How to avoid the "bah humbug" of holiday scams

The holidays are a time for eggnog, family and festive meals, but there's also a dark side to the season: the scammers and hackers who are ready to pounce on the unaware.

And this season may turn into a free-for-all for fraudsters thanks to a few trends that are prompting criminals to set their traps for unmindful consumers. The bad guys have a wide variety of tricks up their sleeves, from fake charities to "phishing" schemes aimed at tricking holiday shoppers.

One difference this year is that these holidays may be the last for magnetic-strip credit cards, which are easier to hack. A new security standard going into effect next October will introduce the "chip and PIN" cards favored in Europe, notes Yaron Samid, chief executive of BillGuard. Since Target's (TGT) massive breach last December, more than 100 million card holders have had their data stolen. BillGuard, which offers an app that allows consumers to monitor for fraudulent activity, expects more data breaches at retailers this season.

"This is like the last hurrah for hackers to go after retailers who are using magnetic-strip credit cards," Samid told CBS MoneyWatch. "There are three certainties in life: death, taxes and data breaches. If you are a holiday shopper, go into holiday shopping season assuming your card will be compromised in a credit breach and act accordingly."

On top of continued data breaches, the past year's data attacks on retailers such as Target, Home Depot (HD) and Michaels mean that criminals also have access to millions of stolen emails. Those can be used in phishing scams to target unwary retailers this holiday season, Samid added.

The phishing attempts can appear to come from either a retailer or a shipping company, such as UPS or FedEx, but are actually fake emails that try to get consumers to disclose their emails.

"Most times, it's trying to phish for your information," said Gary Davis, chief consumer security evangelist at security company McAfee. "Most consumers use the same password in multiple accounts," which means that if a consumer discloses a password, those criminals may try to use it to hack into bank accounts, he added.

Read on for additional tips on holiday scams and keeping your data and finances safe.

During the holidays, check your card activity daily. Given BillGuard's expectation that at least one or two major data breaches will occur this holiday season, it's more important than ever to remain alert to suspicious activity. If you notice any unauthorized charges, immediately contact your bank.

When you look at card activity, keep an eye out for "microcharges." Samid notes that the average consumer looks for big purchases, but hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, hackers can then sell them to other crooks for a premium. That means that consumers shouldn't overlook small, unauthorized charges.

Be aware of emails purporting to be from shippers or retailers. No established business would ask a consumer to disclose her password via email or on the phone, McAfee's Davis said. Shoppers should look at the specific email address and domain name of the sites they are pointed to, making sure it's really from the retailer and not a close derivative.

Deals that are too good to be true. Gift cards are increasingly popular, but they are also open to a variety of scams. If you are offered a gift card with a significantly discounted face value, it could be too good to be true, Samid noted.

Confirm charities are real before donating. During the holidays, consumers are in a giving mood. Friends on social media might link to a charity, thinking that the organization is legitimate when in fact it's a front for criminals. "There are viral charity outreaches where they show a very emotional photo or video and say, 'Please donate to save the kids or the dolphins,' and that leads you to a site that's just a scam," Samid warned. Before donating, investigate the charity on sites such as CharityNavigator to confirm it's legit.
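The tip above about emails purporting to be from shippers or retailers comes down to comparing the sender's domain with the real one. The Python sketch below is an added example, not part of the original article: it ignores the display name and flags "close derivative" domains. The allowlist, the sample senders and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist: domains this shopper actually expects mail from.
KNOWN_DOMAINS = {"ups.com", "fedex.com", "target.com", "homedepot.com"}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return 'known', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(from_header)  # the display name is never trusted
    if "@" not in addr:
        return "unknown"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match, or a real subdomain such as mail.fedex.com.
    if any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return "known"
    # Split every label on hyphens so "fedex-delivery" yields the token "fedex".
    tokens = {t for label in domain.split(".") for t in label.split("-")}
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # Brand name reused inside some other domain (ups.com.parcel-track.example).
        if brand in tokens:
            return "lookalike"
        # One-character typo of the brand; skipped for short brands such as
        # "ups", where a single edit matches too many ordinary words.
        if len(brand) >= 5 and any(edit_distance(t, brand) == 1 for t in tokens):
            return "lookalike"
    return "unknown"

# Constructed sample senders (reserved .example names for the fake ones).
SAMPLES = [
    "UPS <tracking@ups.com>",
    "UPS Delivery <notice@ups.com.parcel-track.example>",
    "Target Deals <deals@targett.example>",
    "Book Club <news@groups.example>",
]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{classify_sender(sender):9}  {sender}")
```

A "lookalike" verdict means the message borrows a known brand's name without coming from that brand's domain; "unknown" only means the sender is not on the allowlist.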