Email is the number one channel scammers use to trick consumers, and it gets phishier during the holidays. If you’re shopping online, here’s how to stay safe – and the first thing to do if you click a phishing link.
As the holidays draw near, the hustle and excitement aren’t the only things ramping up. Phishing scams peak between September and November, when inboxes overflow with shopping and travel confirmations, charity requests, and marketing emails.
The consequences can be severe:
But don’t panic. According to Vlad Cristescu, Head of Cybersecurity at
“The holidays are prime time for scammers to strike,” Cristescu explains. “People are shopping like crazy, donating to causes, and spending more time online than usual. Scammers know we’re feeling generous and maybe a little rushed, so they take advantage of that.”
The psychology behind it is simple: we’re distracted.
“We’re all looking for last-minute deals, eager to get things done quickly, and that’s when we let our guard down. When you’re juggling a bunch of things, it’s easy to miss those little signs that something’s off.” And that’s exactly what scammers count on.
There are many types of scams that could land in your inbox, but according to Cristescu, three types stand out during the holidays:
Account log-in scams: “You’ll see emails that claim something’s wrong with your account and urge you to log in to fix it. These can be convincing, but they’re just fake pages set up to steal your username and password.”
Fake shipping notifications: “With everyone ordering gifts, scammers send emails that look like they’re from Amazon, FedEx, or other big companies. They know you’re waiting for packages, so they trick you into clicking to ‘track your order’ or ‘fix a delivery issue’ — but they’re really just after your passwords.”
Bogus eCommerce or “too good to be true” deals: “These phishing emails often impersonate major retailers or brands. They can lead you to fake websites where you’re prompted to put in sensitive information like credit card details or login credentials.”
Last year, more than 1.2 million scams targeted Amazon alone, according to a Bolster AI study. To safeguard your business domain from spoofing attacks, it’s essential to implement email authentication protocols like DMARC, SPF, and DKIM. These measures help prevent hackers from spoofing your domain and sending malicious emails that appear to come from you.
Phishing emails can be sophisticated, “especially with AI making them look pretty legit,” Cristescu says. But the cybersecurity expert emphasizes that there are still a few tell-tale signs.
“A big one is when the email starts with something generic like ‘Dear Customer’ instead of using your name. Another red flag is if the message is trying to induce panic by telling you that your account will be locked or that you need to act fast.”
Here are a few more red flags to watch out for, according to Vlad Cristescu:
Weird sender email addresses: Even if the email looks like it’s from a company you know, check the email address closely. Extra letters or random numbers are usually a giveaway.
Strange attachments: If there’s a random file attached, especially something like a .zip or .exe, be careful. Most companies don’t send attachments unless you’re expecting them.
Suspicious links: Before you click any link, hover over it and see where it’s really taking you. If the URL looks sketchy or doesn’t match the website it claims to be from, don’t click.
Bad grammar or awkward wording: Phishing emails often have little spelling mistakes or just sound a bit off. If it feels weird, it may be a phishing decoy.
Asking for personal info: No legitimate company will ask for sensitive info over email. If they do, that’s a big red flag.
Too-good-to-be-true deals: If the email offers something that sounds way too good, it’s probably a scam trying to get you to click.
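The attachment and link checks from the list above can also be run automatically over mail you triage. The following is an added example, not code from the article or from ZeroBounce: it parses a constructed message with Python's standard `email` package, and the `.example` domains and the `red_flags`, `host` and `sample` names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".zip", ".exe")  # the two attachment types the article names
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$")

class Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.pairs, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.href, self.text.strip()))
            self.href = None

def host(url):  # lower-cased hostname without "www."; accepts scheme-less text
    h = urlparse(url if "//" in url else "//" + url).hostname or ""
    return re.sub(r"^www\.", "", h.lower())

def red_flags(msg):  # returns the link and attachment red flags found in msg
    flags = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append("risky attachment: " + name)
        elif part.get_content_type() == "text/html":
            parser = Links()
            parser.feed(part.get_content())
            for href, shown in parser.pairs:
                s, h = host(shown), host(href)
                # Flag only when the visible text is itself a URL or domain and
                # the real target is neither that host nor one of its subdomains.
                if LOOKS_LIKE_URL.match(shown) and h != s and not h.endswith("." + s):
                    flags.append(f"link shows {s} but opens {h}")
    return flags

def sample():  # constructed message for illustration; all names are made up
    m = EmailMessage()
    m.set_content("Fix a delivery issue: see the HTML part.")
    m.add_alternative('<a href="https://login.parcel-update.example/t">'
                      'www.parcel-service.example/track</a>', subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="zip", filename="label.zip")
    return m
```

Calling `red_flags(sample())` reports both the mismatched link and the `.zip` attachment; a link whose visible text is ordinary wording rather than a URL is not compared, so the manual hover check still applies there.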
If you’ve already clicked on a malicious link, “don’t freak out,” Cristescu says. “It happens to a lot of people.” But here’s what you should do immediately:
The three months leading up to December account for 20% of all phishing scams for the entire year, according to Bolster AI research. As you rush to check off your holiday to-do list, remember to pause and double-check the emails you receive. “Before you click on a link, take just a few extra seconds to ensure no scam is slipping through,” Vlad Cristescu advises.
Vlad Cristescu is the Head of Cybersecurity at
ZeroBounce is an email validation, deliverability, and email-finding company that helps businesses improve their email marketing performance. A multiple Inc. 5000 honoree, ZeroBounce is the go-to choice for more than 350,000 customers worldwide.
Ensuring military-grade security, ZeroBounce serves companies of all sizes, from solo business owners to Amazon, Coca-Cola, Disney, Netflix, and Sephora.
In 2022, ZeroBounce founded Email Day (April 23), now an international holiday honoring email inventor Ray Tomlinson.