Ho, ho, no! Scams to avoid this festive season

Whether you’ve been naughty or nice, someone will try and stuff a scam down your chimney either way. The FBI is warning of several likely ways to be parted from your funds or logins, and we’re going to give some additional context along with tips to avoid these digital lumps of coal.

Social media shopping scams

The FBI says:

Consumers should beware of posts on social media sites that appear to offer vouchers or gift cards. Some may appear as holiday promotions or contests. Others may appear to be from known friends who have shared the link. Often, these scams lead consumers to participate in an online survey that is designed to steal personal information.

We say:

Social media scams largely lean into cryptocurrency giveaways and other similar get-rich-quick schemes. You may see the occasional gift card thrown into the mix, but these tend to be related to survey scams. Having said that, we covered 3 popular forms of gift card scam in the run-up to Black Friday:

  • Fake gift cards for sale at a discount. If it’s too good to be true, it probably is. Search out the official card distributor and check if they actually do have a sale on, and then purchase directly.

  • Gift card generators. Tools which claim to create genuine codes have been around for years, and they’re all fake. At best you’ll see one of the previously mentioned surveys. At worst, you could run into malware.

  • Services you encounter online which claim to perform a task in return for gift cards should be avoided. You’ll send them a code, and never hear from them again.

Work from home scams

The FBI says:

Consumers should beware of sites and posts offering work they can do from home. These opportunities rely on convenience as a selling point but may have fraudulent intentions. Consumers should carefully research the job posting and individuals or company offering employment.

We say:

Work from home scams are big business over the holiday season, especially with people potentially looking for a little extra cash in the run-up to the new year. These scams became incredibly popular with the advent of the COVID-19 pandemic, often tying into cryptocurrency.

Other scams of this nature will make use of cryptocurrency ATMs and QR codes. They’ll set up fake job hunt websites for you to upload your resume to, or post bogus ads on real sites. If you take part in an interview via WhatsApp or Telegram, that may be a red flag. If they send you money to buy work equipment, and then ask you to send the rest of the money to another bank account, that’s a whole box of red flags. You may well be walking into a short-lived career as a money mule. It’s simply not worth the risk.

Charity scams

The FBI says:

Fraudulent charity scams, in which perpetrators set up false charities and profit from individuals who believe they are making donations to legitimate charitable organizations. Charity fraud rises during the holiday season, when individuals seek to make end-of-year tax deductible gifts or are reminded of those less fortunate and wish to contribute to a good cause. Seasonal charity scams can pose greater difficulties in monitoring because of their widespread reach, limited duration and, when done over the Internet, minimal oversight.

We say:

One of the biggest drivers of fake charity sites is still the invasion of Ukraine. Fake donation sites are easy to set up, and copying genuine content from the real thing is also straightforward.

These sites will often tug at the heartstrings, claiming to help children stranded in Ukraine with (what else?) cryptocurrency. Occasionally these scams lurk in the replies of Twitter threads, often imitating the person who originally posted.

In the UK you can search the charity register. I’m not aware of a similar service in the US, but you’re likely going to find a link to the charity you’re looking for on the Forbes top 100 list.

Smartphone app scams

The FBI says:

Some mobile apps, often disguised as games and offered for free, are designed to steal personal information. Before downloading an app from an unknown source, consumers should research the company selling it or giving it away and look online for third-party reviews of the product.

We say:

Bogus apps are something you can expect to run into all year round, but this is still good advice for the most part. I say “most part”, because the above suggests that only apps from an unknown source could be an issue. Whether you’re using an official app store or downloading apps from third-party sources, there could be something lurking in that app. Dubious apps can work their way onto your device via a low tally of installation permission requests and then set about getting up to mischief, and that’s from an official store.

Even if the app you installed is legitimate it can be abandoned by the developers and cause problems of its own, potentially leaving you open to exploits. What you need to do:

  • Stick to official stores. Yes, they do also fall victim to malware apps posing as the real thing. You’re still better off doing this than allowing unknown installs to your device and grabbing files from who knows where.

  • Check the number of installs, how long the file has been available, developer information, and the reviews. Use information from outside the official store to see if anyone is complaining about it in security circles. Check if the app is still supported. If the app is brand new, you may wish to wait a while before installing.

  • When your Android phone begins to show signs of infection, it’s time to follow our list of security tips and run a scan.

Don’t let the scammers spoil your fun

We hope a combination of the FBI’s warnings and our additional hints and tips will keep you safe over the coming weeks. Unfortunately, scammers don’t tend to take time off over Christmas, so it’s essential to keep your guard up. As for that lump of coal: return to sender.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.