011: The Naughty List

How to Outsmart Holiday Scams

Author

Eric ONeill
November 19, 2024

Read This or be Scammed!

As the holiday season unfolds, we find ourselves surrounded by the spirit of giving, the joy of shopping for loved ones, and the warmth of reconnecting with family and friends. But while we’re busy checking off wish lists, sharing festive moments, and spreading cheer, there’s another group equally busy this time of year: scammers.

Scammers have swindled victims out of $1.03 trillion globally in the past year, up from $1.026 trillion, according to the 2024 Global State of Scams report by the Global Anti-Scam Alliance and Feedzai.

These holiday grifters know exactly how to take advantage of the hustle and bustle. They understand that we’re often juggling a million tasks, from hunting down the perfect gift to preparing for holiday travel, and they’re ready to exploit any slip in our guard. Whether it’s a fake charity plea, an online shopping scam, or a too-good-to-be-true “deal” that pops up in your inbox, scammers are at their most creative during the holiday season.

In this issue, we’ll dive into the top holiday scams to watch out for this year. From phishing emails posing as popular retailers to fake charity calls tugging at heartstrings, we’ll cover the red flags to look for and share practical tips to keep you and your family safe. After all, staying informed is the best gift you can give yourself this season.

And speaking of scams, we’ve got a holiday story for you—a cautionary tale with a twist. When one family received a desperate call from an “uncle” stuck in a faraway place, they almost fell for the ploy... until one clever detail saved the day. Read on to find out how a holiday scam was foiled by a simple code word.

 Weekly Story: The Turkey Scam

The Reynolds family had just settled in for their Thanksgiving feast. The turkey was golden and steaming, the pies lined the counter, and Uncle Ed was holding court, explaining why deep-frying a turkey in a snowstorm had been a brilliant idea.

As Grandpa Joe prepared to carve the turkey, the phone rang. Aunt Tisha answered, her smile vanishing. “Everyone, it’s Uncle Mike! He’s in trouble!”

She hit speakerphone, and Uncle Mike’s voice crackled through. “Hey, Tisha, it’s me. I’m so sorry to interrupt, but I need help. I’m in Mexico for Thanksgiving, and my trip’s turned into a disaster!”

The room fell silent as Uncle Mike continued. “My hotel room was ransacked—wallet gone, passport gone, phone gone. I’m using the hotel phone to call you. I need $1,000 wired immediately to pay my bill, get a phone, and book a ticket home. Please, it’s urgent!”

Grandpa Joe frowned. “Mike’s in Mexico? I thought he was at home deep-frying his bird like always.”

Cousin Becky, the tech-savvy one, leaned in. “Uncle Mike, which hotel are you staying at?”

“Uh...the Grand Riviera,” the voice replied hesitantly.

Becky crossed her arms. “Funny. You posted this morning about your backyard smoker. Must be some great Wi-Fi in Mexico. 

Uncle Ed jumped in. “Alright, Mike. Before we send anything, you’ve got to give us the family passphrase. You know the one.”

Silence. Then came a nervous laugh. “Passphrase? Uh...Gobble Gobble?”

The family erupted into laughter, tension escaping the room. Uncle Ed shook his head. “Close, but wrong bird. The real phrase is ‘Dire Hard is a Christmas Movie.’”

The phone line went dead.

Minutes later, the real Uncle Mike Face Timed from his kitchen, proudly showing off his smoked turkey. “Mexico? I wish. What happened?” 

After the Reynolds filled him in, Mike laughed. “Good thing I wasn’t the turkey this Thanksgiving!”

Grandpa Joe raised his carving knife. “Alright, folks, let’s dig in—this scammer didn’t get our money, and we’re not letting this bird get cold!”

And with that, Thanksgiving was saved—along with $1,000 that stayed right where it belonged.

Just like the Reynolds family in our story, many people face sophisticated scams that are designed to prey on their goodwill and holiday spirit. Scammers have become increasingly crafty, using emotional manipulation and even cutting-edge technology to convince people to hand over money or sensitive information.

But with a bit of awareness and some simple precautions, you can avoid falling victim to these schemes. In this issue, we'll walk you through some of the most common holiday scams—from fake online stores to gift card traps and charity cons—and provide practical tips to help keep you and your loved ones safe. Let’s dive into the details and make sure this season remains festive and secure.

1. Social Media Ads Leading to Fake Online Stores

What It Is: You scroll through social media, spot a deal that seems too good to be true, and click on it. Before you know it, you've landed on a fake online store. These scam stores either take your money without delivering anything or, worse, steal your personal information, putting you at risk of identity theft.

Warning Signs:

  • Unbelievably low prices or discounts.

