Holiday scams -- and how to avoid them

Retailers aren't the only ones who spend the year planning for the all-important holiday shopping season. Criminals also do advance work to scam money from unsuspecting consumers caught up in the holiday rush. 

Fraudsters collect as much credit card and personal information as they can, then pounce "right now around the holiday," David Kennedy, a former hacker for the National Security Agency and Marine Corps, told CBS MoneyWatch. "During this time, we're seeing a 317 percent increase in these attacks, compared to the average month," said Kennedy, now CEO of TrustedSec, a cybercrime investigations firm that includes major U.S. retailers among its clients.

Consumers should be on the lookout for fraud all year long, but the holidays bring added emotional pressure, especially for those with limited budgets. That can leave them more open to emails, texts or ads touting cash-saving offers. 

"If you get an email saying you're going to save money, you're more vulnerable during the holidays," said Beverly Harzog, a consumer finance analyst and credit card expert for U.S. News & World Report.

A letter from Santa

Scams currently in use target consumers with online coupons for specific products or retailers, then direct them to third-party sites that ask for credit card or other personal information. 

Another comes in the form of a letter from Santa, usually an email from a phony retailer offering the season's must-have toy as a marketing tool, said Harzog. "It'll say, 'you'll get a discount, but hurry since supplies are limited,'" an appeal that could start a parent's heart racing if their child was pining for the specific item, she noted.

"The biggest thing we're seeing that's fairly new now is targeted fake ads," said Kennedy. 

As with fake news, social media companies including Facebook have staff devoted to detecting and removing fake ads, but often the damage is already done. 

"The problem with Facebook is the main way they get revenue is through ads, and targeted ones at that," said Kennedy. "They try, but it's like whack-a-mole," in which the work of one bad actor is quickly replaced by the efforts of another, he added.

Emails and texts alerting recipients that a package won't get to them unless they take action are another way of getting the unsuspecting to hand over personal information. "The package ones are the largest we're seeing now -- 'hey, we tried to deliver and we're sending your package back,'" said Kennedy. He noted that the idea is to get people to enter their user name, password and possibly credit card information by directing them to sites made to resemble FedEx or Amazon.

How to steer clear of traps

While holiday scams abound, you can take some simple steps to avoid many, if not all, of the traps.

Never click on links, and don't enter credit card or personal information on third-party sites, both Harzog and Kennedy advise. Instead, type in the address yourself, then eyeball it to make sure it looks right, starting with the "https." "A site might look like something you're familiar with, then you click on the link and they download malware," said Harzog. 

There are legitimate coupons and codes, some offered by legitimate third-party sites. Still, while it's safe to enter a discount code, it's not safe to enter personal information, said Kennedy. Consumers should instead go directly to the retailer's site and then look at the address bar in their web browser to ensure it's really Amazon or Kohl's, because scam sites often look nearly identical.

Some scams use passwords and emails obtained from earlier breaches of sites such as LinkedIn, which was breached in 2012, with about 100 million user emails and passwords believed to have been taken.

Stolen passwords can show up years later in emails, said Kennedy, with a message along the lines of: "We know that you've been browsing adult sites, and we have your password. We're going to contact your employer and family unless you pay us this much in bitcoin," he said. "They actually incorporate holiday stuff into it, like 'I'm going to ruin your Christmas.'"

"People are falling for this, even if they've never been to an adult site," said Kennedy, who noted that many become rattled on reading that someone knows their password.

Consumers still in a giving mood should be wary of phony appeals for needy children or dog shelters. "Make sure it's a real charity," said Harzog, who recommended charitynavigator.com as a legitimate site to research charitable organizations.