The holiday shopping season arrives as cybercriminal operations reach industrial scale. As millions of Americans buy gifts online, they’re entering an environment where fraudsters use artificial intelligence, automated bot networks, and psychological manipulation at new levels.
Federal agencies including the Federal Trade Commission (FTC), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the United States Postal Inspection Service have all issued warnings. These agencies describe a criminal ecosystem that targets the specific behaviors of holiday shoppers—urgency, generosity, and distraction—to steal hundreds of millions of dollars every year.
The financial stakes are huge. The FBI’s Internet Crime Complaint Center found that non-payment and non-delivery scams, the two most common types of holiday fraud, cost victims more than $785 million in 2024 alone.
AI-Powered Fraud
A defining feature of this threat is criminals using generative artificial intelligence. In the past, consumers could spot phishing attempts by looking for poor grammar, spelling errors, and awkward phrasing. Those mistakes often came from non-native English speakers working from overseas scam centers.
But the widespread availability of Large Language Models has changed everything.
Scammers now use AI tools to generate perfectly fluent, realistic text messages and emails that mimic major retailers like Amazon, Walmart, and delivery services like USPS. This technological leap has eliminated the “literacy barrier” that used to help people detect scams.
AI isn’t just used for text. Criminals employ it to create high-quality visual designs for fake online stores, generate realistic-looking positive reviews, and produce deepfake endorsements from celebrities or influencers.
The scale is staggering. Research shows a 30-fold increase in shopping-related scams and fraudulent text messages leading up to the 2025 holiday season, driven largely by these automated tools.
Criminals can now personalize attacks at scale, using data from previous breaches to craft “spear-phishing” messages that reference your actual bank or recent shopping habits. What used to be a “spray and pray” approach has become precision targeting.
The FBI and FTC note that scammers use deepfake advertisements on social media to create legitimacy that bypasses natural skepticism. The result is a digital environment where seeing is no longer believing.
Non-Delivery and Non-Payment Scams
The most common threats facing holiday shoppers are “Non-Delivery” and “Non-Payment” scams. These consistently rank as the highest money-makers for criminals during the holiday season.
The Fake Store
In a non-delivery scam, you pay for goods found online, typically advertised at a big discount, but the items never arrive. The scam relies on creating a “phantom storefront”—a website designed to look like a legitimate boutique or clearance outlet for a major brand.
Scammers use pre-built templates to quickly deploy these sites. They fill them with stolen product photos, professional-looking logos, and standard features like shopping carts and “About Us” pages.
To drive traffic, criminals buy advertisements on social media platforms and use “Search Engine Optimization (SEO) Poisoning.” When you search for a high-demand, sold-out item—like the latest gaming console or a specific toy—these fraudulent sites often appear at the top of search results.
The visual deception often includes “typosquatting” or URL spoofing. Criminals register domain names that look similar to popular retailers, like “walmrt.com” or “amaz0n-deals.com.” On mobile devices, where URL bars are minimized, these subtle differences are hard to spot.
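A lookalike-domain check for the two spoofed names above, as an added example that is not part of the original article. The retailer allowlist, the character-substitution table and the function names are assumptions, and the TLD handling is deliberately naive (no public suffix list).

```python
import re

# Assumed allowlist: brand keyword -> official domain (illustrative, not exhaustive).
OFFICIAL = {"walmart": "walmart.com", "amazon": "amazon.com",
            "target": "target.com", "usps": "usps.com"}

# Assumed table of digits commonly swapped in for letters.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(host):
    """Return ("official" | "lookalike" | "unknown", brand) for a hostname."""
    host = host.lower().strip().rstrip(".")
    for brand, domain in OFFICIAL.items():
        if host == domain or host.endswith("." + domain):
            return ("official", brand)
    # Inspect every label except the TLD, so a brand placed in a subdomain
    # of an unrelated site is caught as well.
    labels = host.split(".")[:-1]
    tokens = [t for label in labels
              for t in re.split(r"[-_]", label.translate(SUBSTITUTIONS)) if t]
    for brand in OFFICIAL:
        for tok in tokens:
            if tok == brand:                 # e.g. amaz0n-deals -> amazon
                return ("lookalike", brand)
            # One-character near miss, e.g. walmrt. Short brands are skipped
            # here to limit false positives.
            if len(brand) >= 6 and edit_distance(tok, brand) == 1:
                return ("lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames; the first two are the article's examples.
    for h in ["walmrt.com", "amaz0n-deals.com", "www.amazon.com",
              "amazon.com.example.net", "example-shop.org"]:
        print(h, classify(h))
```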
Once you make a purchase, usually with a debit card or a peer-to-peer payment app, the scammer provides a fake tracking number or simply stops responding. The website itself often disappears within days, only to reappear under a new name.
Triangulation Fraud
A more complex version of the non-delivery scam is “triangulation fraud,” which targets shoppers on third-party marketplaces like eBay, Facebook Marketplace, or Mercari.
Here’s how it works:
- The Lure: The scammer lists a legitimate product at a competitive price on a marketplace.
- The Purchase: You buy the product from the scammer, thinking you’re dealing with a regular seller.
- The Theft: The scammer takes your money and then uses a stolen credit card to purchase the actual item from a legitimate retailer like Amazon and ships it to you.
You receive the correct item and leave positive feedback for the scammer, unaware you’re in possession of stolen goods. The scammer keeps your legitimate payment.
The crime only unravels when the owner of the stolen credit card notices the unauthorized charge. The legitimate retailer gets hit with a chargeback while the scammer walks away with laundered money.
This method allows scammers to build up “legitimate” seller ratings, making them harder to detect.
Targeting Sellers
The holiday season also brings a rise in “Non-Payment” scams targeting people selling items online. In this scenario, a seller ships goods but never receives payment.
Scammers often claim urgency, saying they need the item immediately for a holiday gift. They send fake payment confirmation emails that appear to come from PayPal, Venmo, or Zelle, claiming the payment is “pending” and will be released once a tracking number is provided.
Sellers who ship before verifying funds in their actual account lose both the merchandise and the money.
Text Message Scams (Smishing)
As online shopping relies on delivery services, scammers have weaponized the delivery notification system through “Smishing” (SMS Phishing). Phishing has shifted from email to text messaging to exploit the very high open rates of SMS (often as high as 98%) and the trust people place in mobile notifications.
The “Incomplete Address” Trick
The United States Postal Inspection Service has identified a specific, high-volume campaign involving text messages claiming a package can’t be delivered due to an “incomplete address” or “unpaid postage.”
These messages are designed to trigger panic in someone waiting for holiday gifts. The text typically contains a link to a fraudulent website that looks exactly like the USPS tracking portal.
You’re prompted to enter your address and pay a small redelivery fee, often as low as $0.30. While the money seems trivial, the real goal is stealing your data. By entering credit card details to pay the small fee, you hand over your complete financial information.
These texts often come from personal mobile numbers rather than the official short codes used by USPS (which are typically 5 digits). The USPIS explicitly states they do not send unsolicited text messages containing links, and any such message should be treated as hostile.
Fake Bank Alerts
Another common tactic involves fake bank fraud alerts. You receive a text, seemingly from your bank, asking if you authorized a large purchase (like “$1,500 at Apple Store”).
When you panic and reply “NO,” you immediately get a phone call from someone posing as a bank representative.
This “agent” uses the urgency of the situation to bypass your critical thinking. They guide you through a “reversal” process that actually involves transferring money out of your account via Zelle or wire transfer, claiming they’re “protecting” your funds or moving them to a “secure holding account.”
This is social engineering that turns you into an unwitting accomplice in your own robbery. Because you authorize the transfer, recovering these funds is legally and technically difficult.
Account Takeover
Account Takeover (ATO) fraud happens when criminals hijack your existing accounts to make unauthorized purchases. The FBI and Amazon have warned of a surge in ATO attacks, which have risen by 141% since early 2021.
Credential Stuffing
The main method for ATO is “credential stuffing.” Because many people reuse the same password across multiple websites, hackers take databases of username/password pairs from previous data breaches and use automated bots to test them against major retail sites like Amazon, Walmart, and Target.
If you use the same password for an old forum account as you do for Amazon, the hacker gains access.
Once inside, the attacker can use stored payment methods to order expensive electronics to a new address or purchase digital gift cards that can be instantly laundered. This activity is often timed to the holiday rush, where an extra order might go unnoticed among legitimate purchases.
Beating Two-Factor Authentication
To overcome Multi-Factor Authentication (MFA), which is designed to stop credential stuffing, scammers use “interception” tactics. They might call you posing as customer support, claiming there’s suspicious activity on your account.
They tell you a “verification code” has been sent to your phone to prove your identity. In reality, the scammer has triggered the MFA request on their own device, and you’re reading the access code to the attacker, effectively handing over the keys.
Another tactic is “MFA Fatigue” or “Bombing,” where an attacker triggers dozens of MFA push notifications to your phone in the middle of the night. You eventually approve one just to make the notifications stop, inadvertently granting the attacker access.
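MFA fatigue leaves a recognizable trace in the authentication log: a burst of push prompts to one user followed by a single approval. This detection sketch is an added example, not part of the original article; the event names, thresholds and sample events are constructed assumptions rather than any vendor's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event kind).
SAMPLE_EVENTS = [
    ("2025-12-02T03:01:00", "dana", "PUSH_SENT"),
    ("2025-12-02T03:01:20", "dana", "DENIED"),
    ("2025-12-02T03:01:30", "dana", "PUSH_SENT"),
    ("2025-12-02T03:02:00", "dana", "PUSH_SENT"),
    ("2025-12-02T03:02:30", "dana", "PUSH_SENT"),
    ("2025-12-02T03:03:00", "dana", "PUSH_SENT"),
    ("2025-12-02T03:03:30", "dana", "PUSH_SENT"),
    ("2025-12-02T03:03:40", "dana", "APPROVED"),
    ("2025-12-02T08:15:00", "lee", "PUSH_SENT"),
    ("2025-12-02T08:15:05", "lee", "APPROVED"),
]


def find_fatigue_approvals(events, window=timedelta(minutes=10), min_prompts=5):
    """Return approvals that were preceded by a burst of push prompts.

    Each alert is (user, approval timestamp, prompts seen inside the window).
    """
    recent = defaultdict(deque)   # user -> timestamps of prompts still in window
    alerts = []
    for ts_str, user, kind in sorted(events):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ts_str)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()                   # forget prompts outside the window
        if kind == "PUSH_SENT":
            prompts.append(ts)
        elif kind == "APPROVED":
            if len(prompts) >= min_prompts:
                alerts.append((user, ts_str, len(prompts)))
            prompts.clear()                     # approval ends the current burst
    return alerts


if __name__ == "__main__":
    for alert in find_fatigue_approvals(SAMPLE_EVENTS):
        print("review session:", alert)
```

An alert here is a reason to revoke the resulting session and reset the password, since the prompts only fire after the password has already been entered correctly.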
Charity and Gift Card Scams
The holiday season is also a time for giving, and scammers ruthlessly exploit this through charity fraud and gift card manipulation.
Fake Charities
The end of the year is peak time for charitable donations, driven by holiday spirit and tax deduction deadlines. Scammers set up fake charities that mimic the names and branding of well-known organizations (like “The Cancer Fund of America” vs. “American Cancer Society”).
The IRS provides a critical defense tool: the Tax Exempt Organization Search (TEOS). This database lets you verify if an organization is a legitimate 501(c)(3) entity eligible to receive tax-deductible contributions.
Legitimate charities will not pressure you for immediate payment via gift cards, wire transfers, or cryptocurrency. Any request for such payment methods is a definitive sign of a scam.
Gift Card Scams
Gift cards have become the “currency of choice” for scammers because they’re nearly instant, anonymous, and irreversible. In a typical scenario, a fraudster poses as a boss, grandchild, or government agent and demands payment via Apple, Google Play, or Amazon gift cards.
The FBI and FTC repeat a simple rule: “Gift cards are for gifts, not for payments.” No legitimate business, utility company, or government agency will ever request payment via gift card.
Once you share the card number and PIN, the funds are drained instantly and are virtually impossible to recover.
How to Protect Yourself
The Cybersecurity and Infrastructure Security Agency has launched the “Secure Our World” initiative to provide a framework for consumer safety.
Use Multi-Factor Authentication
Enable MFA on email, banking, and shopping accounts. Even if a password is stolen, the attacker can’t access the account without the second factor.
While text message codes are common, CISA recommends using authenticator apps (like Google Authenticator or Microsoft Authenticator) or hardware security keys (like YubiKey) where possible, as these are more resistant to interception.
Keep Software Updated
Make sure your operating systems, browsers, and apps are updated to the latest versions before holiday shopping. These updates often contain critical security patches for vulnerabilities that scammers exploit.
“Drive-by downloads,” where you’re infected simply by visiting a compromised website, rely on outdated software to work.
Use Unique Passwords
Use unique, complex passwords for every retailer to prevent the “domino effect” of credential stuffing. CISA advises using a password manager to generate and store these credentials.
This tool lets you have a different 20-character random password for every site while only needing to remember one master password. If one retailer is breached, the credentials can’t be used to compromise other accounts.
Avoid Public Wi-Fi
The convenience of mobile shopping often leads people to shop on public Wi-Fi in cafes, airports, or malls. These networks are often unsecured, allowing attackers to intercept your data.
Government guidance advises against checking bank accounts or making purchases on public Wi-Fi. If necessary, use a Virtual Private Network (VPN) or disconnect from Wi-Fi and use your cellular data connection, which is encrypted.
Payment Method Protection
One of the most critical decisions you make is how to pay. Federal laws provide drastically different levels of protection depending on whether you use credit, debit, or a peer-to-peer app.
Credit Cards (Best Protection)
Government agencies universally recommend credit cards as the safest method for online transactions. The Fair Credit Billing Act offers robust protection for credit card users.
Under this law, your liability for unauthorized charges is capped at $50, and most major issuers offer a “zero liability” policy.
Crucially, if an item is damaged, not delivered, or misrepresented, you have the right to dispute the charge (a “chargeback”) and withhold payment while the card issuer investigates. During this investigation, you’re not out of pocket—it’s the bank’s money at risk.
Debit Cards (Moderate Protection)
Debit cards are governed by the Electronic Fund Transfer Act. While this law provides protections, they’re strictly time-sensitive and generally less favorable:
- 0-2 Days: If a lost or stolen card is reported within 2 business days, liability is limited to $50.
- 2-60 Days: If reported after 2 days but within 60 days of the statement, liability can rise to $500.
- Over 60 Days: If not reported within 60 days, you face unlimited liability, potentially losing all funds in the account.
Because debit cards draw directly from your checking account, fraudulent charges can cause cascading financial damage. You might face bounced checks, missed mortgage or rent payments, and insufficient funds fees while the bank investigates—a process that can take 10 business days for provisional credit and 45 to 90 days for final resolution.
Peer-to-Peer Apps (Weak Protection)
Payment platforms like Zelle, Venmo, and CashApp present significant risk. These services are designed for transfers between friends and family, not for commercial transactions with strangers.
While Regulation E applies to “unauthorized” transfers (like if a hacker steals your phone), there’s a significant grey area concerning “authorized” transfers induced by fraud.
If you’re tricked into voluntarily sending money to a scammer, banks have historically argued this is an “authorized” transaction because you initiated it. Consequently, they often deny reimbursement claims.
Government advice is strict: Only use P2P apps to send money to people you know and trust personally.
| Payment Method | Governing Law | Liability Limit | Funds at Risk | Dispute Rights |
|---|---|---|---|---|
| Credit Card | Fair Credit Billing Act | $50 max (often $0) | Bank’s money | Strong |
| Debit Card | Electronic Fund Transfer Act | $50-$500 (time-dependent) | Your checking balance | Moderate |
| P2P (Zelle/Venmo) | Regulation E (with gaps) | Varies (often none for scams) | Your checking balance | Weak to None |
| Wire Transfer | Contractual / UCC | Very Low / None | Cash equivalent | Very Weak |
| Gift Card | None | None | Cash equivalent | None |
Smart Shopping Habits
Beyond technical tools, the most effective defense against scams is behavioral change. The FBI and FTC advise a “verify then trust” approach.
Pause When Pressured
Scams rely on urgency to bypass critical thinking. Whenever a message demands immediate action—whether it’s a deal that expires in 10 minutes or an account alert claiming imminent suspension—pause.
This “cognitive break” allows your rational brain to reassess. A legitimate business will not demand immediate action or threaten arrest or account deletion in a text message.
Type URLs Directly
To avoid phishing sites, adopt a policy of “Direct Navigation.” Never click links in texts or emails regarding orders or account status.
Instead, close the message, open a browser, and type the retailer’s known URL (like amazon.com or walmart.com) directly into the address bar. If there’s a genuine issue with an order or account, it will be visible on the legitimate site.
Research Unfamiliar Sellers
When dealing with a new merchant, particularly those found via social media ads, perform due diligence before checkout:
- Search Query: Run a search for “[Company Name] + scam” or “[Company Name] + review” to see other people’s experiences.
- Contact Verification: Check for a physical address and phone number. Call the number to see if it connects to a real person.
- Visual Inspection: Be wary of sites with poor design or broken English. However, as AI improves scam sites, inconsistencies often remain in the “Terms of Service” or “Shipping Policy” pages, which may be copied from other sites and contain conflicting information.
If You Get Scammed
Despite best efforts, scams happen. Quick response is critical.
Immediate Steps
If you suspect you’ve been scammed, contact your financial institution immediately. Call the fraud department of your credit card issuer or bank, request that the card be canceled and a new one issued, and formally dispute the fraudulent transactions.
If you shared personal information (Social Security Number, passwords), change passwords immediately for all accounts and consider placing a credit freeze with the three major bureaus (Equifax, Experian, TransUnion) to prevent new accounts from being opened in your name.
Report to Federal Agencies
Reporting fraud is vital for tracking trends and disrupting major crime rings.
- Federal Trade Commission: Report fraud at ReportFraud.ftc.gov. The data enters the Consumer Sentinel Network, a database accessible to over 2,800 federal, state, and local law enforcement agencies.
- FBI: For significant financial losses and internet-enabled crimes, file a complaint with the Internet Crime Complaint Center (IC3.gov).
- U.S. Postal Inspection Service: If the scam involved the mail or fake delivery texts, report it to the Postal Inspection Service. You can also forward spam texts to 7726 (SPAM), a centralized reporting service supported by major mobile carriers.
- State Attorneys General: Many states have active Bureaus of Consumer Protection that can assist with fraud involving local businesses.
Bottom Line
The holiday season brings sophisticated scams powered by AI and automation. Criminals can now create perfect-looking fake stores, generate flawless phishing emails, and personalize attacks at massive scale.
The best defenses are:
- Pay with credit cards whenever possible for maximum protection
- Enable multi-factor authentication on all accounts
- Never click links in unexpected texts or emails—type URLs directly
- Use unique passwords for every site with a password manager
- Pause and verify when pressured to act immediately
- Only use P2P apps with people you personally know
- Remember: Gift cards are for gifts, not payments
By staying alert and following these government-backed guidelines, you can protect your money and personal information this holiday season. The scammers are sophisticated, but informed consumers are their worst nightmare.