  • Poorly designed websites with typos and fuzzy images.

  • URLs that don’t look quite right or lack the “https” security prefix.

How to Protect Yourself:

  • Stick to websites you know and trust. If you're curious about a new site, look it up separately and check reviews.

  • Verify the site’s URL carefully. A legitimate site should have “https” at the beginning of the web address.

  • Use a credit card rather than a debit card for online shopping. Credit cards offer more protection if something goes wrong.

Bottom Line: If a deal seems way too good to be true, it probably is. Trustworthy stores don’t need gimmicky ads to attract customers.

2. Gift Card Scams

What It Is: Gift cards are a scammer's best friend during the holidays. They’re untraceable, hard to refund, and easy to sell online. Scammers may sell “discounted” gift cards with no balance, or they might ask you to pay fines or fees with gift cards—a classic scam tactic.

Warning Signs:

  • Anyone asking you to pay with a gift card for a bill, fine, or fee. No legitimate organization or government agency will request gift card payment.

  • Gift cards with damaged packaging or suspicious tampering.

How to Protect Yourself:

  • Only buy gift cards from reputable retailers and check for tampering before purchase.

  • Get a receipt for the gift card and keep it until the card is used.

  • Never use gift cards as a form of payment outside of the issuing company (like using a Google Play card only on Google Play).

Bottom Line: Gift cards are meant for giving, not for paying bills. If someone asks you to use a gift card for anything else, it’s a scam.

3. Charity Scams

What It Is: Scammers take advantage of the holiday spirit by creating fake charities or “lookalike” charities with names similar to legitimate organizations. They may also set up fake fundraising campaigns to trick people into donating.

Warning Signs:

  • Pressure tactics like “limited-time” donation requests or vague explanations of how the funds will be used.

  • URLs or emails that look like reputable charities but have slight variations in spelling or structure.

How to Protect Yourself:

  • Research the charity before donating. Use resources like the Better Business Bureau’s Wise Giving Alliance or Charity Navigator to verify its legitimacy.

  • For crowdfunding sites like GoFundMe, check the background of the organizer or campaign.

  • Avoid giving over the phone or through direct email links. Go to the charity’s official website directly to donate.

Bottom Line: Give with a warm heart and a cool head. Legitimate charities won’t pressure you or make you feel guilty for asking questions.

4. Grandparent Scams

What It Is: Also known as “family emergency” scams, these often target seniors. Scammers pose as a grandchild or other relative in distress, asking for urgent financial help. They may ask for funds via wire transfers or, of course, gift cards.

Warning Signs:

  • The caller or sender tells you to keep the situation a secret.

  • Odd language or behavior that doesn’t sound like your family member.

How to Protect Yourself:

  • Verify the identity of the person by calling them directly or contacting another family member.

  • Create a “family code word” for emergencies so you know if it’s really your loved one.

  • Remind senior family members to always verify before sending money, no matter the urgency.

Bottom Line: Don’t let panic override caution. Scammers rely on emotional manipulation, so take a moment to confirm before helping.

5. Investment and cryptocurrency scams

What It Is: According to the FTC, Investment and cryptocurrency scams dominate social media. Scammers contact you on social media or dating apps, claiming to know how to make fast money through crypto. They direct you to fake investment sites that show fake profits, urging you to invest more. Once they have your money, they shut down the fake accounts and vanish.

Warning Signs

  • Promises of high returns with no risk.

  • Professional-looking but vague websites or crypto exchanges.

  • Offers to guide you through trades with “insider knowledge.”

  • Offers to help you install applications on your devices in order to manage your trades.

How to Protect Yourself

  • Verify credentials with your state’s Department of Financial Institutions (DFI).

  • Research the company thoroughly before sharing personal info.

  • Never send money to someone who contacts you on social media.

  • Visit Investor.gov, a U.S. Securities and Exchange Commission (SEC) website, for more advice on investing and avoiding fraud.

  • Report investment fraud and scams to the FTC at ReportFraud.ftc.gov

Bottom Line

If it sounds too good to be true, it probably is. Stay cautious and verify every investment offer before you act.

General Tips to Protect Your Financial Information and Identity This Holiday Season

  • Enable Two-Factor Authentication on all accounts that support it. This adds an extra layer of security, even if a scammer obtains your password.

  • Use Strong, Unique Passwords for all your accounts, especially on sites where you store payment information.

  • Monitor Your Accounts Regularly for any unusual activity. If you spot any unfamiliar charges, report them immediately.

  • Beware of Phishing Emails and Texts: Don’t click on links from unknown senders, even if they claim to be from a familiar store or delivery service.

  • Use identity theft monitoring: Identity theft subscription services track your personal information online and provide an early warning system for scams, theft and fraud.

