa fell for it. But it looked so legit, you can’t really blame him. A man named Dan Poole messaged Esparsa about a laptop Esparsa was selling. Esparsa sent Poole a request for payment through PayPal and then shipped the laptop priority. What he got instead of money was an email from PayPal telling him they weren’t done processing his request yet. He actually received a series of emails. Esparsa started to get suspicious.
Turns out those emails were good fakes coming from Dan Poole himself (who also went by the name of Joe Poole and Kurt Daniel and didn’t even have a PayPal account). Esparsa didn’t connect the dots in time, and now he was out $580 a few weeks shy of Christmas. Think you could have passed this scam test? Here’s the email Esparsa got.
This is what a fake PayPal email looks like.
Want to stay safe? Use a platform like eBay if you’ve got something valuable to sell. Branden Esparsa was trying to avoid those seller’s fees. Looking back, I bet he’d rather have paid 15 percent for eBay’s online security than lost everything to a grubworm with three different names.
Did You Know? One dead giveaway that you’re dealing with a phishing crook is communication that starts “Dear customer.” PayPal knows your name. (You can add your bank or any other service you ever signed up for to this list.) They’ll never forget it when they reach out to you.
If there’s one holiday scammer that really boils my blood, it’s the type of slug that targets older folks with weakened defenses. If I could put them all on a one-way flight to Mars with Elon Musk, you bet I’d do it faster than you can say “Christmas beast.” But, alas, we’re stuck on planet Earth with these criminals.
Seniors don’t get scammed as often as younger folks, but when they do fall victim, the amount of fraud tends to be higher ($1,600 per transaction, according to the FTC [6]). And, generally, that’s all the slimeballs are after: quick money fixes. They get their cash by impersonating a family member in need. With enough attempts and enough time — and they have nothing but time — they can usually fill their stockings for Christmas.
Want to stay safe? There’s something we call the “scams and predators” talk around here. You sit your little ones down, explain what cyberthreats are, how to recognize the creeps behind them, and what your kids can do to stay safe online. If you’ve got seniors in your family, please give them a refresher course. For iron-clad protection, a first-rate family ID theft protection plan is what we recommend.
FYI: Elder fraud is on the rise. Last year the DOJ put an eight-man ring of elder fraudsters in shiny silver cuffs. But the damage they’d caused was extensive. Pretending to be grandchildren in a fix, the vampires sucked about $2 million out of their older victims’ savings accounts.
Believe it or not, the FTC has marked gift card fraud as one of the most dangerous forms of the grifter’s art at holiday time. In fact, almost 25 percent of fraud victims this year lost money buying gift cards for swindlers.[7] Here’s how it works.
You want to buy something. For whatever reason you end up dealing with a bogus entity. Instead of a credit card, Joe Sleaze asks for a gift card as payment. And not just any gift card. This year eBay gift cards are very popular. So you go and buy some eBay credit, give the PIN to Joe Sleaze, and your money disappears faster than Frosty in a greenhouse.
Want to stay safe? This doesn’t require a Ph.D. in Fraud Prevention. If someone asks for a gift card as payment this Christmas, cut that convo short. It’s a scam. If you fall victim, the FTC keeps a list of card issuers.[8] Keep the card you used and your receipt, and report the fraud pronto.
FYI: This might not be obvious, but one reason Xmas crooks like gift cards so much is because they’re pretty much untraceable.
It’s not just the McCallisters from Home Alone that plan trips for the holidays. A lot of us get the travel bug around Christmas time. Even if we don't actually take that trip to Miami in December, we’re planning for it, and maybe even buying tickets. Black Friday and Cyber Monday are usually all the incentives we need to click purchase. Enter the faux travel agent.
These slimeballs are like the scalpers lurking in the shadows outside baseball stadiums, except they’re hawking discount tickets to Hawaii for $100 by email. They’ll use all sorts of creepy, but effective social engineering ploys to get you to click on bogus links or divulge your bank info. The deals will be “going fast.” They’ll be pressuring you to “buy now or lose the offer forever.” You know the rest of the story.
Here’s what social engineering tactics look like in action. Just for the record, the president of the United States doesn’t run a bitcoin charity.
A fake bitcoin scam using a social engineer's playbook
Want to stay safe? Expedia may not get you to Hawaii for the price of dinner for eight at Applebee’s, but paying a little more for a real flight is a whole lot better than getting grifted for Christmas. We’ve said it before, but we’ll say it again — if you see an ad that looks too good to be true, it’s usually a scam.
Did You Know? It was a 17-year-old “Floriday Boy” who muscled his way into Twitter’s VIP accounts in search of bitcoin. Kid Grift, aka Graham Ivan Clark, is now looking at three years in the big house.
Christmas isn’t all scams and goonery. I just found out there’s a couple in Colorado who’ve been giving away fake Christmas trees to needy families for the past 12 years. They’re doing it on Craigslist.
But scams are everywhere; they’re also getting more sophisticated and won’t be going away anytime soon. Fortunately, to sidestep the majority of grifts — online and off — all you need is a steady supply of vigilance, some basic knowledge of the cyber threats du jour, and the right digital security stance.
The first two are on you. For the third, you may need a little outside help. (Most of us security experts do.) VPNs with malware blockers are good for keeping sleazeballs and their phony requests off your devices. Identity theft protection will alert you the second a creep has started testing the waters of your credit.
1. Consumer Sentinel Network Reports. (2022, Nov 20). FTC COVID-19 and Stimulus Reports. Tableau Public. https://public.tableau.com/app/profile/federal.trade.commission/viz/COVID-19andStimulusReports/Map
2. Podkul, Cezary. (2021, Oct 26). Scammers Are Using Fake Job Ads to Steal People’s Identities. ProPublica. https://www.propublica.org/article/scammers-are-using-fake-job-ads-to-steal-peoples-identities
3. Giving USA. (2021). $484.85 billion: Where did the generosity come from? https://givingusa.org/wp-content/uploads/2022/06/GivingUSA2022_Infographic.pdf
4. Charity Watch. (2022). Home Page. https://www.charitywatch.org/
5. Give.org. (2022). Helping Donors Give Wisely. https://give.org/
6. FTC. (2020, Oct 18). Protecting Older Consumers 2019-2020: A Report of the Federal Trade Commission. https://www.ftc.gov/system/files/documents/reports/protecting-older-consumers-2019-2020-report-federal-trade-commission/p144400_protecting_older_adults_report_2020.pdf
7. Fletcher, Emma. (2020, Dec 21). Gift cards top scammers’ wish lists. Federal Trade Commission. https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2020/12/gift-cards-top-scammers-wish-lists
8. Federal Trade Commission Consumer Advice. (2022). Gift Card Scams. https://consumer.ftc.gov/articles/gift-card-scams