  • If it looks too good to be true, it probably is.

The holiday season should be a time of joy, not worry. By staying informed and cautious, you can enjoy peace of mind and protect yourself from holiday scams.

Now on to the news!

News Roundup

The LinkedIn Dream Job Scam

Iranian hackers are using fake job offers on LinkedIn to spread malware, targeting individuals in the aerospace, aviation, and defense industries. The malware, disguised as a ZIP file containing job-related documents, activates a backdoor to spy on victims’ computers and steal sensitive information. The campaign, active since September 2023, has been traced to the Iranian hacking group Charming Kitten.

The Telecom Scam

The US government has charged two hackers, Connor Moucka and John Binns, with breaching 10 major companies, stealing sensitive data, and then either extorting victims or selling the loot on the dark web. One of their likely victims? Telecom giant AT&T. According to the indictment, these cybercriminals accessed billions of sensitive records, including call histories, Social Security numbers, and financial information, raking in at least $2.5 million in Bitcoin from their schemes. Moucka was arrested in Canada, while Binns, also linked to a T-Mobile hack, is currently in Turkey.

The Fake Wedding Scam

Cybercriminals in India are using fake wedding invitations to spread malware via WhatsApp. Disguised as innocent Android Package Kit (APK) file attachments (essentially the Android equivalent of an .exe file on Windows), these scams silently install malicious software on victims’ devices, allowing hackers to access sensitive data, monitor activities, and even exploit financial information.

The invitations come from unknown numbers and it bears reminding: Don’t download files from unknown senders! Verify any unexpected messages before clicking. Once installed, these malicious apps can turn your phone into a tool for hackers to steal your data or money.

The Granny Scam (against the scammers!)

Move over, ChatGPT—O2’s “Daisy” chatbot takes AI to hilarious new heights by impersonating a sweet, chatty grandma to waste scammers' time. Armed with stories about knitting and meandering tales of her family, Daisy keeps scammers on the line for 40+ minutes, frustrating them while preventing real victims from being targeted. It’s a perfect twist: scammers think they’re duping an elderly lady, but they’re actually talking to cutting-edge AI trained by scambaiter content (shoutout to YouTuber Jim Browning!).

The best part? Even when scammers get “bank details” from Daisy, they’re fake—sending them on a wild goose chase. With over 89 million scam texts blocked by O2 last year and Brits eager for revenge, Daisy’s a genius blend of tech and humor, making it harder for scammers to distinguish AI from real victims.

Exclusive Event!

I’ve teamed up with the International Spy Museum to lead a team of undercover operatives across the streets of Washington, DC, the Spy Capital of the world. This intense small group introduction to surveillance will include learning the basics and conducting surveillance from the glamourous Doyle Collection, DC hotel through the enticing stalls of the DC Holiday Market. Will you be able to track the “Rabbit” without being “made”? You’ll learn how to snap clandestine shots and keep your target in view so you won’t miss operational acts or clandestine meetings. O’Neill will lead the exercise and help you learn how to blend into the sugarplum shadows for the best spy results! Tickets are still available!

Check out my latest podcast appearance

To stop the most notorious spy in US history, Eric O'Neill went undercover, and became the tip of the spear. His part in catching Robert Hanssen, an FBI agent passing highly classified and damaging information to Russia, is legendary, and the subject of the 2007 film "Breach." In this episode of DEVIANT Off Script, Eric and host Andrew Iden talk about how he helped get Hanssen, and his career in counterintelligence and cybersecurity. It's an incredible, eye-opening story you have to hear to believe.

Like What You're Reading?

Sign up for Spies, Lies & Cybercrime newsletter for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive!

Are you protected?

Recently nearly 3 billion records containing all our sensitive data was exposed on the dark web for criminals, fraudsters and scammers to data mine for identity fraud. Was your social security number and birthdate exposed? Identity threat monitoring is now a must to protect yourself? Use this link to get up to 60% off of Aura’s threat monitoring service.

What do YOU want to learn about in my next newsletter? Reply to this email or comment on the web version, and I’ll include your question in next month’s issue!

Thank you for subscribing to Spies, Lies and Cybercrime. Please comment and share the newsletter. I look forward to helping you stay safe from all holiday scams!

Best,
Eric

Let's make sure my emails land straight in your inbox.

Gmail users: Move this email to your primary inbox

On your phone? Hit the 3 dots at top right corner, click "Move to" then "Primary."

On desktop? Close this email then drag and drop this email into the "Primary" tab near the top left of your screen

Apple mail users: Tap on our email address at the top of this email (next to "From:" on mobile) and click “Add to VIPs”

For everyone else: follow these instructions

Reply

or to participate.